diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..02e21fe
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,7 @@
+name: afm CodeQL config
+
+# upstream/comrak is a verbatim vendored fork with a 0-line diff budget
+# (ADR-0001) — it is not afm's code, so exclude it from analysis to keep
+# results focused on the in-tree crates.
+paths-ignore:
+  - upstream/comrak
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a2922c4..392f719 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -70,9 +70,15 @@ jobs:
         with:
           fetch-depth: 0
       - uses: taiki-e/install-action@v2
+        if: github.actor != 'dependabot[bot]'
         with:
           tool: committed
+        # Dependabot's auto-generated commit subjects/bodies exceed committed's
+        # 50/72 limits; its PRs are squash-merged with a maintainer-set subject,
+        # so skip the lint for the bot. The job still runs and succeeds, keeping
+        # the required "commitlint" check green (a skipped required check blocks).
       - name: Check Conventional Commits (committed)
+        if: github.actor != 'dependabot[bot]'
         run: committed "${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
 
       # Phase-1 fast gate. `just check` runs `cargo check` workspace-wide
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..984b323
--- /dev/null
+++ b/.github/workflows/codeql.yml
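Review bot: The `paths-ignore` entry for `upstream/comrak` may not keep that tree out of the Rust database the way the comment promises: CodeQL's config-file path filters have historically applied at extraction time only for interpreted languages (and for some compiled languages when `build-mode: none` is used), otherwise acting as a filter on reported alerts, so whether the vendored fork is actually skipped for the `rust` scan should be confirmed on the first run rather than assumed. If it turns out to be alert filtering only, say so in the comment so nobody relies on it for analysis time, e.g. `# NOTE: for the Rust scan this may only suppress alerts, not extraction — verified on <date>`. It is also worth one clause noting that excluding the verbatim fork means any findings in comrak surface nowhere in this repo and the project is relying on upstream's own scanning for that code.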
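Review bot: `github.actor` on the two new `if:` lines is the account that triggered the most recent run, not the PR author, so when a maintainer pushes a fix-up commit to a Dependabot PR (or re-runs the workflow) the actor changes, `committed` lints Dependabot's long commit messages, and the required "commitlint" check goes red — the opposite of what the comment intends. The PR author is the stable identity here: `if: github.event.pull_request.user.login != 'dependabot[bot]'` (this workflow only reads `github.event.pull_request.*` on the `run:` line anyway, so the expression is safe for this trigger). From a security standpoint the skip is fine — a third-party account cannot present itself as `dependabot[bot]` in these contexts, and the bypass covers only a message-format lint, not a code or test gate — but a short clause to that effect in the comment would stop a future reader treating it as a trust decision. The enclosing `commitlint` job starts before this hunk.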
@@ -0,0 +1,42 @@
+name: codeql
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "23 4 * * 1" # weekly, Monday 04:23 UTC
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
+# Advanced CodeQL setup (replaces default setup). The matrix scans the real
+# source: Rust (the workspace) and TypeScript/JavaScript (afm-wasm + the
+# afm-book theme). The redundant js/ts aliases and `actions` language that
+# default setup auto-detected are dropped. Vendored comrak (upstream/comrak)
+# is excluded via codeql-config.yml.
+jobs:
+  codeql:
+    name: codeql (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [rust, javascript-typescript]
+    steps:
+      - uses: actions/checkout@v6
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: none
+          config-file: ./.github/codeql/codeql-config.yml
+      - uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
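Review bot: The three action references under `steps` (`actions/checkout@v6`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) are pinned to mutable major tags; for a workflow that holds `security-events: write` and is the repository's code-scanning gate, pin each to a full-length commit SHA with the version in a trailing comment, e.g. `- uses: github/codeql-action/init@<full-sha> # v3.x.y`, so a moved or retagged release cannot change what runs, and let Dependabot's `github-actions` ecosystem keep the SHAs fresh. This matches the existing `taiki-e/install-action@v2` style in ci.yml, so it is a repo-wide convention to tighten rather than a defect unique to this file. Secondary: `concurrency.group` is `codeql-${{ github.ref }}`, and the weekly `schedule` run resolves to the same `refs/heads/main` as `push` runs, so with `cancel-in-progress: true` a push to main can cancel an in-flight scheduled scan (or vice versa); `group: codeql-${{ github.event_name }}-${{ github.ref }}` keeps the two from cancelling each other while still collapsing rapid pushes.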