diff --git a/src/oas3/__tests__/accessors.test.ts b/src/oas3/__tests__/accessors.test.ts
index ad60575..cf8ed36 100644
--- a/src/oas3/__tests__/accessors.test.ts
+++ b/src/oas3/__tests__/accessors.test.ts
@@ -1,4 +1,5 @@
 import { DeepPartial } from '@stoplight/types';
+import { SecuritySchemeType } from 'openapi3-ts';
 
 import { setSkipHashing } from '../../hash';
 import { getSecurities as _getSecurities, OperationSecurities } from '../accessors';
@@ -111,6 +112,35 @@ describe('getOas3Securities', () => {
     ]);
   });
 
+  it.each<SecuritySchemeType>(['http', 'apiKey', 'openIdConnect'])(
+    'given global securities and matching operation scheme with scopes should return scopes as extensions for security scheme type: %s',
+    type => {
+      expect(
+        getSecurities({
+          security: [{ operationScheme: ['image:read'] }],
+          components: {
+            securitySchemes: {
+              operationScheme: {
+                type,
+              },
+            },
+          },
+        }),
+      ).toStrictEqual([
+        [
+          [
+            'operationScheme',
+            {
+              type,
+              ['x-scopes']: ['image:read'],
+              extensions: { ['x-scopes']: ['image:read'] },
+            },
+          ],
+        ],
+      ]);
+    },
+  );
+
   it('given global securities and matching spec and invalid operation scheme should return empty array', () => {
     expect(
       getSecurities(
diff --git a/src/oas3/accessors.ts b/src/oas3/accessors.ts
index 03e5444..7693e04 100644
--- a/src/oas3/accessors.ts
+++ b/src/oas3/accessors.ts
@@ -45,11 +45,14 @@ export function getSecurities(
           ];
         }
 
+        const extensions = scopes?.length ? { ['x-scopes']: scopes } : {};
+
         return [
           opScheme,
           {
             ...definition,
-            extensions: getExtensions(definition),
+            ...extensions,
+            extensions: getExtensions({ ...definition, ...extensions }),
           },
         ];
       })