diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000000..912ba46c57b
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,160 @@
+name: "CodeQL"
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ main ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ main ]
+ schedule:
+ - cron: '21 18 * * 5'
+
+jobs:
+
+ # XXX this is mostly an inlined copy of the 'build' job in build.yml
+ build_extractor_pack:
+ strategy:
+ matrix:
+ os: [ubuntu-latest]
+
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/cache@v2
+ with:
+ path: |
+ ~/.cargo/registry
+ ~/.cargo/git
+ target
+ key: ${{ runner.os }}-rust-cargo-${{ hashFiles('**/Cargo.lock') }}
+ - name: Check formatting
+ run: cargo fmt --all -- --check
+ - name: Build
+ run: cargo build --verbose
+ - name: Run tests
+ run: cargo test --verbose
+ - name: Release build
+ run: cargo build --release
+ - name: Generate dbscheme
+ run: target/release/ql-generator
+ - uses: actions/upload-artifact@v2
+ with:
+ name: ql.dbscheme
+ path: ql/src/ql.dbscheme
+ - uses: actions/upload-artifact@v2
+ with:
+ name: TreeSitter.qll
+ path: ql/src/codeql_ql/ast/internal/TreeSitter.qll
+ - uses: actions/upload-artifact@v2
+ with:
+ name: extractor-${{ matrix.os }}
+ path: |
+ target/release/ql-extractor
+ retention-days: 1
+ # XXX this is mostly an inlined copy of the 'package' job in build.yml
+ - run: |
+ mkdir -p ${PACK_DIR}
+ env:
+ PACK_DIR: ${{ runner.temp }}/pack
+
+ - name: Pack
+ working-directory: ${{ runner.temp }}/pack
+ run: |
+ mkdir -p ql
+ cp -r "${CHECKOUT}/codeql-extractor.yml" "${CHECKOUT}/tools" "${CHECKOUT}/ql/src/ql.dbscheme" "${CHECKOUT}/ql/src/ql.dbscheme.stats" ql/
+ mkdir -p ql/tools/linux64
+ cp "${CHECKOUT}/target/release/ql-extractor" ql/tools/linux64/extractor
+ chmod +x ql/tools/linux64/extractor
+ zip -rq codeql-ql.zip ql
+ env:
+ CHECKOUT: ${{ github.workspace }}
+
+ - uses: actions/upload-artifact@v2
+ with:
+ name: extractor-pack
+ path: ${{ runner.temp }}/pack/codeql-ql.zip
+ retention-days: 1
+
+ analyze:
+ name: Analyze
+ needs: 
build_extractor_pack
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Download pack
+ uses: actions/download-artifact@v2
+ with:
+ name: extractor-pack
+ path: ${{ runner.temp }}/extractor-pack-artifact
+
+ - name: Unzip pack
+ run: |
+ set -x
+ mkdir "${PACKTMP}"
+ cd "${PACKTMP}"
+ unzip "${PACKARTIFACT}/*.zip" -d unzipped
+ cp -r unzipped/ql "${PACK}"
+ env:
+ PACKTMP: ${{ runner.temp }}/extractor-pack-artifact.tmp
+ PACKARTIFACT: ${{ runner.temp }}/extractor-pack-artifact
+ PACK: ${{ runner.temp }}/extractor-pack
+
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Make config file
+ run: |
+ set -x
+ echo "name: CodeQL config for QL" >> "${CONFIG_FILE}"
+ echo "" >> "${CONFIG_FILE}"
+ echo "disable-default-queries: true" >> "${CONFIG_FILE}"
+ echo "" >> "${CONFIG_FILE}"
+ echo "queries: " >> "${CONFIG_FILE}"
+ echo " - name: Standard queries" >> "${CONFIG_FILE}"
+ echo " uses: ${SUITE}" >> "${CONFIG_FILE}"
+ cat "${CONFIG_FILE}"
+ env:
+ SUITE: ./ql/src/codeql-suites/ql-code-scanning.qls
+ CONFIG_FILE: ./.custom-codeql-actions-config.yml
+
+ - name: Hack codeql-action options
+ run: |
+ JSON=$(jq -nc --arg pack "${PACK}" '.resolve.extractor=["--search-path", $pack] | .database.init=["--search-path", $pack]')
+ echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}
+ env:
+ PACK: ${{ runner.temp }}/extractor-pack
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@esbena/ql
+ with:
+ languages: ql
+ db-location: ${{ runner.temp }}/db
+ config-file: ./.custom-codeql-actions-config.yml
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@esbena/ql
+ with:
+ results: ${{ runner.temp }}/results
+ add-snippets: true
+
+ - name: Upload db
+ uses: actions/upload-artifact@v2
+ with:
+ name: db
+ path: ${{ runner.temp }}/db
+ retention-days: 1
+
+ - name: Upload results
+ uses: actions/upload-artifact@v2
+ with:
+ name: results
+ path: ${{ 
runner.temp }}/results
+ retention-days: 1
diff --git a/ql/src/codeql-suites/ql-code-scanning.qls b/ql/src/codeql-suites/ql-code-scanning.qls
index 1d2eeaec0c1..ae349649944 100644
--- a/ql/src/codeql-suites/ql-code-scanning.qls
+++ b/ql/src/codeql-suites/ql-code-scanning.qls
@@ -1,4 +1,8 @@
 - description: Standard Code Scanning queries for QL
-- qlpack: codeql-ql
-- apply: code-scanning-selectors.yml
- from: codeql-suite-helpers
+- queries: .
+- include:
+ kind:
+ - problem
+ - path-problem
+ - alert
+ - path-alert
diff --git a/ql/src/codeql-suites/ql-lgtm-full.qls b/ql/src/codeql-suites/ql-lgtm-full.qls
deleted file mode 100644
index 654f3cf4d95..00000000000
--- a/ql/src/codeql-suites/ql-lgtm-full.qls
+++ /dev/null
@@ -1,11 +0,0 @@
-- description: Standard LGTM queries for QL, including ones not displayed by default
-- qlpack: codeql-ql
-- apply: lgtm-selectors.yml
- from: codeql-suite-helpers
-# These are only for IDE use.
-- exclude:
- tags contain:
- - ide-contextual-queries/local-definitions
- - ide-contextual-queries/local-references
-- query: Metrics/FLinesOfCode.ql
-
diff --git a/ql/src/codeql-suites/ql-lgtm.qls b/ql/src/codeql-suites/ql-lgtm.qls
deleted file mode 100644
index dc5e2322558..00000000000
--- a/ql/src/codeql-suites/ql-lgtm.qls
+++ /dev/null
@@ -1,4 +0,0 @@
-- description: Standard LGTM queries for QL
-- apply: codeql-suites/ql-lgtm-full.qls
-- apply: lgtm-displayed-only.yml
- from: codeql-suite-helpers
diff --git a/ql/src/codeql-suites/ql-security-and-quality.qls b/ql/src/codeql-suites/ql-security-and-quality.qls
deleted file mode 100644
index adf758373a2..00000000000
--- a/ql/src/codeql-suites/ql-security-and-quality.qls
+++ /dev/null
@@ -1,4 +0,0 @@
-- description: Security-and-quality queries for QL
-- qlpack: codeql-ql
-- apply: security-and-quality-selectors.yml
- from: codeql-suite-helpers
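Review bot: The `build_extractor_pack` job has no `permissions:` block, so it runs with whatever default GITHUB_TOKEN scope the repository grants even though its steps only check out, build, cache and upload artifacts; add `permissions:` / `contents: read` next to its `runs-on: ${{ matrix.os }}` line, as the `analyze` job below already does. The two `github/codeql-action/init@esbena/ql` and `analyze@esbena/ql` references resolve a mutable personal branch for an action that is granted `security-events: write`; if this workflow is meant to outlive the experiment, pin them to a release tag or commit SHA once the needed changes land, and otherwise say so next to the `# XXX` comments. Those `# XXX` comments note the duplication with build.yml but not why an inline copy is required — presumably so `analyze` consumes the extractor built from this same ref — so a one-line `# inlined so the analyze job can use the extractor built from this checkout` (if that is the reason) would help the next reader.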
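Review bot: The rewritten `ql-code-scanning.qls` filters only on `kind`, so every `problem`/`path-problem`/`alert`/`path-alert` query reachable from `- queries: .` is selected regardless of `precision`, `deprecated` metadata or an `experimental/` location, whereas the `code-scanning-selectors.yml` it drops narrows on those (from memory; worth confirming against codeql-suite-helpers). If that narrowing is still wanted, add `- exclude:` with `deprecated: //` after the include, plus a `query path` exclusion for experimental queries. Note also that `queries: .` is resolved relative to the root of the QL pack containing the suite rather than the `codeql-suites` directory — presumably the intent, but a comment such as `# every query in the codeql-ql pack, filtered by kind below` would make it explicit.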
diff --git a/ql/src/codeql-suites/ql-security-extended.qls b/ql/src/codeql-suites/ql-security-extended.qls
deleted file mode 100644
index f96869e486e..00000000000
--- a/ql/src/codeql-suites/ql-security-extended.qls
+++ /dev/null
@@ -1,4 +0,0 @@
-- description: Security-extended queries for QL
-- qlpack: codeql-ql
-- apply: security-extended-selectors.yml
- from: codeql-suite-helpers