diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index 81e4ee2..96e7fe2 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -55,6 +55,11 @@ jobs:
 - name: Run Hypatia scan
 id: scan
+ env:
+ # Hypatia uses Dependabot alerts as one of its signal sources.
+ # Without GITHUB_TOKEN it warns and exits 1. The default GITHUB_TOKEN
+ # has the security_events:read scope needed to query alerts.
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 echo "Scanning repository: ${{ github.repository }}"