diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 921f81ca..a577b387 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -25,6 +25,7 @@ jobs:
     timeout-minutes: 15
     permissions:
       contents: read
+      security-events: write
     env:
       TOXENV: ${{ matrix.name }}
     steps:
@@ -57,6 +58,13 @@ jobs:
       - name: Run tox
         run: tox
 
+      - name: Upload zizmor SARIF report into the GitHub repo code scanning
+        if: contains(matrix.name, 'linting')
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: zizmor.sarif
+          category: zizmor
+
       - name: Report coverage
         if: contains(matrix.name, 'coverage')
         uses: codecov/codecov-action@v5
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 2ed61128..a935769a 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -4,3 +4,4 @@ rules:
       policies:
         actions/*: ref-pin
         codecov/codecov-action: ref-pin
+        github/*: ref-pin
diff --git a/.gitignore b/.gitignore
index 35f1856e..27011bfa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@ _build
 *.egg
 # autogenerated by setuptools-scm
 /pytest_django/_version.py
+zizmor.sarif
diff --git a/tox.ini b/tox.ini
index ccd5e381..59d4cb57 100644
--- a/tox.ini
+++ b/tox.ini
@@ -48,7 +48,7 @@ commands =
     ruff check --diff {posargs:pytest_django pytest_django_test tests}
     ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests}
     mypy {posargs:pytest_django pytest_django_test tests}
-    zizmor --persona=pedantic .github/workflows/deploy.yml .github/workflows/main.yml
+    python -c "import subprocess, sys; sys.exit(subprocess.call('zizmor --persona=pedantic --format sarif .github/workflows/deploy.yml .github/workflows/main.yml > zizmor.sarif', shell=True))"
 
 [testenv:doc8]
 basepython = python3