diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 0000000..a20d70e
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,37 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [actions, javascript-typescript]
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-extended
+ threat-models: remote
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: /language:${{ matrix.language }}
diff --git a/security-test-samples.ts b/security-test-samples.ts
new file mode 100644
index 0000000..df8fae7
--- /dev/null
+++ b/security-test-samples.ts
@@ -0,0 +1,58 @@
+/**
+ * Sample file with intentional security vulnerabilities for CodeQL testing.
+ * DO NOT use any of this code in production.
+ */
+
+// 1. DOM-based XSS via innerHTML
+// CodeQL rule: js/xss
+function renderUserContent(userInput: string) {
+ const div = document.createElement('div');
+ div.innerHTML = userInput; // VULNERABILITY: unsanitized user input → XSS
+ document.body.appendChild(div);
+}
+
+// 2. XSS via document.write
+// CodeQL rule: js/xss
+function writeToPage(query: string) {
+ const params = new URLSearchParams(window.location.search);
+ const value = params.get(query);
+ document.write('
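Review bot: The three `github/codeql-action/*@v3` steps in `.github/workflows/codeql.yaml` are referenced by a floating major tag, while `actions/checkout` a few lines above them is pinned to a full commit SHA with a version comment, so the pinning policy is applied to only one of the two third-party actions in the job. A mutable tag can be re-pointed to a different commit after this review, which is precisely what the SHA pin on checkout guards against; pin each step the same way, e.g. `uses: github/codeql-action/init@<full-commit-sha> # v3.x.y` (placeholder — use the SHA the chosen v3 release tag resolves to), and likewise for the `autobuild` and `analyze` steps. Separately, the Autobuild step is, as far as I know, a no-op for `javascript-typescript` and `actions`, so it could be dropped to shorten the job, but that is cosmetic.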
' + value + '
'); // VULNERABILITY: URL param written directly to DOM
+}
+
+// 3. eval() with user-controlled input
+// CodeQL rule: js/code-injection
+function runUserExpression(expr: string) {
+ const result = eval(expr); // VULNERABILITY: arbitrary code execution
+ return result;
+}
+
+// 4. Open redirect via user-controlled URL
+// CodeQL rule: js/open-redirect
+function redirectTo(dest: string) {
+ const params = new URLSearchParams(window.location.search);
+ const target = params.get(dest);
+ window.location.href = target!; // VULNERABILITY: unvalidated redirect
+}
+
+// 5. postMessage without origin check
+// CodeQL rule: js/postmessage-star-origin (or missing origin validation)
+function listenForMessages() {
+ window.addEventListener('message', (event) => {
+ // VULNERABILITY: no check on event.origin
+ const payload = JSON.parse(event.data);
+ document.getElementById('output')!.innerHTML = payload.html;
+ });
+}
+
+// 6. Prototype pollution via merge
+// CodeQL rule: js/prototype-pollution
+function mergeObjects(target: Record