diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 41b4bb14..bd83e2fa 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -88,23 +88,6 @@ jobs:
 - name: Check
 run: pnpm check

- sast:
- name: SAST
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: javascript-typescript
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
-
 test:
 name: Test
 runs-on: ubuntu-latest
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
new file mode 100644
index 00000000..c62a000c
--- /dev/null
+++ b/.github/workflows/sast.yml
@@ -0,0 +1,29 @@
+name: SAST
+
+on:
+ pull_request:
+ branches: ['*']
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+ security-events: write
+ id-token: write
+
+jobs:
+ codeql:
+ name: CodeQL
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: javascript-typescript
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
\ No newline at end of file
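Review bot: The workflow-level `permissions` block in the new sast.yml grants `id-token: write`, but none of the three steps in the `codeql` job requests an OIDC token, so runs on `main` and on same-repository pull requests can mint one for no visible purpose; the job removed from ci.yaml ran with `security-events: write` alone. Drop that line and keep only `contents: read` and `security-events: write`, ideally under `jobs.codeql.permissions` so a job added to this file later does not inherit upload rights. Separately, `branches: ['*']` under `pull_request` does not match base branches whose names contain `/` (a constructed example: `release/1.x`), so pull requests into them would skip the scan; `branches: ['**']` or omitting the filter covers them. Both actions are referenced by mutable tag (`@v4`), and pinning each to a full commit SHA would make the scanner's own supply chain auditable.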