diff --git a/.github/workflows/jss.yml b/.github/workflows/jss.yml
new file mode 100644
index 0000000..24a8f6f
--- /dev/null
+++ b/.github/workflows/jss.yml
@@ -0,0 +1,75 @@
+name: Jenkins Security Scan
+
+on:
+  workflow_call:
+    inputs:
+      java-version:
+        description: Version of Java set up for the build. See actions/setup-java documentation for values.
+        type: string
+        required: true
+      java-cache:
+        description: What kind of Java dependency cache to set up. See actions/setup-java documentation for values.
+        type: string
+        required: false
+
+permissions:
+  security-events: write
+
+  # Private repo support
+  contents: read # For actions/checkout
+  actions: read # For github/codeql-action/upload-sarif
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest # Provides `jq`
+    steps:
+      - name: Check out plugin
+        uses: actions/checkout@v4
+
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: ${{ inputs.java-version }}
+          cache: ${{ inputs.java-cache }}
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: java
+          config: |
+            disable-default-queries: true
+            packs:
+            - jenkins-infra/jenkins-codeql@0.0.2
+            - codeql/java-queries:AlertSuppression.ql
+            - codeql/java-queries:AlertSuppressionAnnotations.ql
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Run CodeQL
+        id: generate-sarif
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: Jenkins Security Scan
+          upload: failure-only
+
+      - name: Process SARIF
+        # Process the generated SARIF file:
+        # 1. Prevent conflicts with otherwise set up CodeQL scan by renaming the tool driver
+        # 2. Remove suppressed warnings because GitHub Code Scanning does not support inline suppressions
+        run: |
+          jq 'setpath(path(.runs[].tool.driver.name); "Jenkins Security Scan") | setpath(path(.runs[].tool.driver.organization); "Jenkins Project") | del(.runs[].results[] | select( .suppressions | length != 0 ))' ../results/java.sarif > jenkins-security-scan.sarif
+          mv -v ../results/java.sarif .
+
+      - name: Archive SARIF
+        uses: actions/upload-artifact@v4
+        with:
+          path: '*.sarif'
+          name: Jenkins Security Scan SARIF
+
+      - name: Upload Scan Result
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: jenkins-security-scan.sarif
+          category: Jenkins Security Scan