diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index dcb9db0..d4be676 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [opened, reopened, synchronize]
 
+# As per Checkov CKV2_GHA_1
+permissions: read-all
+
 jobs:
   soundness:
     name: Soundness