diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a978b1d6c..2e8e641bd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,6 +12,8 @@ permissions: read-all
 
 jobs:
   analyze:
+    permissions:
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     name: Analyze Go (${{ matrix.target_arch }})
     if: ${{ github.actor != 'dependabot[bot]' && github.repository == 'open-telemetry/opentelemetry-ebpf-profiler' }}
     runs-on: ubuntu-24.04