diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..ecc673510
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,64 @@
+---
+name: CodeQL Security Analysis
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: "29 13 * * 2" # Weekly Tuesday 13:29 UTC
+
+permissions: {}
+
+jobs:
+ analyze:
+ name: Analyze Java
+ runs-on: ubuntu-24.04
+ permissions:
+ actions: read # required for github/codeql-action/init to get workflow details
+ contents: read
+ security-events: write # required for github/codeql-action/analyze to upload SARIF
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+
+ - name: Set up Java
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+ with:
+ distribution: temurin
+ java-version: "25"
+
+ - name: Cache Maven repository
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-maven-codeql-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-maven-codeql-
+ ${{ runner.os }}-maven-
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+ with:
+ languages: java
+ tools: linked
+ queries: security-extended
+
+ # Do not use autobuild — the multi-module Maven structure requires explicit
+ # build invocation so that CodeQL can trace the compilation correctly.
+ # Do not use mise-action here — CodeQL needs to trace the raw Maven build.
+ - name: Build (CodeQL traces the build)
+ run: >
+ ./mvnw clean compile
+ -DskipTests
+ -Dcoverage.skip=true
+ -Dcheckstyle.skip=true
+ -Djavadoc.skip=true
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+ with:
+ category: /language:java
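Review bot: The `analyze` job sets no `timeout-minutes`, so a stalled Maven download or CodeQL trace in the "Build (CodeQL traces the build)" step keeps the runner busy until the 6-hour default before the job fails; add `timeout-minutes: 60` (bound chosen from observed run times) at job level next to `runs-on: ubuntu-24.04`. The `analysis` job in scorecard.yml has the same omission. Separately, the traced build goes through `./mvnw`, which fetches the Maven distribution at run time; whether `.mvn/wrapper/maven-wrapper.properties` pins `distributionSha256Sum` is not visible in this diff and is worth confirming so the build CodeQL traces does not depend on an unverified download.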
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 000000000..934b781b8
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,46 @@
+---
+name: OSSF Scorecard
+
+on:
+ push:
+ branches: [main]
+ schedule:
+ - cron: "43 6 * * 5" # Weekly Friday 06:43 UTC
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-24.04
+ # Prevents fork runs from failing due to missing write permissions or secrets.
+ if: ${{ github.repository == 'prometheus/client_java' }}
+ permissions:
+ contents: read
+ security-events: write # required to upload SARIF results
+ id-token: write # required by scorecard-action for OIDC token
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+
+ - name: Run OSSF Scorecard analysis
+ uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: Upload to code scanning
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+ with:
+ sarif_file: results.sarif