diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 38d3405..7a50ca6 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -17,6 +17,9 @@ on:
     - cron: '30 14 * * *'
     # or whatever time works best for your team.
 
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     # User definable name of this GitHub Actions job.
@@ -33,6 +36,11 @@ jobs:
 
     steps:
       # Fetch project source with GitHub Actions Checkout.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       # Run the "semgrep ci" command on the command line of the docker image.
       - run: semgrep scan --config auto