diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index 51e3e403..7e6ff4a5 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -15,6 +15,7 @@ jobs: runs-on: ${{ matrix.os }} permissions: contents: write + security-events: write strategy: fail-fast: false matrix: @@ -23,6 +24,13 @@ jobs: - name: Checkout code changes uses: actions/checkout@v5 + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + if: runner.os == 'Linux' + with: + languages: "java" + queries: security-and-quality + - name: Setup FFmpeg uses: FedericoCarboni/setup-ffmpeg@v3 with: 
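Review bot: `security-events: write` on the `tests` job is not needed: the only CodeQL step that runs in this job is `analyze` with `upload: false`, and the actual upload happens in the separate `codeql` job, which already carries that permission. As written, every matrix leg — including the non-Linux ones that never touch CodeQL — and every third-party action in the job (e.g. `FedericoCarboni/setup-ffmpeg`) receives a token that can write code-scanning alerts, on top of the pre-existing `contents: write`. Drop the added line, or if it is kept deliberately, add a comment on it saying which step needs it. The job's `strategy.matrix` definition continues outside the hunk, so I cannot confirm how many legs this token reaches.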
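Review bot: `github/codeql-action/init@v3` is referenced by a mutable major tag, so whoever controls that tag controls what runs with this job's token; pin to a full commit SHA and keep the version in a trailing comment, e.g. `uses: github/codeql-action/init@<full-sha> # v3`. The same applies to the other action references this change introduces later in the file — `analyze`, `upload-sarif` and especially `advanced-security/filter-sarif@v1`, which decides which findings reach code scanning and could silently suppress alerts if its tag were repointed. Dependabot's `github-actions` ecosystem keeps SHA pins current, so the cost is low.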
@@ -52,10 +60,61 @@ jobs: if: runner.os == 'Linux' with: name: coverage_report - path: .qodana/code-coverage/report.xml + path: build/code-coverage/report.xml retention-days: 1 if-no-files-found: error + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@v3 + if: runner.os == 'Linux' + with: + upload: false + output: build/sarif-results + + - name: Upload CodeQL report + uses: actions/upload-artifact@v4 + if: runner.os == 'Linux' + with: + name: codeql_analysis + path: build/sarif-results/java.sarif + retention-days: 1 + if-no-files-found: error + + codeql: + name: Upload CodeQL analysis + needs: tests + runs-on: ubuntu-latest + permissions: + checks: write + security-events: write + steps: + - name: Checkout code changes + uses: actions/checkout@v5 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + fetch-depth: 0 + + - name: Download CodeQL analysis + uses: actions/download-artifact@v5 + with: + name: codeql_analysis + path: build/sarif-results + + - name: Filter SARIF + uses: advanced-security/filter-sarif@v1 + with: + patterns: | + -.gradle/** + -**/generated/** + input: build/sarif-results/java.sarif + output: build/sarif-results/java.sarif + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: build/sarif-results/java.sarif + category: "/language:java" + qodana: name: Perform Qodana analysis if: ${{ vars.QODANA_ENABLED == 'true' }} diff --git a/build.gradle b/build.gradle index 0c611255..8f497cdb 100644 --- a/build.gradle +++ b/build.gradle @@ -70,7 +70,7 @@ jacocoTestReport { reports { html.required = false xml.required = true - xml.outputLocation = file('.qodana/code-coverage/report.xml') + xml.outputLocation = file('build/code-coverage/report.xml') } afterEvaluate { 
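Review bot: The new `codeql` job grants `checks: write`, but none of its steps (checkout, download-artifact, filter-sarif, upload-sarif) creates a check run; `upload-sarif` needs only `security-events: write` plus read access, so that line should be removed to keep the job's token at least privilege. Because the job is gated by `needs: tests` with no `if:`, a failing test leg on any OS also skips the SARIF upload, so code-scanning results disappear exactly when the build is unhealthy; `if: ${{ !cancelled() }}` on the job would keep the upload running whenever the Linux artifact was produced. Note also that uploading from a second job of the same workflow does not change the token's trust level — on pull requests from forks `GITHUB_TOKEN` is still read-only — so if that was the motivation for the artifact round-trip, a `workflow_run`-triggered workflow is what is needed. The `on:` trigger block is outside this diff, so I cannot tell which events this runs on.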
@@ -88,7 +88,7 @@ def generateCohArchive = tasks.register('generateCohArchive', Exec) { inputs.dir(jlink.map { it.outputDirectory.get().asFile }) def java = jlink.map { it.outputDirectory.file('jre/bin/java').get().asFile.absolutePath } - doFirst { commandLine(java.get(), '-XX:+UseCompactObjectHeaders', '-Xshare:dump') } + doFirst { commandLine(java.get(), '-XX:+UseCompactObjectHeaders', '-Xshare:dump', '-XX:+UnlockDiagnosticVMOptions', '-XX:+AllowArchivingWithJavaAgent') } } jlink.configure { finalizedBy(generateCohArchive) }
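Review bot: `-XX:+AllowArchivingWithJavaAgent` is a diagnostic, unsupported HotSpot flag that exists to let a CDS dump proceed while a Java agent is loaded; as far as I recall, HotSpot records this in the archive and warns at load time that such an archive is for testing only and should not be used in production. Since `generateCohArchive` is wired via `jlink.configure { finalizedBy(generateCohArchive) }`, the archive it produces appears to ship in the runtime image, so the change applies a test-only mode to the production artifact unconditionally. The flag is only needed if something attaches an agent to the dump JVM — presumably a coverage agent injected through `JAVA_TOOL_OPTIONS` during CI runs, which I cannot see from here — so prefer keeping the agent out of the dump instead, e.g. `environment.remove('JAVA_TOOL_OPTIONS')` in the task configuration, and add a comment on the `commandLine` stating why each flag is there. If the flag must stay, gate it on a build property that is only set in the coverage job.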