diff --git a/README.md b/README.md
index 5fbaffe..a5a6fed 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,11 @@ After successful apply, the `import` blocks can be removed in a follow-up PR (they're idempotent but only useful once). Next up (separate PRs): org Actions permissions, org-level settings, org -variables, per-repo labels and LICENSE files via `for_each`. +variables, per-repo labels and LICENSE files via `for_each`. CodeQL +default-setup across every public org repo is staged in +`code_scanning.tf` as a commented-out resource block pending upstream +[integrations/terraform-provider-github#3315](https://github.com/integrations/terraform-provider-github/pull/3315); +uncomment + bump the provider version when that PR ships. ## Layout
diff --git a/code_scanning.tf b/code_scanning.tf
new file mode 100644
index 0000000..fecacb4
--- /dev/null
+++ b/code_scanning.tf
@@ -0,0 +1,47 @@
+# CodeQL default-setup — pending upstream provider support.
+#
+# Code scanning default-setup is FREE on public repos (no GHAS license
+# consumed). Enabling it across every public org repo with a supported
+# language is the goal; this file is the placeholder that becomes the
+# canonical config once integrations/terraform-provider-github exposes the
+# resource.
+#
+# Status as of 2026-06-04: the resource does NOT exist in the provider yet.
+# `integrations/github` ~> 6.0's `security_and_analysis` block covers
+# advanced_security, code_security (paid GHAS), secret_scanning, push
+# protection, AI detection, and non-provider patterns — but not the free
+# CodeQL default-setup endpoint.
+#
+# Upstream: https://github.com/integrations/terraform-provider-github/pull/3315
+# (feat: Add github_repository_code_scanning_default_setup resource).
+# Opened 2026-04-01 by oda251. Adds the resource with the schema below.
+#
+# When that PR merges and ships in a tagged release:
+#
+# 1. Bump `version = "~> 6.X"` in versions.tf to the release that includes it.
+# 2. Uncomment the data + resource blocks below.
+# 3. `tofu apply` — for_each fans out across every public, non-archived,
+# non-fork org repo. The provider's underlying API will return success
+# on repos with a supported language and a clear error on repos
+# without one; refine the query if necessary, or filter via a follow-up
+# data lookup once the provider exposes `languages` reliably.
+#
+# Cost impact (per AGENTS.md "Cost policy"): $0. Code scanning is FREE on
+# public repos and the data source's `visibility:public` filter is the safety
+# belt — no private repo can land in the for_each.
+#
+# data "github_repositories" "public_for_codeql" {
+# query = "org:dryvist archived:false fork:false visibility:public"
+# }
+#
+# resource "github_repository_code_scanning_default_setup" "codeql" {
+# for_each = toset(data.github_repositories.public_for_codeql.names)
+#
+# repository = each.value
+# state = "configured"
+# query_suite = "default"
+#
+# # `languages` is Optional/Computed in the upstream schema — let the
+# # provider auto-detect from the repo's contents. Set explicitly only
+# # for repos where a subset is desired.
+# }
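Review bot: The `for_each` set in the commented-out `codeql` resource is recomputed from the search query on every plan, so a repo that is made private, archived, or re-flagged as a fork drops out of `public_for_codeql.names` and the next run plans a destroy of its instance; if the upstream resource's Delete maps to `state = "not-configured"` (worth confirming in that PR before this is uncommented), scanning would be switched off on that repo at the moment it stops being public. The header documents `visibility:public` only as protection against private repos being added, so the removal side should be spelled out too, e.g. under `for_each` add `# NOTE: a repo leaving the query set plans a destroy — confirm what the provider's Delete does before relying on this.` Step 3 should also state that a per-instance API error (a repo with no supported language) makes the whole `tofu apply` exit non-zero even though the instances that succeeded are kept in state, so a CI-driven pipeline will keep failing on every run until those repos are excluded from the query. Lastly, `github_repositories` is backed by the search API, which as far as I recall caps results at 1000, so a large org could get a truncated set without an obvious error; a one-line comment on the data block flagging that limit is enough for now.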