diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 073973379..eef34f0c0 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -11,6 +11,7 @@ Release 0.11.0 (unreleased)
 * Add provenance / release attestation to pypi package (#784)
 * Support multiple licenses per project (#788)
 * Add evidence to sbom report (#788)
+* Let action work outside of dfetch repo (#816)
 Release 0.10.0 (released 2025-03-12)
 ====================================
diff --git a/README.md b/README.md
index de3b17f5f..f8b0d5049 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,9 @@ The results will be uploaded to Github. Add the following to your workflow file:
 jobs:
 dfetch-check:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
 steps:
 - name: Run Dfetch Check
 uses: dfetch-org/dfetch@main
diff --git a/action.yml b/action.yml
index 22dd0aafb..dc8a54907 100644
--- a/action.yml
+++ b/action.yml
@@ -20,19 +20,29 @@ runs:
 using: 'composite'
 steps:
 - name: Checkout repository
- uses: actions/checkout@v5.0.0
+ uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
 - name: Setup Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: '3.13'
- - name: Install dfetch
+
+ # Install dfetch from main if NOT running on a branch in the dfetch repo
+ - name: Install dfetch from GitHub
+ if: ${{ github.repository != 'dfetch-org/dfetch' || github.ref_name == 'main' }}
+ run: pip install git+https://github.com/dfetch-org/dfetch.git@main#egg=dfetch
+ shell: bash
+
+ # Install dfetch locally if running inside the dfetch repo
+ - name: Install dfetch locally
+ if: ${{ github.repository == 'dfetch-org/dfetch' }}
 run: pip install .
 shell: bash
+
 - name: Run dfetch check (SARIF)
 run: dfetch check --sarif sarif.json
 shell: bash
 working-directory: ${{ inputs.working-directory }}
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v4.30.8
+ uses: github/codeql-action/upload-sarif@17783bfb99b07f70fae080b654aed0c514057477 # v3.30.7
 with:
 sarif_file: sarif.json
diff --git a/dfetch/reporting/check/sarif_reporter.py b/dfetch/reporting/check/sarif_reporter.py
index e02bf973c..e76124b9f 100644
--- a/dfetch/reporting/check/sarif_reporter.py
+++ b/dfetch/reporting/check/sarif_reporter.py
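Review bot: The new `Install dfetch from GitHub` step installs from the mutable `main` branch (`pip install git+https://github.com/dfetch-org/dfetch.git@main#egg=dfetch`), so a consumer who pins this action to a commit SHA still executes whatever `dfetch-org/dfetch` main contains at run time, which undoes the SHA pinning this same hunk adds for `actions/checkout`, `actions/setup-python` and `upload-sarif`. Pin the installed code to the ref the action was invoked with, e.g. `run: pip install "git+https://github.com/dfetch-org/dfetch.git@${{ github.action_ref }}"` (confirm `github.action_ref` is populated inside composite actions on your runners), or to a released version such as `run: pip install dfetch==<version>`, which the changelog entry in this diff says now ships with PyPI attestations; the `#egg=dfetch` fragment is deprecated in pip and can be dropped either way. The two `if:` conditions overlap: on the `main` branch of `dfetch-org/dfetch` both install steps run and `pip install .` silently overwrites the first, which also contradicts the comment `Install dfetch from main if NOT running on a branch in the dfetch repo` — either drop `|| github.ref_name == 'main'` or reword the comment. Separately, the `upload-sarif` pin is annotated `# v3.30.7` while the removed line referenced `v4.30.8`; verify the SHA really is the intended release, since the tag comment beside a SHA pin is what reviewers and update tooling rely on and a mismatch here hides a major-version downgrade.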
@@ -39,30 +39,22 @@ on: push + permissions: + contents: read + jobs: - dfetch: + dfetch: runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Set up python 3.10 - uses: actions/setup-python@v2 - with: - python-version: "3.10" - - - name: Set up dfetch - run: | - python -m pip install --upgrade pip - pip install dfetch - - name: Check dependencies - run: dfetch check --sarif sarif.json - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: sarif.json + permissions: + contents: read + security-events: write + + steps: + - name: Dfetch SARIF Check + uses: dfetch-org/dfetch@main + with: + working-directory: '.' For more information see the `Github Sarif documentation`_.