diff --git a/.pipelines/codeql.yml b/.pipelines/codeql.yml
new file mode 100644
index 00000000000..91c758d4c5b
--- /dev/null
+++ b/.pipelines/codeql.yml
@@ -0,0 +1,56 @@
+# Azure DevOps Pipeline running CI
+#
+# Note: This pipeline uses a secret variable "github_codeql_upload_token".
+# This is a GitHub Personal Access Token (Classic) owned by mbarnes.
+# It has no expiration and only has the "security_events" scope for
+# the purpose of uploading CodeQL results.
+#
+# However, for this secret to be available to pull requests from
+# forked ARO-RP repositories, the pipeline option "Make secrets
+# available to builds of forks" is enabled.
+#
+# More information:
+# https://learn.microsoft.com/en-us/azure/devops/pipelines/repos/github#contributions-from-forks
+#
+trigger:
+ branches:
+ include:
+ - master
+ paths:
+ exclude:
+ - docs/*
+ tags:
+ include:
+ - v2*
+pr:
+ branches:
+ include:
+ - master
+ paths:
+ exclude:
+ - docs/*
+resources:
+ containers:
+ - container: golang
+ image: registry.access.redhat.com/ubi8/go-toolset:1.18
+ options: --user=0
+variables:
+ - template: vars.yml
+jobs:
+ - job: Golang_CodeQL
+ pool:
+ name: 1es-aro-ci-pool
+ variables:
+ HOME: $(Agent.BuildDirectory)
+ steps:
+ - template: ./templates/template-checkout.yml
+ - template: ./templates/template-codeql.yml
+ parameters:
+ language: go
+ target: golang
+ github_token: $(github_codeql_upload_token)
+ timeoutInMinutes: 120
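Review bot: The header comment documents that `github_codeql_upload_token` — a non-expiring classic PAT owned by one person — is made available to builds of fork pull requests, and the hunk then passes it straight into `template-codeql.yml` via `github_token: $(github_codeql_upload_token)`; since a fork PR can also change this YAML and the referenced templates, the token is reachable by code that has not been reviewed yet, which is the exposure the linked "contributions from forks" page warns about. A `security_events` scope is narrow but still allows reading and writing the repository's code-scanning data, so a leak is not harmless. Prefer keeping "Make secrets available to builds of forks" disabled and gating the upload instead, e.g. pass the token only when `eq(variables['System.PullRequest.IsFork'], 'False')` and have the template skip the upload step when `github_token` is empty (the template's contents are outside this hunk, so confirm it tolerates an empty value). Independently, give the PAT an expiration and move ownership to a service account so rotation is not tied to an individual, and record that in the header comment in place of "It has no expiration". The `options: --user=0` line runs the toolset container as root; if that is only needed for workspace write access, a comment saying so would help the next reader decide whether it can be dropped.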