diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a9f00a1..83493f4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,3 +41,15 @@ jobs:
 - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ codeql:
+ needs: lint
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: github/codeql-action/init@603b797f8b14b413fe025cd935a91c16c4782713 # v3
+ with:
+ languages: actions
+ - uses: github/codeql-action/analyze@603b797f8b14b413fe025cd935a91c16c4782713 # v3
\ No newline at end of file
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..170c700
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Do not open a public issue.** Instead, use [GitHub private vulnerability reporting](https://github.com/calebfaruki/airlock/security/advisories/new) to submit your report.
+
+Include: what you found, steps to reproduce, and which version you tested against.
+
+## Response
+
+You should receive an acknowledgment within 48 hours. Security fixes are prioritized over all other work. We aim to release a fix within 90 days of a confirmed report, coordinating public disclosure timing with the reporter.
+
+## Supported Versions
+
+Only the latest release receives security patches.
+
+## Scope
+
+Security issues include: socket permission bypass, command allowlist bypass, environment isolation escape, shell injection, credential leakage across profiles, and audit log tampering.
+
+Out of scope: denial of service via slow commands, feature requests, and issues in user-authored hooks or command overrides.
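Review bot: The `permissions` block of the new `codeql` job grants only `security-events: write`, which resets every other GITHUB_TOKEN scope to none, including `contents: read`; GitHub's own CodeQL workflow template declares `contents: read` next to it (and `actions: read` / `packages: read` when the repository is private or pulls private query packs), and without it the checkout or analyze step may fail on a private repository, so the block should read `permissions:` / `  contents: read` / `  security-events: write`. The `# v3` comments on the two `github/codeql-action` pins record only the major alias, whereas the neighbouring pins (`# v2.0.0`, `# v6.0.2`) note the exact release the SHA corresponds to, so these two cannot be audited against a release without resolving the SHA; record the exact tag. The hunk also leaves ci.yml without a trailing newline (`\ No newline at end of file`), which will surface as churn in the next edit to that file.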