diff --git a/.github/workflows/notification-service.yml b/.github/workflows/notification-service.yml
index 24677b7..29acecd 100644
--- a/.github/workflows/notification-service.yml
+++ b/.github/workflows/notification-service.yml
@@ -38,39 +38,7 @@ jobs:
 - name: Build & test (SpotBugs included via verify)
 run: mvn verify -q
 
- # ── 2. SAST – CodeQL ─────────────────────────────────────────────────────────
- sast-codeql:
- name: SAST – CodeQL
- runs-on: ubuntu-latest
- permissions:
- contents: read
- security-events: write
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Setup Java 17
- uses: actions/setup-java@v4
- with:
- java-version: 17
- distribution: temurin
- cache: maven
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: java
- queries: security-and-quality
-
- - name: Build for CodeQL
- run: mvn compile -q -f notification_service/pom.xml
-
- - name: Analyze
- uses: github/codeql-action/analyze@v3
- with:
- category: /language:java
-
- # ── 3. Dependency vulnerability scan (OWASP) ─────────────────────────────────
+ # ── 2. Dependency vulnerability scan (OWASP) ─────────────────────────────────
 dependency-check:
 name: Dependency vulnerability scan
 runs-on: ubuntu-latest
@@ -150,7 +118,7 @@ jobs:
 docker:
 name: Docker build & push
 runs-on: ubuntu-latest
- needs: [ci, sast-codeql, dast]
+ needs: [ci, dast]
 if: github.ref == 'refs/heads/main'
 outputs:
 sha_tag: ${{ steps.tag.outputs.sha }}
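Review bot: With `sast-codeql` dropped from `needs:` in the `docker` job, image pushes from `main` are gated only by `ci` and `dast`, and nothing in this commit replaces the CodeQL job removed in the first hunk (SpotBugs via `mvn verify` is the only static analysis still visible). If CodeQL now runs elsewhere, such as a separate workflow or default setup, record that next to the job list with a comment like `# CodeQL runs in <other workflow>; not a gate for docker`; otherwise the static-analysis gate on image publication is lost. The `dependency-check` job is also absent from `needs:`, so unless `dast` depends on it (not visible here) a failed dependency scan would not block the push; consider `needs: [ci, dependency-check, dast]`. The `docker` job continues outside the hunk.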