docs: clarify GITHUB_TOKEN permissions needed for private repos

README.md

@@ -87,6 +87,27 @@ GitHub's new [Repository Rules](https://docs.github.com/repositories/configuring
 We recommend new repositories use Repository Rules so they can be read with the default GitHub token. 
 Repositories that already use classic Branch Protection and wish to see their results without an admin token should consider migrating to Repository Rules.
 
+### Additional permissions for private repositories
+
+When running Scorecard Action on **private repositories** with the default `GITHUB_TOKEN`, add these **job-level permissions** so Scorecard can query commits and detect configured SAST tools. Without them you may see errors like:
+
+> `Resource not accessible by integration` (e.g., during GraphQL ListCommits)
+
+```yaml
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      # Required when publishing results (badge / API / code scanning)
+      security-events: write
+      id-token: write
+      # Recommended reads for private repos to avoid GraphQL/SAST gaps
+      contents: read
+      issues: read
+      pull-requests: read
+      checks: read
+```
+
 ## View Results
 
 The workflow is preconfigured to run on every repository contribution. After making a code change, you can view the results for the change either through the Scorecard Badge, Code Scanning Alerts or GitHub Workflow Runs.