diff --git a/.github/workflows/security-gate.yml b/.github/workflows/security-gate.yml
index 91c8cb6..f225a28 100644
--- a/.github/workflows/security-gate.yml
+++ b/.github/workflows/security-gate.yml
@@ -1,13 +1,14 @@
 name: Security Gate - LESIS
 on:
-  push:
-    branches:
-      - main
   pull_request:
     branches:
       - main
+permissions:
+  security-events: read
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -24,15 +25,15 @@ jobs:
       - name: Pull Docker image from GitHub Container Registry
         run: docker pull ghcr.io/instriq/security-gate/security-gate:latest
-      - name: Verify security alerts from dependabot
+      - name: Verify security alerts from GHAS
         run: |
           docker run ghcr.io/instriq/security-gate/security-gate:latest \
-            -t $GITHUB_TOKEN \
-            -r ${{ github.repository }} \
-            --critical $MAX_CRITICAL \
-            --high $MAX_HIGH \
-            --medium $MAX_MEDIUM \
-            --low $MAX_LOW \
+            -t "$GITHUB_TOKEN" \
+            -r "${{ github.repository }}" \
+            -c "$MAX_CRITICAL" \
+            -h "$MAX_HIGH" \
+            -m "$MAX_MEDIUM" \
+            -l "$MAX_LOW" \
             --dependency-alerts \
-            --code-alerts \
-            --secret-alerts
+            --secret-alerts \
+            --code-alerts
diff --git a/lib/Zarn/Engine/Source_to_Sink.pm b/lib/Zarn/Engine/Source_to_Sink.pm
index c4d07c9..dc9c714 100644
--- a/lib/Zarn/Engine/Source_to_Sink.pm
+++ b/lib/Zarn/Engine/Source_to_Sink.pm
@@ -20,7 +20,7 @@ package Zarn::Engine::Source_to_Sink {
         );
         if ($ast && $rules) {
-            foreach my $token (@{$ast -> find('PPI::Token')}) {
+            foreach my $token (@{$ast -> find('PPI::Token') || []}) {
                 foreach my $rule (@{$rules}) {
                     my @sample = $rule -> {sample} -> @*;
                     my $category = $rule -> {category};
@@ -63,4 +63,4 @@ package Zarn::Engine::Source_to_Sink {
         }
     }
-1;
\ No newline at end of file
+1;
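Review bot: Removing the `push` trigger means the gate no longer runs for commits that reach main without a pull request (a direct push, or a merge that bypasses the check), so the new `permissions` block only closes the loop if branch protection makes this job a required status check. If that is the intent, record it next to the trigger, e.g. `# PR-only by design: enforce via branch protection (required status check)`. Note also that on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only regardless of this block, and whether `security-events: read` alone authorises the secret-scanning alert listing the job requests is worth confirming against the API docs rather than assuming from the code-scanning case.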
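Review bot: `-t "$GITHUB_TOKEN"` passes the token in the container's argv, where it is readable via `ps` on the runner and `docker inspect` for as long as the container exists; the added quoting fixes word splitting but not that exposure. If the gate can read the token from its environment, prefer `docker run --rm -e GITHUB_TOKEN ghcr.io/instriq/security-gate/security-gate:latest \` and drop the `-t` line — `--rm` also avoids leaving a stopped container that still holds the arguments. The image is pulled and run by the mutable `:latest` tag (context lines here), so for a check that decides whether a PR passes, pinning to a digest (`security-gate@sha256:…`) would make the verdict reproducible. Switching `--high` to `-h` assumes the tool does not reserve `-h` for help; the CLI is not in this diff, so that is worth a quick run before merging.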
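Review bot: `|| []` merges PPI's error return (undef, per PPI::Node's documented `find` contract) with its "nothing found" return (''), so a file whose AST could not be searched is scanned as zero tokens and the gate fails open on exactly the input most likely to hide something. Keep the guard but surface the error: `my $tokens = $ast -> find('PPI::Token');` then `warn "PPI find() failed; no tokens scanned\n" unless defined $tokens;` and `foreach my $token (@{$tokens || []}) {`. The enclosing subroutine starts before this hunk, so whether an error return or an exception fits its callers better than `warn` is not visible here.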