ci: enable CodeQL static analysis

.github/workflows/codeql.yml

@@ -0,0 +1,48 @@
+name: CodeQL
+
+# CodeQL static analysis. Findings appear in Security → Code scanning.
+# Runs on push to main, on every PR to main, and weekly on Mondays as a
+# safety net for queries that get updated upstream between active changes.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "29 7 * * 1" # Mondays 07:29 UTC — off-peak so it doesn't fight Dependabot
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [python]
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # security-and-quality is broader than security-extended;
+          # surfaces both vulnerability and maintainability findings.
+          queries: security-and-quality
+
+      # Pure-Python project, autobuild is a no-op but kept for the
+      # canonical CodeQL pattern in case future code adds extensions.
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

README.md

@@ -3,6 +3,7 @@
 > A typed, testable CLI for the [Hevy](https://hevy.com) workout tracking API.
 
 [![CI](https://github.com/marinsalinas/hevy-cli/actions/workflows/ci.yml/badge.svg)](https://github.com/marinsalinas/hevy-cli/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/marinsalinas/hevy-cli/actions/workflows/codeql.yml/badge.svg)](https://github.com/marinsalinas/hevy-cli/actions/workflows/codeql.yml)
 [![codecov](https://codecov.io/gh/marinsalinas/hevy-cli/branch/main/graph/badge.svg)](https://codecov.io/gh/marinsalinas/hevy-cli)
 [![pre-commit.ci status](https://results.pre-commit.ci/badge/github/marinsalinas/hevy-cli/main.svg)](https://results.pre-commit.ci/latest/github/marinsalinas/hevy-cli/main)
 [![PyPI](https://img.shields.io/pypi/v/hevy-cli)](https://pypi.org/project/hevy-cli/)

SECURITY.md

@@ -32,12 +32,19 @@ Please include:
 - Fix released as a patch version; coordinated disclosure timeline agreed with the reporter.
 - Credit in the advisory and changelog unless you request anonymity.
 
+## Proactive measures in this repo
+
+- **CodeQL** static analysis runs on every push/PR to `main` plus weekly. Findings appear under [Security → Code scanning](https://github.com/marinsalinas/hevy-cli/security/code-scanning).
+- **Dependabot** opens grouped weekly PRs for Python and GitHub Actions dependencies; major bumps are kept separate for deliberate review.
+- **PyPI Trusted Publishing (OIDC)** + **Sigstore attestations** on every release — no long-lived API tokens in the repo, artifacts are cryptographically attested.
+- **Branch protection** on `main` requires PR + passing CI matrix (3.11 / 3.12 / 3.13) before merge.
+
 ## Scope
 
 In scope:
 
 - The `hevy-cli` codebase in this repository.
-- The packaging/publishing pipeline (`.github/workflows/release.yml`, PyPI artifact integrity).
+- The packaging/publishing pipeline (`.github/workflows/release-please.yml`, PyPI artifact integrity).
 - Handling of user-supplied API keys (storage, logging, masking, environment precedence).
 
 Out of scope: