diff --git a/internal/depsfile/locks_file.go b/internal/depsfile/locks_file.go
index 386615200..2c38175a3 100644
--- a/internal/depsfile/locks_file.go
+++ b/internal/depsfile/locks_file.go
@@ -2,7 +2,6 @@ package depsfile
 
 import (
 	"fmt"
-	"os"
 	"sort"
 
 	"github.com/hashicorp/hcl/v2"
@@ -134,7 +133,7 @@ func SaveLocksToFile(locks *Locks, filename string) tfdiags.Diagnostics {
 
 	newContent := f.Bytes()
 
-	err := replacefile.AtomicWriteFile(filename, newContent, os.ModePerm)
+	err := replacefile.AtomicWriteFile(filename, newContent, 0644)
 	if err != nil {
 		diags = diags.Append(tfdiags.Sourceless(
 			tfdiags.Error,
diff --git a/internal/depsfile/locks_file_test.go b/internal/depsfile/locks_file_test.go
index 88d9532ba..9e0d0f429 100644
--- a/internal/depsfile/locks_file_test.go
+++ b/internal/depsfile/locks_file_test.go
@@ -232,6 +232,14 @@ func TestSaveLocksToFile(t *testing.T) {
 		t.Fatalf("unexpected errors\n%s", diags.Err().Error())
 	}
 
+	fileInfo, err := os.Stat(filename)
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	if mode := fileInfo.Mode(); mode&0111 != 0 {
+		t.Fatalf("Expected lock file to be non-executable: %o", mode)
+	}
+
 	gotContentBytes, err := ioutil.ReadFile(filename)
 	if err != nil {
 		t.Fatalf(err.Error())