diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..10fd33a
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,33 @@
+name: CodeQL Security Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze JavaScript and TypeScript
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+          build-mode: none
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript-typescript"
diff --git a/SECURITY.md b/SECURITY.md
index 3dc7874..0a14a12 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -33,11 +33,4 @@ Once a report is received through the GitHub Security Advisory form, we commit t
 
 Maintainers: Please ensure that **GitHub Security Advisories** are enabled for this repository to allow researchers to submit reports privately.
 
-## Logging and Secret Redaction
 
-Server logs are configured to redact Stellar secret keys to prevent accidental leakage. The backend uses `pino` with the following protections:
-
-- Structured field redaction for paths: `*.secretKey`, `*.privateKey`, `*.seed`.
-- Regex-based redaction for any string matching `^S[0-9A-Z]{55}$` (Stellar secret seed format).
-
-If you discover logs containing secret material, please follow the private reporting process above.