From 83806b9962ba043767993766dd6ffd3ce292cd7f Mon Sep 17 00:00:00 2001 From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com> Date: Wed, 9 Apr 2025 14:02:06 +0100 Subject: [PATCH 1/2] docs: Update README.md --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e60eb5d..4c1ea9c 100644 --- a/README.md +++ b/README.md @@ -86,7 +86,6 @@ For Policy as Code to work correctly, you need to have the following permissions - [`security_events: read`][permissions] - [Dependabot Alerts][permissions-dependabot] - [Code Scanning][permissions-codescanning] - - [Secret Scanning][permissions-secretscanning] - [`content: read`][permissions] - [Dependency Graph][permissions-dependencygraph] / [Dependency Licenses][permissions-dependencygraph] - [`pull-requests: write`][permissions] @@ -94,6 +93,16 @@ For Policy as Code to work correctly, you need to have the following permissions - [optional] Policy Repository - `content: read` to be able to clone external sources of the policies +> [!WARNING] +> Secret Scanning results cannot be accessed using the Actions Token, use a GitHub App + +**GitHub App:** + +- Contents +- [Code scanning alerts][permissions-codescanning] +- [Dependabot alerts][permissions-dependabot] +- [Secret scanning alerts][permissions-secretscanning] + **[Action Permissions Example][permissions]:** ```yaml From 0a24559db4213685dbdf13db9608d4ef806faab3 Mon Sep 17 00:00:00 2001 From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com> Date: Wed, 16 Apr 2025 10:50:52 +0100 Subject: [PATCH 2/2] docs: Update permissions --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4c1ea9c..4150d60 100644 --- a/README.md +++ b/README.md 
@@ -84,17 +84,20 @@ For Policy as Code to work correctly, you need to have the following permissions - [required] Repository Permissions - [`security_events: read`][permissions] - - [Dependabot Alerts][permissions-dependabot] - [Code Scanning][permissions-codescanning] - [`content: read`][permissions] - [Dependency Graph][permissions-dependencygraph] / [Dependency Licenses][permissions-dependencygraph] - [`pull-requests: write`][permissions] - Policy as Code Pull Request Summary + - ["Secret scanning alerts" repository permissions (read)][permissions-secretscanning] + - ⚠️ GitHub App or PAT only, not Actions Token + - ["Dependabot alerts" repository permissions (read)][permissions-dependabot] + - ⚠️ GitHub App or PAT only, not Actions Token - [optional] Policy Repository - `content: read` to be able to clone external sources of the policies > [!WARNING] -> Secret Scanning results cannot be accessed using the Actions Token, use a GitHub App +> Secret Scanning and Dependabot Alerts results cannot be accessed using the Actions Token, use a GitHub App **GitHub App:**
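Review bot: in the first hunk of PATCH 1/2 (`@@ -86,7 +86,6`), dropping `- [Secret Scanning][permissions-secretscanning]` from under `security_events: read` leaves the required-permissions list with no mention of Secret Scanning at all, and a reader who only scans that list will not learn that it needs a different token until the warning callout further down. Consider keeping a line for Secret Scanning in the list itself that points at the GitHub App requirement (for example `- [Secret Scanning][permissions-secretscanning] (GitHub App only, see below)`) so the list stays a complete inventory of what the tool reads.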
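Review bot: in the second hunk of PATCH 1/2 (`@@ -94,6 +93,16`), the new **GitHub App:** list does not state the access level for each permission, while the Actions list above it is explicit (`security_events: read`, `content: read`, `pull-requests: write`); since this is exactly the list someone will copy into an App configuration, each item should say read or write, and `- Contents` should link to the same permissions reference the other three items use. The warning text `Secret Scanning results cannot be accessed using the Actions Token, use a GitHub App` is also a comma splice; a full stop or semicolon before `use a GitHub App` reads better.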
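Review bot: in the PATCH 2/2 hunk (`@@ -84,17 +84,20`), the two added bullets say `⚠️ GitHub App or PAT only, not Actions Token`, but the warning callout changed in the same hunk still ends with `use a GitHub App` and the **GitHub App:** block that follows is not updated to mention PATs, so the document now gives two different answers about which credential types are acceptable. Either add the PAT option to the callout and the block below, or drop `or PAT` from the bullets so the three places agree. The `Dependabot Alerts` removal from under `security_events: read` is consistent with the new bullet, but the callout should then also keep the comma splice fix noted for the previous patch.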