diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 74ce18d4..08f42322 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -1,65 +1,23 @@ -# CodeQL scans for security vulnerabilities and coding errors across all -# languages in this repo. Results appear in the "Security" tab under -# "Code scanning alerts" and are enforced by branch protection rules. name: "CodeQL" -permissions: {} - on: push: branches: [ "main" ] pull_request: branches: [ "main" ] - # Weekly scheduled scan catches newly disclosed vulnerabilities in - # existing code, not just changes introduced by PRs. schedule: - cron: '38 11 * * 3' +permissions: {} + jobs: analyze: - name: Analyze (${{ matrix.language }}) - runs-on: ubuntu-latest + name: Analyze + uses: anchore/workflows/.github/workflows/codeql.yaml@15122524ced7906bfa9685eeae12e22647773ea6 # v0.6.0 permissions: - # Required to upload SARIF results to the "Security" tab. security-events: write - # Required to fetch internal or private CodeQL packs. packages: read - # Only required for workflows in private repositories. actions: read contents: read - - strategy: - fail-fast: false - matrix: - include: - # GitHub Actions workflow linting — no build needed. - - language: actions - build-mode: none - - # JavaScript/TypeScript — no build needed for CodeQL analysis. - - language: javascript-typescript - build-mode: none - - # Python — doc generation scripts and test utilities in src/ and tests/. - - language: python - build-mode: none - - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: Initialize CodeQL - uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 - with: - # The category tag lets GitHub associate SARIF results with the - # correct language when branch protection checks for required - # code scanning results. 
- category: "/language:${{matrix.language}}"
+ with:
+ languages: 'python,javascript,actions'
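Review bot: The check identity changes here — `name: Analyze` replaces `Analyze (${{ matrix.language }})` and the per-language `category: "/language:…"` tag is dropped — so any branch-protection rule or ruleset that required the old per-language checks (the removed header comment says results are "enforced by branch protection rules") will stop being satisfiable until it is pointed at whatever check names and SARIF categories the called workflow emits. Before merging, confirm that `anchore/workflows/.github/workflows/codeql.yaml@15122524…` assigns a distinct category per language; if it does not, the `python`, `javascript` and `actions` uploads for the same commit may collide rather than appear side by side. The `persist-credentials: false` checkout, the pinned `github/codeql-action` versions and the `fail-fast: false` matrix now live in that external workflow, outside this repo's review, so the SHA pin and its `# v0.6.0` tag should be bumped only through the same pinned-review process as any other action. The removed comments on the permissions block still apply to the caller-side grant, so I would keep them, e.g. `# Upper bound on what the called workflow may use; security-events: write is needed to upload SARIF.` above `permissions:`.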