diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
new file mode 100644
index 00000000..7b66543e
--- /dev/null
+++ b/.github/workflows/checkov.yaml
@@ -0,0 +1,37 @@
+name: Checkov
+
+on:
+ push:
+ branches: [ "main" ]
+ workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+ checkov-job:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ statuses: none
+ runs-on: ubuntu-latest
+ name: checkov-action
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@master
+
+ - name: Run Checkov action
+ id: checkov
+ uses: bridgecrewio/checkov-action@0549dc60bddd4c55cb85c6c3a07072e3cf2ca48e
+ with:
+ skip_check: CKV_DOCKER_2,CKV_DOCKER_3
+ quiet: true
+ output_format: cli,sarif
+ output_file_path: console,results.sarif
+ download_external_modules: true
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ if: success() || failure()
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 22dc13df..a0dd2cf2 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -2,6 +2,8 @@ name: Lint
 on: [pull_request]
+permissions: read-all
+
 jobs:
 black:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/no_debug_allowed.yaml b/.github/workflows/no_debug_allowed.yaml
index 90ce5f7e..cabe9d08 100644
--- a/.github/workflows/no_debug_allowed.yaml
+++ b/.github/workflows/no_debug_allowed.yaml
@@ -2,6 +2,8 @@ name: Make sure Debug mode is OFF!
 on: [pull_request]
+permissions: read-all
+
 jobs:
 is-debug-off:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/no_forgoten_migrations.yaml b/.github/workflows/no_forgoten_migrations.yaml
index 7d68c1f3..31a58f6d 100644
--- a/.github/workflows/no_forgoten_migrations.yaml
+++ b/.github/workflows/no_forgoten_migrations.yaml
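Review bot: `uses: actions/checkout@master` in the Checkout step pulls a mutable branch ref, while the Checkov step two lines below is pinned to a full commit SHA; pin checkout the same way (a release tag at minimum, ideally a commit SHA with a `# vX.Y.Z` comment naming the release) so a changed upstream branch cannot alter what runs in a job holding `security-events: write`. The `skip_check: CKV_DOCKER_2,CKV_DOCKER_3` value suppresses two Dockerfile checks (as far as I recall, the HEALTHCHECK and non-root USER checks) with no recorded reason; add a comment above it such as `# CKV_DOCKER_2/3 skipped: <reason> — revisit on <date>` so the exception is reviewable rather than permanent by default. Note also that the `on:` block triggers only on push to main plus manual dispatch, so findings surface after merge rather than on the pull request that introduced them; adding `pull_request:` alongside `push:` would catch them earlier.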
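Review bot: `permissions: read-all` is broader than a lint workflow needs; for a job that only checks out the repository and runs a formatter, `permissions:` followed by `contents: read` is the least-privilege form, and `read-all` still hands every read scope (issues, pull requests, packages, deployments, ...) to the token. The same `read-all` line is added to no_debug_allowed.yaml, no_forgoten_migrations.yaml, publish-and-deploy.yaml and run_django_tests.yaml and the same narrowing applies there; each job body is outside these hunks, so any job that genuinely reads another scope would need it listed explicitly. This is a tightening on top of a change that already improves on the repository default, not a blocker.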
@@ -2,6 +2,8 @@ name: Make sure to run manage.py makemigrations if you change models
 on: [pull_request]
+permissions: read-all
+
 jobs:
 is-migration-diff-clean:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-and-deploy.yaml b/.github/workflows/publish-and-deploy.yaml
index 6f6621a8..4901cee1 100644
--- a/.github/workflows/publish-and-deploy.yaml
+++ b/.github/workflows/publish-and-deploy.yaml
@@ -5,6 +5,8 @@ on:
 push:
 branches: [ main ]
+permissions: read-all
+
 jobs:
 push_to_registry:
 name: Push Docker Image to Docker Hub
diff --git a/.github/workflows/run_django_tests.yaml b/.github/workflows/run_django_tests.yaml
index 0d13b969..949cc149 100644
--- a/.github/workflows/run_django_tests.yaml
+++ b/.github/workflows/run_django_tests.yaml
@@ -3,6 +3,8 @@ name: Run Django Tests
 on:
 pull_request:
+permissions: read-all
+
 jobs:
 run-django-tests:
 runs-on: ubuntu-latest
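Review bot: Adding a top-level `permissions: read-all` to publish-and-deploy.yaml silently removes any write scope the `push_to_registry` job (and whatever deploy job follows it) may have relied on from the default token, for example `id-token: write` for OIDC-based registry or cloud login or `packages: write` if an image is also pushed to GHCR; the job bodies are outside this hunk, so I cannot tell whether they use only repository secrets. Confirm that, or give the job its own `permissions:` block listing just the scopes it needs while keeping the top-level `read-all` as the floor — the same per-job override shape that checkov.yaml in this commit already uses. A failed run would reveal the regression, but only on the next push to main, which is the deploy path itself.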