diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index ac7d79ea..603c8301 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -9,6 +9,9 @@ jobs:
 scan:
 name: Scan for known vulnerabilities
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -46,7 +49,6 @@ jobs:
 uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
 with:
 sarif_file: ${{ env.TRIVY_RESULTS }}
- token: ${{ secrets.ROCKSBOT_CHISEL_SECURITY_EVENTS }}
 - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
 if: ${{ !cancelled() }}
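Review bot: The `permissions:` block added to the `scan` job has no comment tying each scope to the step that needs it, and a job-level `permissions:` key sets every unlisted scope to none for all steps in the job. I would annotate the entries, for example `security-events: write  # upload-sarif publishes code scanning results` and `contents: read  # repository checkout` (assuming the job checks out the repository; its steps are outside this hunk). If the workflow can run in a private repository, upload-sarif also needs `actions: read`. Because the second hunk drops the `token:` input, the upload now depends on the job token, which is normally read-only for pull requests from forks; the `on:` triggers are not visible here, so confirm that such runs skip or tolerate the upload step.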