diff --git a/src/Client/AzureManaged/DurableTaskSchedulerClientOptions.cs b/src/Client/AzureManaged/DurableTaskSchedulerClientOptions.cs
index 3a00ba7a1..01b2268cd 100644
--- a/src/Client/AzureManaged/DurableTaskSchedulerClientOptions.cs
+++ b/src/Client/AzureManaged/DurableTaskSchedulerClientOptions.cs
@@ -173,7 +173,7 @@ this.Credential is not null
         switch (authType.ToLowerInvariant())
         {
             case "defaultazure":
-                return new DefaultAzureCredential();
+                return new DefaultAzureCredential(); // CodeQL [SM05137] Use DefaultAzureCredential explicitly for local development and is decided by the user
             case "managedidentity":
                 return new ManagedIdentityCredential(connectionString.ClientId);
             case "workloadidentity":
diff --git a/src/Worker/AzureManaged/DurableTaskSchedulerWorkerOptions.cs b/src/Worker/AzureManaged/DurableTaskSchedulerWorkerOptions.cs
index 65aa52610..de2b75d4b 100644
--- a/src/Worker/AzureManaged/DurableTaskSchedulerWorkerOptions.cs
+++ b/src/Worker/AzureManaged/DurableTaskSchedulerWorkerOptions.cs
@@ -135,7 +135,7 @@ this.Credential is not null
         switch (authType.ToLowerInvariant())
         {
             case "defaultazure":
-                return new DefaultAzureCredential();
+                return new DefaultAzureCredential(); // CodeQL [SM05137] Use DefaultAzureCredential explicitly for local development and is decided by the user
             case "managedidentity":
                 return new ManagedIdentityCredential(connectionString.ClientId);
             case "workloadidentity":
diff --git a/src/Worker/Core/Shims/TaskOrchestrationContextWrapper.cs b/src/Worker/Core/Shims/TaskOrchestrationContextWrapper.cs
index c7c5dea57..5bf3fbe55 100644
--- a/src/Worker/Core/Shims/TaskOrchestrationContextWrapper.cs
+++ b/src/Worker/Core/Shims/TaskOrchestrationContextWrapper.cs
@@ -379,7 +379,9 @@ static void SwapByteArrayElements(byte[] byteArray, int left, int right)
 
         byte[] hashByteArray;
 #pragma warning disable CA5350 // Do Not Use Weak Cryptographic Algorithms -- not for cryptography
-        using (HashAlgorithm hashAlgorithm = SHA1.Create())
+        using (HashAlgorithm hashAlgorithm = SHA1.Create()) /* CodeQL [SM02196] Suppressed: SHA1 is not used for cryptographic purposes here. The information being hashed is not sensitive,
+                                                               and the goal is to generate a deterministic Guid. We cannot update to SHA2-based algorithms without breaking
+                                                               customers' inflight orchestrations. */
         {
             hashAlgorithm.TransformBlock(namespaceValueByteArray, 0, namespaceValueByteArray.Length, null, 0);
             hashAlgorithm.TransformFinalBlock(nameByteArray, 0, nameByteArray.Length);