diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
index 839de66..665c049 100644
--- a/.gitea/workflows/security.yml
+++ b/.gitea/workflows/security.yml
@@ -10,4 +10,12 @@ on:
 jobs:
   scan:
     uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
+    with:
+      # MessageStore.cs uses string-interpolation in CommandText for table
+      # names and clause-joins that come from internal code constants, not
+      # user input. Values are bound via SqlParameter, the SQL surface is
+      # local-only inside a Dalamud plugin. Semgrep matches the pattern
+      # without dataflow, so it flags those eight call sites; CodeQL
+      # would not. Suppressed for this repo only.
+      semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli'
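Review bot: The `semgrep-exclude-rules` value on the last added line disables the SQLi rule for every C# file in the repository, while the comment above it justifies only eight call sites in MessageStore.cs, so any future interpolated `CommandText` elsewhere will go unreported. Prefer keeping the rule enabled and suppressing per site with `// nosemgrep: csharp.lang.security.sqli.csharp-sqli` on each flagged line (or a file-scoped exclusion for MessageStore.cs), so the justification stays next to the code it covers and new sites still get flagged. If the repo-wide exclusion stays, add a review trigger to the comment, e.g. `# Re-evaluate if any query text is ever derived from config, disk, or chat input.`, since "internal code constants" is the whole load-bearing assumption and is not visible from this workflow. Whether the called workflow actually declares a `semgrep-exclude-rules` input is not visible here; if it does not, the `with:` block will likely fail workflow validation rather than be silently ignored, so that should be confirmed on the first run. Separately, the unchanged `uses:` context line references the reusable workflow at `@main`, so the rule set and scanner version can change underneath this suppression; pinning to a commit SHA would make its scope reproducible, but that is a follow-up outside this change.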