diff --git a/.github/workflows/contracts/chainloop-vault-codeql.yaml b/.github/workflows/contracts/chainloop-vault-codeql.yaml
index fd143765b..c849e2f36 100644
--- a/.github/workflows/contracts/chainloop-vault-codeql.yaml
+++ b/.github/workflows/contracts/chainloop-vault-codeql.yaml
@@ -17,8 +17,11 @@ spec:
 with:
 check_signature: yes
 check_author_verified: yes
+ materials:
+ - ref: owasp-top10-2025
 policyGroups:
 - ref: slsa-checks
 with:
 runner: GITHUB_ACTION
 - ref: sast
+ - ref: cwes
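Review bot: The two added references, `- ref: owasp-top10-2025` under `materials:` and `- ref: cwes` under `policyGroups:`, are bare names with no version or digest, so whatever the policy provider serves under those names when the attestation is evaluated is what gets enforced, and that can change without any change to this contract. If the resolver accepts a pinned form, consider pinning both (for example `- ref: cwes@sha256:<digest-placeholder>`), or at least add a comment such as `# resolved by name from the policy provider; content is not pinned in this contract` above each entry. `cwes` is also added without a `with:` block while the neighbouring `slsa-checks` passes `runner`; presumably it needs no inputs, but that is worth confirming against the group definition. The parent key of `materials:` starts outside the hunk, so its nesting cannot be checked from here.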