diff --git a/.github/workflows/contracts/chainloop-vault-codeql.yaml b/.github/workflows/contracts/chainloop-vault-codeql.yaml
index 0dadc0ad7..f002d5119 100644
--- a/.github/workflows/contracts/chainloop-vault-codeql.yaml
+++ b/.github/workflows/contracts/chainloop-vault-codeql.yaml
@@ -19,8 +19,11 @@ spec:
           check_author_verified: yes
         requirements:
           - chainloop-best-practices/commit-signed
+    materials:
+      - ref: owasp-top10-2025
   policyGroups:
     - ref: slsa-checks
       with:
         runner: GITHUB_ACTION
     - ref: sast
+    - ref: cwes