diff --git a/.github/workflows/ci_ubuntu.yaml b/.github/workflows/ci_ubuntu.yaml
index f9b0d4181..168b8a7b3 100644
--- a/.github/workflows/ci_ubuntu.yaml
+++ b/.github/workflows/ci_ubuntu.yaml
@@ -4,6 +4,7 @@ on: [pull_request, push]
 permissions:
 actions: write
+ security-events: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -65,6 +66,14 @@ jobs:
 cmake --build build
 sudo cmake --install build
+ # to avoid scanning 3rdparty codebases, initialize it just before building qbt
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ if: startsWith(matrix.libt_version, 2) && (matrix.qbt_gui == 'GUI=ON') && startsWith(matrix.qt_version, 6)
+ with:
+ config-file: ./.github/workflows/helper/codeql/cpp.yaml
+ languages: cpp
+
 - name: Build qBittorrent (Qt5)
 if: ${{ startsWith(matrix.qt_version, 5) }}
 run: |
@@ -104,6 +113,10 @@ jobs:
 cmake --build build --target check
 DESTDIR="qbittorrent" cmake --install build
+ - name: Run CodeQL analysis
+ uses: github/codeql-action/analyze@v2
+ if: startsWith(matrix.libt_version, 2) && (matrix.qbt_gui == 'GUI=ON') && startsWith(matrix.qt_version, 6)
+
 - name: Prepare build artifacts
 run: |
 mkdir upload
diff --git a/.github/workflows/ci_webui.yaml b/.github/workflows/ci_webui.yaml
index 335cfe6ad..08daaae6f 100644
--- a/.github/workflows/ci_webui.yaml
+++ b/.github/workflows/ci_webui.yaml
@@ -2,7 +2,8 @@ name: CI - WebUI
 on: [pull_request, push]
-permissions: {}
+permissions:
+ security-events: write
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -36,3 +37,12 @@ jobs:
 run: |
 npm run format
 git diff --exit-code
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ config-file: ./.github/workflows/helper/codeql/js.yaml
+ languages: javascript
+
+ - name: Run CodeQL analysis
+ uses: github/codeql-action/analyze@v2
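Review bot: The `if:` expression on `Initialize CodeQL` (`startsWith(matrix.libt_version, 2) && (matrix.qbt_gui == 'GUI=ON') && startsWith(matrix.qt_version, 6)`) is repeated verbatim on `Run CodeQL analysis` in the following hunk of this file; if only one copy is edited, init runs with nothing uploaded or analyze fails for lack of a database. Computing it once would keep the two steps in lockstep, e.g. a job-level `env: RUN_CODEQL: ${{ startsWith(matrix.libt_version, 2) && (matrix.qbt_gui == 'GUI=ON') && startsWith(matrix.qt_version, 6) }}` with `if: env.RUN_CODEQL == 'true'` on both steps. Separately, `uses: github/codeql-action/init@v2` (and the `analyze@v2` uses later in this file and in ci_webui.yaml) resolves a mutable tag; if the workflow's other actions are pinned to commit SHAs, these should match, e.g. `uses: github/codeql-action/init@<full-commit-sha> # v2.x.y`. The enclosing job starts before this hunk.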
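Review bot: Replacing `permissions: {}` with `security-events: write` at workflow level in ci_webui.yaml grants that scope to every step of the job, including the `npm run format` step visible in the next hunk, although only the CodeQL upload needs it. Moving the CodeQL init/analyze steps into their own job with a job-level `permissions:` block of `security-events: write` would let the npm steps keep the empty token they had before. The other scopes remain unset (none), which is fine here: the job already checked out under `permissions: {}` before this change, so no `contents` entry is needed.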
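Review bot: In the last hunk of ci_webui.yaml, `Initialize CodeQL` and `Run CodeQL analysis` are appended after `git diff --exit-code`, so a formatting failure in that step stops the job before any scan runs and a pull request with a formatting nit gets no code scanning result. If the scan is meant to be independent of formatting, place these two steps before the format check, or give both `if: ${{ !cancelled() }}` so they still run after an earlier failed step. The enclosing job begins before this hunk.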
diff --git a/.github/workflows/helper/codeql/cpp.yaml b/.github/workflows/helper/codeql/cpp.yaml
new file mode 100644
index 000000000..3e09fec53
--- /dev/null
+++ b/.github/workflows/helper/codeql/cpp.yaml
@@ -0,0 +1,14 @@
+name: "CodeQL config for C++"
+
+queries:
+ - uses: security-and-quality
+
+query-filters:
+ - exclude:
+ id: cpp/commented-out-code
+ - exclude:
+ id: cpp/include-non-header
+ - exclude:
+ id: cpp/loop-variable-changed
+ - exclude:
+ id: cpp/useless-expression
diff --git a/.github/workflows/helper/codeql/js.yaml b/.github/workflows/helper/codeql/js.yaml
new file mode 100644
index 000000000..4d05b6db2
--- /dev/null
+++ b/.github/workflows/helper/codeql/js.yaml
@@ -0,0 +1,11 @@
+name: "CodeQL config for Javascript"
+
+paths-ignore:
+ - "**/lib/*"
+
+queries:
+ - uses: security-and-quality
+
+query-filters:
+ - exclude:
+ id: js/superfluous-trailing-arguments
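Review bot: The four `query-filters` exclusions in cpp.yaml carry no rationale, so a reader cannot tell from the file whether these are quality-only queries that were too noisy or whether a security finding is being silenced. A one-line comment above `query-filters:` such as `# quality/maintainability queries that are noisy on this codebase; no security queries are excluded` (adjusted to the actual reason) would make future edits to the list safer to review. The same applies to `js/superfluous-trailing-arguments` in js.yaml below.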
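Review bot: `paths-ignore: "**/lib/*"` in js.yaml excludes only files sitting directly inside a `lib` directory; as far as CodeQL's glob rules go, `*` does not cross `/`, so files in any subdirectory of `lib` would still be scanned, which may not be what is intended for vendored code. If entire library trees are meant to be skipped, `- "**/lib/**"` covers nested paths. Either way a short comment naming what lives under `lib` (e.g. `# vendored third-party JavaScript, not maintained here`) would document the intent of the exclusion.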