diff --git a/.azure/default-build.yml b/.azure/default-build.yml
index 0234c36..f4bd00e 100644
--- a/.azure/default-build.yml
+++ b/.azure/default-build.yml
@@ -66,6 +66,10 @@ jobs:
         condition: eq( variables['Agent.OS'], 'Windows_NT' )
         displayName: Run tests
 
+    - script: "echo ##vso[build.addbuildtag]CodeQL3000"
+      displayName: 'Set CI CodeQL3000 tag'
+      condition: ne(variables.CODEQL_DIST,'')
+
     - ${{ parameters.afterBuild }}
 
     - task: PublishTestResults@2
diff --git a/.config/tsaoptions.json b/.config/tsaoptions.json
new file mode 100644
index 0000000..e3cfd60
--- /dev/null
+++ b/.config/tsaoptions.json
@@ -0,0 +1,12 @@
+{
+  "areaPath": "DevDiv\\ASP.NET OOB\\SignalR",
+  "codebaseName": "SignalR-Client-Cpp",
+  "instanceUrl": "https://devdiv.visualstudio.com/",
+  "iterationPath": "DevDiv",
+  "notificationAliases": [
+    "aspnetcore-build@microsoft.com"
+  ],
+  "projectName": "DEVDIV",
+  "repositoryName": "SignalR-Client-Cpp",
+  "template": "TFSDEVDIV"
+}
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 1e140b9..7b9afbe 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -16,10 +16,19 @@ variables:
     value: true
   - name: _BuildConfig
     value: 'Debug'
-  - name: Codeql.Enabled
-    value: true
-  # used for post-build phases, internal builds only
   - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+    - name: Codeql.Enabled
+      value: true
+    # Run once per week
+    - name: Codeql.Cadence
+      value: 168
+    - name: Codeql.SourceRoot
+      value: src
+    - name: Codeql.TSAEnabled
+      value: true
+    - name: Codeql.TSAOptionsPath
+      value: '$(Build.SourcesDirectory)/.config/tsaoptions.json'
+    # used for post-build phases, internal builds only
     - group: DotNet-AspNet-SDLValidation-Params
 
 trigger: