diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000000..9d060684e59
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,70 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: ["master"]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["master"]
+ schedule:
+ # runs every day at 4:23 AM UTC
+ - cron: "23 4 * * *"
+
+permissions:
+ contents: read
+
+jobs:
+ codeql_cpp:
+ name: C++
+ runs-on: ubuntu-22.04
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Setup Build Agent
+ uses: ./.github/actions/setup-build-agent
+ with:
+ target: codeql
+ cache-key: linux-gcc-x86_64-codeql
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: cpp
+ config-file: ./src/configs/codeql.yml
+
+ - name: Build Library
+ run: ./src/scripts/ci_build.py codeql
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: cpp
+
+ codeql_py:
+ name: Python
+ runs-on: ubuntu-22.04
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: python
+ config-file: ./src/configs/codeql.yml
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: python
diff --git a/src/configs/codeql.yml b/src/configs/codeql.yml
new file mode 100644
index 00000000000..2d42d22f290
--- /dev/null
+++ b/src/configs/codeql.yml
@@ -0,0 +1,8 @@
+
+query-filters:
+ - exclude:
+ id: cpp/fixme-comment
+ - exclude:
+ id: cpp/weak-cryptographic-algorithm
+ - exclude:
+ id: py/clear-text-logging-sensitive-data
diff --git a/src/scripts/ci_build.py b/src/scripts/ci_build.py
index 0710e6e73f3..4e35bb168e0 100755
--- a/src/scripts/ci_build.py
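Review bot: Every third-party action in this workflow is referenced by a mutable tag (`actions/checkout@v3`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`), so each run executes whatever those tags resolve to that day, in jobs that hold `security-events: write`. Pinning each reference to a full-length commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha-placeholder> # v3`, makes the workflow's dependency set reviewable in the diff and lets Dependabot's `github-actions` ecosystem keep the pins current. The top-level `permissions: contents: read` with per-job escalation only where SARIF upload needs it is already the minimal shape and is worth keeping as-is.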
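Review bot: The three `exclude` entries carry no rationale, and a query excluded in this file is silenced for all current and future code rather than for the locations that motivated it; `py/clear-text-logging-sensitive-data` in particular would also hide a genuine secret-logging finding in any script added later. A one-line comment above each entry saying why it is excluded lets a later reader judge whether the exclusion still applies, for instance `# cpp/weak-cryptographic-algorithm: this code base implements legacy algorithms on purpose (confirm)` — the reason is inferred here, not stated in the diff. The leading blank line at the top of the new file is harmless but can be dropped.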
+++ b/src/scripts/ci_build.py @@ -32,6 +32,7 @@ def known_targets(): return [ 'amalgamation', 'bsi', + 'codeql', 'coverage', 'cross-android-arm32', 'cross-android-arm64', @@ -169,6 +170,9 @@ def sanitize_kv(some_string): flags += ['--with-doxygen', '--with-sphinx', '--with-rst2man'] test_cmd = None + if target == 'codeql': + test_cmd = None + if target == 'cross-win64': # this test compiles under MinGW but fails when run under Wine disabled_tests.append('certstor_system')
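Review bot: The new `if target == 'codeql': test_cmd = None` branch is a no-op as written, because the context line directly above it already sets `test_cmd = None` and nothing between the two lines assigns it. If the intent is that the codeql target builds but never runs the test binary, that only has an effect if code outside this hunk later replaces a `None` `test_cmd` with a default for other targets — in which case a comment such as `# codeql only needs the compile; do not run the test suite` should accompany the branch so the next reader does not remove it as dead code. Otherwise the branch should be dropped, and the `'codeql'` entry in `known_targets()` stands on its own. The enclosing function starts and ends outside the hunk; the `sanitize_kv` in the hunk header is only the nearest preceding def, not this code's function.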