diff --git a/.github/workflows/ci-cov-report.yml b/.github/workflows/ci-cov-report.yml
index 3af7a0f0..88e18e7a 100644
--- a/.github/workflows/ci-cov-report.yml
+++ b/.github/workflows/ci-cov-report.yml
@@ -2,6 +2,9 @@ name: coverity-report
 
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   linux-report:
     uses: intel-innersource/applications.analyzers.pcm/.github/workflows/ci-cov-linux-report.yml@main
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 59c0b51f..5d251a02 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -5,6 +5,9 @@ on:
     branches: 
         - master
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-20.04
diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml
index ddcb3210..44c192e9 100644
--- a/.github/workflows/freebsd_build.yml
+++ b/.github/workflows/freebsd_build.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
diff --git a/.github/workflows/freebsd_scan_build.yml b/.github/workflows/freebsd_scan_build.yml
index 1a7dec8d..ca7dfc87 100644
--- a/.github/workflows/freebsd_scan_build.yml
+++ b/.github/workflows/freebsd_scan_build.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   build: