diff --git a/.github/workflows/run_pipeline.yaml b/.github/workflows/run_pipeline.yaml
index f0fe4c6b8..4f73e9992 100644
--- a/.github/workflows/run_pipeline.yaml
+++ b/.github/workflows/run_pipeline.yaml
@@ -11,21 +11,19 @@ on:
 jobs:
 lint-yaml:
 name: Lint
- if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
 uses: ./.github/workflows/lint_yaml.yaml
 lint-powershell:
 name: Lint
- if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
 uses: ./.github/workflows/lint_powershell.yaml
+ scan-secret:
+ name: Security
+ uses: ./.github/workflows/run_secret_scan.yaml
 syntax:
 name: Syntax
- if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
 uses: ./.github/workflows/syntax_check_markdown.yaml
 unit-powershell:
 name: Unit
- if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
 uses: ./.github/workflows/unit_test_powershell.yaml
 unit-opa:
 name: Unit
- if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
 uses: ./.github/workflows/unit_test_opa.yaml
diff --git a/.github/workflows/run_secret_scan.yaml b/.github/workflows/run_secret_scan.yaml
index c66011628..ee4050dc2 100644
--- a/.github/workflows/run_secret_scan.yaml
+++ b/.github/workflows/run_secret_scan.yaml
@@ -1,10 +1,8 @@
 # Purpose: Run a secret scanner against the repo.
-name: Run Secret Scan
+name: Scan for Secrets
 on:
- push:
- pull_request:
 workflow_call:
 workflow_dispatch:
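Review bot: In run_pipeline.yaml the `if:` guard is dropped from `lint-yaml`, `lint-powershell`, `syntax`, `unit-powershell` and `unit-opa`, but within this diff it reappears only inside run_secret_scan.yaml, so de-duplication now depends on each called workflow carrying its own copy. If the lint, syntax and unit workflows do not already have that condition (none is shown receiving it here), a same-repository pull request would presumably run those jobs once for the push event and again for the pull_request event, while `scan-secret` runs once. A comment above `jobs:` such as `# De-duplication of push/pull_request runs is handled inside each called workflow.` would tell the next editor where the condition lives. The `on:` block sits above the hunk, so the actual trigger set cannot be confirmed from these lines.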
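Review bot: Removing `push:` and `pull_request:` from run_secret_scan.yaml leaves run_pipeline.yaml as the only automatic entry point for the Gitleaks scan, so any branch or path filter in that caller's `on:` block now also limits secret-scan coverage. That block is outside the diff; it is worth confirming that it fires on pushes to every branch, because the job-level condition added in the following hunk skips same-repository pull requests on the assumption that the push event has already scanned the commit. The header comment could record the dependency, for example `# Purpose: Run a secret scanner against the repo. Called from run_pipeline.yaml; no push/pull_request trigger of its own.`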
@@ -12,6 +10,8 @@ jobs:
 secret-scan:
 name: MegaLint Gitleaks
 runs-on: ubuntu-latest
+ # This condition prevents duplicate runs.
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
 defaults:
 run:
 shell: bash
diff --git a/.github/workflows/unit_test_powershell.yaml b/.github/workflows/unit_test_powershell.yaml
index 526d5ec50..e0897cd38 100644
--- a/.github/workflows/unit_test_powershell.yaml
+++ b/.github/workflows/unit_test_powershell.yaml
@@ -7,6 +7,8 @@ on:
 workflow_call:
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 powershell-tests:
 name: PowerShell Unit Tests
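Review bot: The `if:` added to `secret-scan` skips the job for pull requests whose head and base repository are the same, and GitHub reports a skipped job as successful, so if "Security" is a required check it passes on that event without a scan having run. That is sound only while the push event for the same commit runs the scan, which depends on the caller's triggers rather than on anything in this file. The comment `# This condition prevents duplicate runs.` would be more useful as `# Skip pull_request runs from same-repo branches; the push event already scans them. Fork PRs still run here.` The job's steps continue below the hunk and are not reviewed here.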
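Review bot: `permissions: read-all` in unit_test_powershell.yaml gives the GITHUB_TOKEN read access to every scope, which is broader than a unit-test job usually needs. If the steps (outside the hunk) only check out the repository and run the tests, the least-privilege form is a `permissions:` mapping with the single entry `contents: read`. When the workflow is reached through `workflow_call` the token is already capped by what run_pipeline.yaml grants and this block can only narrow it further, so the caller's own `permissions:` deserves the same treatment. The other called workflows touched by this diff show no equivalent block in the visible hunks; applying one setting across all of them would keep the pipeline consistent.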