diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fab63981..9f2f0a35 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -55,7 +55,7 @@ jobs:
         uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
         with:
           languages: ${{ matrix.language }}
-          queries: security-and-quality
+          queries: security-and-quality,security-experimental
           # Use CodeQL config to exclude documented false positives
           # Go: Excludes go/request-forgery for url_testing.go (has 4-layer SSRF defense)
           # See: .github/codeql/codeql-config.yml for full justification
@@ -118,7 +118,7 @@ jobs:
             echo "## 🔒 CodeQL Security Analysis Results"
             echo ""
             echo "**Language:** ${{ matrix.language }}"
-            echo "**Query Suite:** security-and-quality"
+            echo "**Query Suite:** security-and-quality + security-experimental"
             echo ""
           } >> "$GITHUB_STEP_SUMMARY"
 
diff --git a/scripts/ci/check-codeql-parity.sh b/scripts/ci/check-codeql-parity.sh
index b19b8735..65398067 100755
--- a/scripts/ci/check-codeql-parity.sh
+++ b/scripts/ci/check-codeql-parity.sh
@@ -118,12 +118,15 @@ ensure_event_branches_semantic \
   "push" \
   "branches: [main]" \
   "main" || fail "codeql.yml push branches must be [main]"
-grep -Fq 'queries: security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must pin init queries to security-and-quality"
+grep -Fq 'security-and-quality' "$CODEQL_WORKFLOW" || fail "codeql.yml must include security-and-quality in init queries"
+grep -Fq 'security-experimental' "$CODEQL_WORKFLOW" || fail "codeql.yml must include security-experimental in init queries (align with local scans)"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL Go Scan (CI-Aligned) [~60s]" "bash scripts/pre-commit-hooks/codeql-go-scan.sh" || fail "Missing or mismatched CI-aligned Go CodeQL task (label+command)"
 ensure_task_command "$TASKS_FILE" "Security: CodeQL JS Scan (CI-Aligned) [~90s]" "bash scripts/pre-commit-hooks/codeql-js-scan.sh" || fail "Missing or mismatched CI-aligned JS CodeQL task (label+command)"
 ! grep -Fq 'go-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated go-security-extended suite; use CI-aligned scripts"
 ! grep -Fq 'javascript-security-extended.qls' "$TASKS_FILE" || fail "tasks.json contains deprecated javascript-security-extended suite; use CI-aligned scripts"
 grep -Fq 'codeql/go-queries:codeql-suites/go-security-and-quality.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-and-quality suite"
+grep -Fq 'codeql/go-queries:codeql-suites/go-security-experimental.qls' "$GO_PRECOMMIT_SCRIPT" || fail "Go pre-commit script must use go-security-experimental suite (align with CI)"
 grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-and-quality suite"
+grep -Fq 'codeql/javascript-queries:codeql-suites/javascript-security-experimental.qls' "$JS_PRECOMMIT_SCRIPT" || fail "JS pre-commit script must use javascript-security-experimental suite (align with CI)"
 
-echo "CodeQL parity check passed (workflow triggers + suite pinning + local/pre-commit suite alignment)"
+echo "CodeQL parity check passed (workflow triggers + suite pinning [security-and-quality + security-experimental] + local/CI alignment)"
diff --git a/scripts/pre-commit-hooks/codeql-go-scan.sh b/scripts/pre-commit-hooks/codeql-go-scan.sh
index 6e962b29..81b9031b 100755
--- a/scripts/pre-commit-hooks/codeql-go-scan.sh
+++ b/scripts/pre-commit-hooks/codeql-go-scan.sh
@@ -28,11 +28,12 @@ codeql database create codeql-db-go \
   --overwrite
 
 echo ""
-echo "📊 Analyzing with security-and-quality suite..."
+echo "📊 Analyzing with security-and-quality + security-experimental suites..."
 ANALYZE_LOG=$(mktemp)
-# Analyze with CI-aligned suite
+# Analyze with CI-aligned suites (mirrors codeql.yml queries: security-and-quality,security-experimental)
 codeql database analyze codeql-db-go \
   codeql/go-queries:codeql-suites/go-security-and-quality.qls \
+  codeql/go-queries:codeql-suites/go-security-experimental.qls \
   --format=sarif-latest \
   --output=codeql-results-go.sarif \
   --sarif-add-baseline-file-info \
diff --git a/scripts/pre-commit-hooks/codeql-js-scan.sh b/scripts/pre-commit-hooks/codeql-js-scan.sh
index 8895d84a..d3949ef0 100755
--- a/scripts/pre-commit-hooks/codeql-js-scan.sh
+++ b/scripts/pre-commit-hooks/codeql-js-scan.sh
@@ -26,10 +26,11 @@ codeql database create codeql-db-js \
   --overwrite
 
 echo ""
-echo "📊 Analyzing with security-and-quality suite..."
-# Analyze with CI-aligned suite
+echo "📊 Analyzing with security-and-quality + security-experimental suites..."
+# Analyze with CI-aligned suites (mirrors codeql.yml queries: security-and-quality,security-experimental)
 codeql database analyze codeql-db-js \
   codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls \
+  codeql/javascript-queries:codeql-suites/javascript-security-experimental.qls \
   --format=sarif-latest \
   --output=codeql-results-js.sarif \
   --sarif-add-baseline-file-info \