From 53d2396c2f11654aea97e8298ad14248a211dfb6 Mon Sep 17 00:00:00 2001
From: Michael Collins <15347726+michaeljcollinsuk@users.noreply.github.com>
Date: Mon, 22 Apr 2024 11:52:31 +0100
Subject: [PATCH] Attempt to resolve checkov errors

---
 .github/workflows/codeql-analysis.yml | 2 ++
 .github/workflows/enforce-version-pinning.yml | 2 ++
 .github/workflows/test-and-push-docker-image.yaml | 4 ++++
 3 files changed, 8 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 632ad4c70..7a6188849 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,8 @@ on:
   schedule:
     - cron: '43 11 * * 1'
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/enforce-version-pinning.yml b/.github/workflows/enforce-version-pinning.yml
index e0d6d0a78..de7885ebc 100644
--- a/.github/workflows/enforce-version-pinning.yml
+++ b/.github/workflows/enforce-version-pinning.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [main]
 
+permissions: {}
+
 jobs:
   check-version-pinning:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test-and-push-docker-image.yaml b/.github/workflows/test-and-push-docker-image.yaml
index 024a5aa82..50ad8d7ff 100644
--- a/.github/workflows/test-and-push-docker-image.yaml
+++ b/.github/workflows/test-and-push-docker-image.yaml
@@ -7,9 +7,13 @@ name: Run tests and push Docker image on success
   release:
     types: [published]
 
+permissions: {}
+
 jobs:
   test-and-push:
     runs-on: [self-hosted, management-ecr]
+    permissions:
+      contents: read
     env:
       LOGS_BUCKET_NAME: moj-analytics-s3-logs
     steps:
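Review bot: The top-level `permissions: {}` in codeql-analysis.yml strips every scope from the workflow token, but the CodeQL upload step (github/codeql-action/analyze) needs `security-events: write` and a checkout step needs `contents: read`; the analyze job's own `permissions` block, if it has one, lies outside the hunk, so this should be confirmed before merge or the SARIF upload will fail with a 403 at runtime. The same gap applies to enforce-version-pinning.yml, where the check-version-pinning job (also continuing outside the hunk) gets no job-level grant at all, unlike test-and-push-docker-image.yaml which adds `contents: read` alongside the default-deny. If the jobs have no permissions block yet, add one at job level, e.g. `permissions:` / `contents: read` / `security-events: write` for analyze and `contents: read` for check-version-pinning. A one-line comment above the new top-level key, `# default-deny; each job grants only the scopes its steps need`, would record the intent for the next editor.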
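Review bot: The job-level `permissions:` / `contents: read` on test-and-push in test-and-push-docker-image.yaml is now the entire token scope for a job that pushes an image to ECR, and its steps are outside the hunk; if AWS authentication goes through OIDC (aws-actions/configure-aws-credentials with role-to-assume) the job also needs `id-token: write`, and any release-time step that writes back to the release or repository would need `contents: write`. A missing scope only surfaces at runtime, so the workflow is worth exercising on a release event before this lands. If the runner instead authenticates with stored credentials, the current grant is sufficient and a comment such as `# no id-token needed: ECR auth uses stored credentials, not OIDC` above the job-level block would document why the scope is absent.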