diff --git a/.github/workflows/tf-unit-tests.yml b/.github/workflows/tf-unit-tests.yml
index b9beeb8..67bfdd4 100644
--- a/.github/workflows/tf-unit-tests.yml
+++ b/.github/workflows/tf-unit-tests.yml
@@ -3,6 +3,11 @@ name: 'Terraform Unit Tests'
 on:
   push:
 
+permissions:
+  security-events: write # Needed to upload-sarif
+  contents: read # Needed to clone repo
+  actions: read # Potentially needed for private repositories (see https://github.com/github/codeql-action/issues/2117)
+
 jobs:
   terraform-unit-tests:
     name: 'Terraform Unit Tests'