diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
index 456df386..0ad8db53 100644
--- a/.github/workflows/trivy-scan.yaml
+++ b/.github/workflows/trivy-scan.yaml
@@ -23,7 +23,7 @@ jobs:
       packages: write
       pull-requests: none
       repository-projects: none
-      security-events: none
+      security-events: write
       statuses: none
       # needed for `cosign attest`
       id-token: write