fix: add SARIF output and permissions for Snyk workflow

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: kmcallorum

.github/workflows/security.yml

@@ -37,6 +37,9 @@ jobs:
 
   snyk:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
     steps:
       - uses: actions/checkout@v6
 
@@ -56,7 +59,7 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --severity-threshold=high
+          args: --sarif-file-output=snyk.sarif --severity-threshold=high
 
       - name: Upload Snyk results to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v4