diff --git a/.github/workflows/notification-service.yml b/.github/workflows/notification-service.yml
index 85519df..24677b7 100644
--- a/.github/workflows/notification-service.yml
+++ b/.github/workflows/notification-service.yml
@@ -12,6 +12,10 @@ on:
 - notification_service/**
 - .github/workflows/notification-service.yml
+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 # ── 1. Build & test ──────────────────────────────────────────────────────────
 ci:
@@ -135,19 +139,12 @@ jobs:
 MOCK_MODE: "true"
 - name: ZAP Baseline Scan
- uses: zaproxy/action-baseline@v0.12.0
+ uses: zaproxy/action-baseline@v0.14.0
 with:
- target: http://localhost:8080
+ target: http://localhost:8080/actuator/health
 fail_action: false
 allow_issue_writing: false
-
- - name: Upload ZAP report
- if: always()
- uses: actions/upload-artifact@v4
- with:
- name: zap-report
- path: report_html.html
- retention-days: 14
+ artifact_name: zap-report
 # ── 5. Docker build & push ───────────────────────────────────────────────────
 docker:
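Review bot: `security-events: write` in the new top-level `permissions:` block is granted to every job in this workflow, including the `docker` build-and-push job and the job that runs the third-party ZAP action, not only the job that uploads code-scanning results. Keep `contents: read` at workflow level and move the write scope into a job-level `permissions:` block on the one job that needs it. Declaring `permissions` also sets every unlisted scope to `none`, so if the `docker` job (its body is outside this hunk) pushes with `GITHUB_TOKEN` it would presumably need its own `packages: write`; worth confirming before merge.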
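Review bot: Pointing `target` at `http://localhost:8080/actuator/health` likely shrinks the baseline scan to that one endpoint, because the ZAP spider starts from the target URL and a health endpoint normally returns JSON with no links to follow. With `fail_action: false` the job stays green either way, so the lost coverage would only be visible to someone who opens the `zap-report` artifact. If the root URL was dropped because it returns 404, record that in a comment above `target:`, for example `# root path returns 404; health endpoint is the spider seed, so coverage is limited to this URL`, and consider seeding the scan with a URL that reaches the real routes. Separately, `zaproxy/action-baseline@v0.14.0` is a mutable tag; `uses: zaproxy/action-baseline@<full-commit-sha>  # v0.14.0` keeps the step from changing under the same tag. The rest of this job lies outside the hunk.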