diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 000000000..2c290189a
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,92 @@
+# Copyright 2025 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: "CodeQL Advanced"
+
+on:
+  pull_request:
+  push:
+    branches: ["main"]
+  schedule:
+    - cron: "35 23 * * 0"
+
+env:
+  CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
+
+permissions: {}
+
+jobs:
+  analyze:
+    if: ${{ github.repository }} == 'chainguard-dev/malcontent'
+    runs-on: mal-ubuntu-latest-8-core
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      security-events: write
+    steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout virusTotal/yara-x
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+          repository: virusTotal/yara-x
+          path: yara-x
+          ref: refs/tags/v0.14.0
+      - name: Install Rust for yara-x-capi
+        uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1
+        with:
+          toolchain: stable
+      - name: Install cargo-c and yara-x-capi
+        run: |
+          cd ${{ github.workspace }}/yara-x
+          cargo install cargo-c --locked
+          sudo -E env "PATH=$PATH" cargo cinstall -p yara-x-capi --features=native-code-serialization --release
+          sudo ldconfig -v
+          cd ${{ github.workspace }}
+          sudo rm -rf ${{ github.workspace }}/yara-x
+      - name: Set up Go
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: "go.mod"
+          check-latest: true
+          cache: false
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        with:
+          languages: go
+          build-mode: manual
+      - run: |
+          go build -o /dev/null ./...
+          go test -o /dev/null -c ./...
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        with:
+          category: "/language:go"
+  analyze-actions:
+    if: ${{ github.repository }} == 'chainguard-dev/malcontent'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      security-events: write
+    steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        with:
+          languages: actions
+          build-mode: none
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        with:
+          category: "/language:actions"