diff --git a/.github/skills/security-scan-codeql-scripts/run.sh b/.github/skills/security-scan-codeql-scripts/run.sh
index 6fda60a0..033baf60 100755
--- a/.github/skills/security-scan-codeql-scripts/run.sh
+++ b/.github/skills/security-scan-codeql-scripts/run.sh
@@ -95,6 +95,7 @@ run_codeql_scan() {
     local source_root=$2
     local db_name="codeql-db-${lang}"
     local sarif_file="codeql-results-${lang}.sarif"
+    local suite=""
     local build_mode_args=()
     local codescanning_config="${PROJECT_ROOT}/.github/codeql/codeql-config.yml"
 
@@ -107,6 +108,9 @@ run_codeql_scan() {
 
     if [[ "${lang}" == "javascript" ]]; then
         build_mode_args=(--build-mode=none)
+        suite="codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls"
+    else
+        suite="codeql/go-queries:codeql-suites/go-security-and-quality.qls"
     fi
 
     log_step "CODEQL" "Scanning ${lang} code in ${source_root}/"
@@ -135,8 +139,9 @@ run_codeql_scan() {
     fi
 
     # Run analysis
-    log_info "Analyzing with Code Scanning config (CI-aligned query filters)..."
+    log_info "Analyzing with CI-aligned suite: ${suite}"
     if ! codeql database analyze "${db_name}" \
+        "${suite}" \
         --format=sarif-latest \
         --output="${sarif_file}" \
         --sarif-add-baseline-file-info \
diff --git a/.github/skills/security-scan-codeql.SKILL.md b/.github/skills/security-scan-codeql.SKILL.md
index 741068c8..c65382fe 100644
--- a/.github/skills/security-scan-codeql.SKILL.md
+++ b/.github/skills/security-scan-codeql.SKILL.md
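Review bot: In the second hunk the `else` branch makes every language other than javascript use the Go suite, so a mistyped or newly added `lang` value (the parameter is set by a caller outside the hunk) would run the Go queries against the wrong database instead of failing where the misconfiguration is. A `case` over `${lang}` with an explicit error arm keeps the two supported suites and turns the silent default into a hard failure; the rewrite is below. In the third hunk the pack-qualified suite is passed positionally to `codeql database analyze`; if the invocation, which continues past the hunk, does not already pass `--download`, a cold package cache fails at analysis time, so confirm the pack is resolved beforehand. `codescanning_config` is still declared in the first hunk while the log message no longer mentions the Code Scanning config; if the analyze command no longer consumes it, drop the declaration.
```shell
    # Select build mode and the CI-aligned query suite per language;
    # fail loudly for anything not covered instead of defaulting to Go.
    case "${lang}" in
        javascript)
            build_mode_args=(--build-mode=none)
            suite="codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls"
            ;;
        go)
            suite="codeql/go-queries:codeql-suites/go-security-and-quality.qls"
            ;;
        *)
            printf 'run_codeql_scan: unsupported language %s\n' "${lang}" >&2
            return 1
            ;;
    esac
    # … unchanged: log_step and the database create/analyze steps …
```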
@@ -136,8 +136,8 @@ This skill uses the **security-and-quality** suite to match CI:
 
 | Language | Suite | Queries | Coverage |
 |----------|-------|---------|----------|
-| Go | go-security-and-quality.qls | 61 | Security + quality issues |
-| JavaScript | javascript-security-and-quality.qls | 204 | Security + quality issues |
+| Go | go-security-and-quality.qls | version-dependent | Security + quality issues |
+| JavaScript | javascript-security-and-quality.qls | version-dependent | Security + quality issues |
 
 **Note:** This matches GitHub Actions CodeQL default configuration exactly.
 
@@ -260,8 +260,7 @@ This skill is specifically designed to match GitHub Actions CodeQL workflow:
 
 | Parameter | Local | CI | Aligned |
 |-----------|-------|-----|---------|
 | Query Suite | security-and-quality | security-and-quality | ✅ |
-| Go Queries | 61 | 61 | ✅ |
-| JS Queries | 204 | 204 | ✅ |
+| Query Expansion | version-dependent | version-dependent | ✅ (when versions match) |
 | Threading | auto | auto | ✅ |
 | Baseline Info | enabled | enabled | ✅ |
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index 76120471..c8eef9be 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -501,14 +501,14 @@
         {
             "label": "Security: CodeQL Go Scan (DEPRECATED)",
             "type": "shell",
-            "command": "codeql database create codeql-db-go --language=go --source-root=backend --overwrite && codeql database analyze codeql-db-go /projects/codeql/codeql/go/ql/src/codeql-suites/go-security-extended.qls --format=sarif-latest --output=codeql-results-go.sarif",
+            "command": "bash scripts/pre-commit-hooks/codeql-go-scan.sh",
             "group": "test",
             "problemMatcher": []
         },
         {
             "label": "Security: CodeQL JS Scan (DEPRECATED)",
             "type": "shell",
-            "command": "codeql database create codeql-db-js --language=javascript --source-root=frontend --overwrite && codeql database analyze codeql-db-js /projects/codeql/codeql/javascript/ql/src/codeql-suites/javascript-security-extended.qls --format=sarif-latest --output=codeql-results-js.sarif",
+            "command": "bash scripts/pre-commit-hooks/codeql-js-scan.sh",
             "group": "test",
             "problemMatcher": []
         },
diff --git a/scripts/ci/check-codeql-parity.sh b/scripts/ci/check-codeql-parity.sh
index e4ae25b9..e2928186 100755
--- a/scripts/ci/check-codeql-parity.sh
+++ b/scripts/ci/check-codeql-parity.sh
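Review bot: Both DEPRECATED tasks now run exactly the commands that check-codeql-parity.sh requires of the `(CI-Aligned)` tasks (`bash scripts/pre-commit-hooks/codeql-go-scan.sh` and `bash scripts/pre-commit-hooks/codeql-js-scan.sh`), so tasks.json carries two labels per action with no behavioural difference left. Either remove the two deprecated entries, since the parity check in this same commit already rejects the old `*-security-extended.qls` suites and nothing visible depends on the deprecated labels, or make the label point the user at the replacement, e.g. `"label": "Security: CodeQL Go Scan (DEPRECATED, use CI-Aligned)"`. If they stay, a short comment in the commit description naming the removal date would stop them from surviving indefinitely.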
@@ -121,6 +121,8 @@ ensure_event_branches_semantic \
 grep -Fq 'queries: security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must pin init queries to security-and-quality"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL Go Scan (CI-Aligned) [~60s]" "bash scripts/pre-commit-hooks/codeql-go-scan.sh" || fail "Missing or mismatched CI-aligned Go CodeQL task (label+command)"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL JS Scan (CI-Aligned) [~90s]" "bash scripts/pre-commit-hooks/codeql-js-scan.sh" || fail "Missing or mismatched CI-aligned JS CodeQL task (label+command)"
+! grep -Fq 'go-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated go-security-extended suite; use CI-aligned scripts"
+! grep -Fq 'javascript-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated javascript-security-extended suite; use CI-aligned scripts"
 grep -Fq 'codeql/go-queries:codeql-suites/go-security-and-quality.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-and-quality suite"
 grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-and-quality suite"
 
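Review bot: The two added negative checks pass silently when `$TASKS_FILE` cannot be read, because `grep -Fq` exits 2 on a missing or unreadable file and the leading `!` turns that into success. The preceding `ensure_task_command` lines presumably fail first in that case, but a guard should not depend on the order of its neighbours; a plain `if grep -Fq 'go-security-extended.qls' "$TASKS_FILE"; then fail "..."; fi` reads as the condition it is, or add `[[ -r "$TASKS_FILE" ]] || fail "tasks.json not readable"` once before this block. A one-line comment above the pair would also explain why these literals matter, e.g. `# regression guard: the DEPRECATED tasks used to invoke the *-security-extended.qls suites directly`.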