diff --git a/.entur/security/codescan.yml b/.entur/security/codescan.yml
new file mode 100644
index 0000000..b711d64
--- /dev/null
+++ b/.entur/security/codescan.yml
@@ -0,0 +1,9 @@
+apiVersion: entur.io/securitytools/v1
+kind: CodeScanConfig
+metadata:
+  id: omsaexampleclients
+spec:
+  notifications:
+    outputs:
+      pullRequest:
+        enabled: false
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..fa93bcb
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,27 @@
+name: "CodeQL"
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "**/README.md"
+  schedule:
+    - cron: "0 3 * * MON"
+
+permissions: {}
+
+jobs:
+  code-scan:
+    name: Code Scan
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: entur/gha-security/.github/workflows/code-scan.yml@v2
+    secrets: inherit
+    with:
+      ignore_language: "cpp,swift,kotlin"
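Review bot: The `pullRequest: enabled: false` setting under `spec.notifications.outputs` switches off a notification channel for scan findings with no explanation, so a later reader cannot tell whether this is a deliberate policy for this repository or a leftover from a template. A one-line comment above it would settle that, e.g. `# PR notifications intentionally off for this repo; findings are reviewed via <where findings are consumed>` (fill in the actual channel, which this file does not show). If the scan tool defaults to PR notifications being on, the comment should also say why this repository opts out.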
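Review bot: The reusable workflow at `uses: entur/gha-security/.github/workflows/code-scan.yml@v2` is referenced by a mutable tag, so whoever can move the `v2` tag in that repository can change what runs here with `security-events: write` and every inherited secret; pinning to a full-length commit SHA with the version kept as a trailing comment, `uses: entur/gha-security/.github/workflows/code-scan.yml@<full-commit-sha> # v2`, removes that trust on the tag (the SHA is not visible in this diff, so it must be looked up). Relatedly, `secrets: inherit` forwards all repository and organization secrets to the called workflow; if the reusable workflow declares the secrets it actually needs, passing only those explicitly is the tighter choice, and if it does not, a comment stating that `inherit` is required would help the next reviewer. Finally, `ignore_language: "cpp,swift,kotlin"` deserves a short comment on why those languages are excluded from scanning, since excluding a language silently drops coverage if code in it is added later.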