diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f180311
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  # No package.json at the repo root — site is static HTML + a build-blog
+  # script that runs `node build-blog.js` directly with Node's stdlib.
+  # Only github-actions needs tracking until/unless a build pipeline
+  # introduces real npm deps.
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..8cf8e99
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,43 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "37 7 * * 1"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript-typescript]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # Default queries are enough for a static-site repo. The only
+          # JS surface is build-blog.js (build-time, no user input) plus
+          # inline <script> tags in the HTML pages — XSS-shape findings
+          # are exactly what we want surfaced.
+          config: |
+            paths-ignore:
+              - "**/node_modules/**"
+              - "dist-docs/**"
+              - "vendor/**"
+
+      - uses: github/codeql-action/analyze@v3
+        with:
+          category: /language:${{ matrix.language }}
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..d040801
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,25 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in the getbased.health website (this repo), please report it privately via [GitHub Security Advisories](https://github.com/elkimek/get-based-site/security/advisories/new).
+
+Do **not** open a public issue for security vulnerabilities.
+
+I'll acknowledge receipt within 48 hours and aim to release a fix within 7 days for critical issues.
+
+## Scope
+
+- Static site code (HTML, CSS, inline JavaScript)
+- Blog build script (`build-blog.js`) and template (`blog-template.html`)
+- Install script served at `/install.sh` (and its checksum at `/install.sh.sha256`)
+
+## Out of Scope
+
+- The getbased web app itself — please report to [elkimek/get-based](https://github.com/elkimek/get-based/security/advisories/new)
+- Self-hosted relay infrastructure — please report to [elkimek/getbased-relay](https://github.com/elkimek/getbased-relay/security/advisories/new)
+- Browser vulnerabilities
+
+## Note on the install script
+
+`/install.sh` is the canonical installer for the agent stack. Its SHA-256 is published at `/install.sh.sha256`. If you find a way to deliver a tampered `install.sh` to a user (e.g. via DNS hijack, MITM, supply-chain compromise of the hosting platform), report it through the private channel above — this is the only network-trust assumption a getbased user makes.