diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 000000000..b256a8f8f
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,5 @@
+---
+name: "CodeQL config"
+
+queries:
+ - uses: security-extended  # security-and-quality (very verbose)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000..b25c90a68
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,38 @@
+---
+name: "CodeQL"
+
+on:
+  push
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          # We must fetch at least the immediate parents so that if this is
+          # a pull request then we can checkout the head.
+          fetch-depth: 2
+          submodules: 'recursive'
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: cpp
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - run: |
+          sudo apt-get install -y libssl-dev
+          ./ci/build_picotls.sh
+          ./ci/build_picoquic.sh
+          mkdir build
+          cd build
+          cmake ..
+          cmake --build .
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1