From b6b9d1e7b74580a1e91e6d66037a3b12713d769d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B8rgen=20Andresen=20Osberg?=
Date: Wed, 13 May 2026 11:37:34 +0200
Subject: [PATCH 1/2] security(codeql): add codeql workflow

---
 .github/workflows/codeql.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..fa96c4f
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,29 @@
+name: "CodeQL"
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - "**/README.md"
+  schedule:
+    - cron: "0 3 * * MON"
+
+permissions: {}
+
+jobs:
+  code-scan:
+    name: Code Scan
+    permissions:
+      actions: read
+      contents: read
+      issues: write
+      pull-requests: write
+      security-events: write
+    uses: entur/gha-security/.github/workflows/code-scan.yml@v2
+    secrets: inherit
+    with:
+      ignore_language: "cpp,swift,kotlin"

From 849b345e51e181ffb41d28b47bc94fa55afee391 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B8rgen=20Andresen=20Osberg?=
Date: Wed, 13 May 2026 15:31:02 +0200
Subject: [PATCH 2/2] security(codeql): disable PR comments and tighten permissions

---
 .entur/security/codescan.yml | 9 +++++++++
 .github/workflows/codeql.yml | 2 --
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 .entur/security/codescan.yml

diff --git a/.entur/security/codescan.yml b/.entur/security/codescan.yml
new file mode 100644
index 0000000..b711d64
--- /dev/null
+++ b/.entur/security/codescan.yml
@@ -0,0 +1,9 @@
+apiVersion: entur.io/securitytools/v1
+kind: CodeScanConfig
+metadata:
+  id: omsaexampleclients
+spec:
+  notifications:
+    outputs:
+      pullRequest:
+        enabled: false
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fa96c4f..fa93bcb 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
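Review bot: `uses: entur/gha-security/.github/workflows/code-scan.yml@v2` pins the reusable workflow to a mutable major tag, so anyone who can move the `v2` tag in that repository changes what runs here with `security-events: write` and every inherited secret. Pin to a full-length commit SHA and keep the version as a trailing comment, `uses: entur/gha-security/.github/workflows/code-scan.yml@<full-commit-sha> # v2`, and let Dependabot or Renovate bump the SHA. `secrets: inherit` forwards every repository and organisation secret to the called workflow; if the code-scan workflow only needs a known subset, pass those by name under `secrets:` instead — which ones it requires is not visible from this diff. The top-level `permissions: {}` with job-scoped grants is the right shape and should stay.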
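Review bot: The new `.entur/security/codescan.yml` carries no comment explaining why pull-request notifications are turned off, and its link to the `issues: write`/`pull-requests: write` grants dropped from `codeql.yml` in the same commit is only recorded in the commit message. A comment above `notifications:` such as `# PR comments disabled: findings are reviewed in the Security tab, so the workflow grants no issues/pull-requests write` keeps the two files in step if someone later re-enables comments without restoring the permissions. The `entur.io/securitytools/v1` schema is not visible from here, so whether `id: omsaexampleclients` has to match the repository name is left to the tool's documentation.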
@@ -20,8 +20,6 @@ jobs:
     permissions:
       actions: read
       contents: read
-      issues: write
-      pull-requests: write
       security-events: write
    uses: entur/gha-security/.github/workflows/code-scan.yml@v2
     secrets: inherit
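Review bot: With `issues: write` and `pull-requests: write` removed the remaining grants are the minimum a CodeQL upload needs, but `security-events: write` is not honoured on `pull_request` runs that come from forked repositories, where GITHUB_TOKEN is read-only regardless of this block; if this repository accepts fork pull requests, the SARIF upload in the called workflow will fail on those runs, so either accept that the check is informational for forks or rely on the `push` and `schedule` triggers for the authoritative scan. A one-line comment above `permissions:` such as `# PR comments are disabled in .entur/security/codescan.yml, so no write scope beyond security-events is needed` would record why the write scopes were dropped. The `jobs:` block and the `with:` input continue outside the hunk.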