diff --git a/images/linux/scripts/SoftwareReport/SoftwareReport.Generator.ps1 b/images/linux/scripts/SoftwareReport/SoftwareReport.Generator.ps1
index 73a8d63e7..7e6db3743 100644
--- a/images/linux/scripts/SoftwareReport/SoftwareReport.Generator.ps1
+++ b/images/linux/scripts/SoftwareReport/SoftwareReport.Generator.ps1
@@ -77,6 +77,7 @@ $toolsList = @(
     (Get-AzCopy10Version),
     (Get-BazelVersion),
     (Get-BazeliskVersion),
+    (Get-CodeQLBundleVersion),
     (Get-CMakeVersion),
     (Get-CurlVersion),
     (Get-DockerMobyVersion),
diff --git a/images/linux/scripts/SoftwareReport/SoftwareReport.Tools.psm1 b/images/linux/scripts/SoftwareReport/SoftwareReport.Tools.psm1
index dcb121f61..363b4adbf 100644
--- a/images/linux/scripts/SoftwareReport/SoftwareReport.Tools.psm1
+++ b/images/linux/scripts/SoftwareReport/SoftwareReport.Tools.psm1
@@ -28,6 +28,14 @@ function Get-BazeliskVersion {
     return "Bazelisk $bazeliskVersion"
 }
 
+function Get-CodeQLBundleVersion {
+    $CodeQLVersionsWildcard = Join-Path $Env:AGENT_TOOLSDIRECTORY -ChildPath "codeql" | Join-Path -ChildPath "*"
+    $CodeQLVersionPath = Get-ChildItem $CodeQLVersionsWildcard | Select-Object -First 1 -Expand FullName
+    $CodeQLPath = Join-Path $CodeQLVersionPath -ChildPath "x64" | Join-Path -ChildPath "codeql" | Join-Path -ChildPath "codeql"
+    $CodeQLVersion = & $CodeQLPath version --quiet
+    return "CodeQL Action Bundle $CodeQLVersion"
+}
+
 function Get-PodManVersion {
     $podmanVersion = podman --version | Take-OutputPart -Part 2
     return "Podman $podmanVersion"
diff --git a/images/linux/scripts/installers/codeql-bundle.sh b/images/linux/scripts/installers/codeql-bundle.sh
new file mode 100644
index 000000000..9de8a5e41
--- /dev/null
+++ b/images/linux/scripts/installers/codeql-bundle.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+################################################################################
+##  File:  codeql-bundle.sh
+##  Desc:  Install the CodeQL CLI Bundle to the toolcache.
+################################################################################
+
+source $HELPER_SCRIPTS/install.sh
+
+# Retrieve the name of the CodeQL bundle preferred by the Action (in the format codeql-bundle-YYYYMMDD).
+codeql_bundle_name="$(curl -sSL https://raw.githubusercontent.com/github/codeql-action/main/src/defaults.json | jq -r .bundleVersion)"
+# Convert the bundle name to a version number (0.0.0-YYYYMMDD).
+codeql_bundle_version="0.0.0-${codeql_bundle_name##*-}"
+
+extraction_directory="$AGENT_TOOLSDIRECTORY/CodeQL/$codeql_bundle_version/x64"
+mkdir -p "$extraction_directory"
+
+echo "Downloading CodeQL bundle $codeql_bundle_version..."
+download_with_retries "https://github.com/github/codeql-action/releases/download/$codeql_bundle_name/codeql-bundle.tar.gz" "/tmp" "codeql-bundle.tar.gz"
+tar -xzf "/tmp/codeql-bundle.tar.gz" -C "$extraction_directory"
+
+# Touch a special file that indicates to the CodeQL Action that this bundle was baked-in to the hosted runner images.
+touch "$extraction_directory/pinned-version"
+
+# Touch a file to indicate to the toolcache that setting up CodeQL is complete.
+touch "$extraction_directory.complete"
+
+# Test that the tool has been extracted successfully.
+"$AGENT_TOOLSDIRECTORY/CodeQL/$codeql_bundle_version/x64/codeql/codeql" version
diff --git a/images/linux/ubuntu1604.json b/images/linux/ubuntu1604.json
index 3aa477cb6..e770f2f08 100644
--- a/images/linux/ubuntu1604.json
+++ b/images/linux/ubuntu1604.json
@@ -150,6 +150,7 @@
                 "{{template_dir}}/scripts/installers/clang.sh",
                 "{{template_dir}}/scripts/installers/swift.sh",
                 "{{template_dir}}/scripts/installers/cmake.sh",
+                "{{template_dir}}/scripts/installers/codeql-bundle.sh",
                 "{{template_dir}}/scripts/installers/docker-compose.sh",
                 "{{template_dir}}/scripts/installers/docker-moby.sh",
                 "{{template_dir}}/scripts/installers/dotnetcore-sdk.sh",
diff --git a/images/linux/ubuntu1804.json b/images/linux/ubuntu1804.json
index a5b71c07b..7dcb51df1 100644
--- a/images/linux/ubuntu1804.json
+++ b/images/linux/ubuntu1804.json
@@ -152,6 +152,7 @@
                 "{{template_dir}}/scripts/installers/clang.sh",
                 "{{template_dir}}/scripts/installers/swift.sh",
                 "{{template_dir}}/scripts/installers/cmake.sh",
+                "{{template_dir}}/scripts/installers/codeql-bundle.sh",
                 "{{template_dir}}/scripts/installers/containers.sh",
                 "{{template_dir}}/scripts/installers/docker-compose.sh",
                 "{{template_dir}}/scripts/installers/docker-moby.sh",
diff --git a/images/linux/ubuntu2004.json b/images/linux/ubuntu2004.json
index c2a1bd561..335144f0c 100644
--- a/images/linux/ubuntu2004.json
+++ b/images/linux/ubuntu2004.json
@@ -154,6 +154,7 @@
                 "{{template_dir}}/scripts/installers/clang.sh",
                 "{{template_dir}}/scripts/installers/swift.sh",
                 "{{template_dir}}/scripts/installers/cmake.sh",
+                "{{template_dir}}/scripts/installers/codeql-bundle.sh",
                 "{{template_dir}}/scripts/installers/containers.sh",
                 "{{template_dir}}/scripts/installers/docker-compose.sh",
                 "{{template_dir}}/scripts/installers/docker-moby.sh",
diff --git a/images/win/Windows2016-Azure.json b/images/win/Windows2016-Azure.json
index 7d44d22d9..481a3ce80 100644
--- a/images/win/Windows2016-Azure.json
+++ b/images/win/Windows2016-Azure.json
@@ -320,7 +320,8 @@
                 "{{ template_dir }}/scripts/Installers/Install-KubernetesCli.ps1",
                 "{{ template_dir }}/scripts/Installers/Install-Kind.ps1",
                 "{{ template_dir }}/scripts/Installers/Install-MongoDB.ps1",
-                "{{ template_dir }}/scripts/Installers/Install-GoogleCloudSDK.ps1"
+                "{{ template_dir }}/scripts/Installers/Install-GoogleCloudSDK.ps1",
+                "{{ template_dir }}/scripts/Installers/Install-CodeQLBundle.ps1"
             ]
         },
         {
diff --git a/images/win/Windows2019-Azure.json b/images/win/Windows2019-Azure.json
index d519c0039..10c5cdd57 100644
--- a/images/win/Windows2019-Azure.json
+++ b/images/win/Windows2019-Azure.json
@@ -318,7 +318,8 @@
                 "{{ template_dir }}/scripts/Installers/Install-AliyunCli.ps1",
                 "{{ template_dir }}/scripts/Installers/Install-RootCA.ps1",
                 "{{ template_dir }}/scripts/Installers/Install-MongoDB.ps1",
-                "{{ template_dir }}/scripts/Installers/Install-GoogleCloudSDK.ps1"
+                "{{ template_dir }}/scripts/Installers/Install-GoogleCloudSDK.ps1",
+                "{{ template_dir }}/scripts/Installers/Install-CodeQLBundle.ps1"
             ]
         },
         {
diff --git a/images/win/scripts/Installers/Install-CodeQLBundle.ps1 b/images/win/scripts/Installers/Install-CodeQLBundle.ps1
new file mode 100644
index 000000000..d9f273775
--- /dev/null
+++ b/images/win/scripts/Installers/Install-CodeQLBundle.ps1
@@ -0,0 +1,28 @@
+################################################################################
+##  File:  Install-CodeQLBundle.ps1
+##  Desc:  Install the CodeQL CLI Bundle to the toolcache.
+################################################################################
+
+# Retrieve the name of the CodeQL bundle preferred by the Action (in the format codeql-bundle-YYYYMMDD).
+$CodeQLBundleName = (Invoke-RestMethod "https://raw.githubusercontent.com/github/codeql-action/main/src/defaults.json").bundleVersion
+# Convert the bundle name to a version number (0.0.0-YYYYMMDD).
+$CodeQLBundleVersion = "0.0.0-" + $CodeQLBundleName.split("-")[-1]
+
+$ExtractionDirectory = Join-Path $Env:AGENT_TOOLSDIRECTORY -ChildPath "CodeQL" | Join-Path -ChildPath $CodeQLBundleVersion | Join-Path -ChildPath "x64"
+New-Item -Path $ExtractionDirectory -ItemType Directory -Force | Out-Null
+
+Write-Host "Downloading CodeQL bundle $CodeQLBundleVersion..."
+$CodeQLBundlePath = Start-DownloadWithRetry -Url "https://github.com/github/codeql-action/releases/download/$CodeQLBundleName/codeql-bundle.tar.gz" -Name "codeql-bundle.tar.gz"
+$DownloadDirectoryPath = (Get-Item $CodeQLBundlePath).Directory.FullName
+Extract-7Zip -Path $CodeQLBundlePath -DestinationPath $DownloadDirectoryPath
+$UnGzipedCodeQLBundlePath = Join-Path $DownloadDirectoryPath "codeql-bundle.tar"
+Extract-7Zip -Path $UnGzipedCodeQLBundlePath -DestinationPath $ExtractionDirectory
+
+# Touch a special file that indicates to the CodeQL Action that this bundle was baked-in to the hosted runner images.
+New-Item -ItemType file (Join-Path $ExtractionDirectory -ChildPath "pinned-version")
+
+# Touch a file to indicate to the toolcache that setting up CodeQL is complete.
+New-Item -ItemType file "$ExtractionDirectory.complete"
+
+# Test that the tool has been extracted successfully.
+Invoke-PesterTests -TestFile "Tools" -TestName "CodeQLBundle"
diff --git a/images/win/scripts/SoftwareReport/SoftwareReport.Generator.ps1 b/images/win/scripts/SoftwareReport/SoftwareReport.Generator.ps1
index 1aad21f29..28a07dce9 100644
--- a/images/win/scripts/SoftwareReport/SoftwareReport.Generator.ps1
+++ b/images/win/scripts/SoftwareReport/SoftwareReport.Generator.ps1
@@ -77,6 +77,7 @@ $markdown += New-MDList -Style Unordered -Lines @(
     (Get-BazelVersion),
     (Get-BazeliskVersion),
     (Get-CMakeVersion),
+    (Get-CodeQLBundleVersion),
     (Get-RVersion),
     (Get-DockerVersion),
     (Get-DockerComposeVersion),
diff --git a/images/win/scripts/SoftwareReport/SoftwareReport.Tools.psm1 b/images/win/scripts/SoftwareReport/SoftwareReport.Tools.psm1
index 760b03d3c..85c73c151 100644
--- a/images/win/scripts/SoftwareReport/SoftwareReport.Tools.psm1
+++ b/images/win/scripts/SoftwareReport/SoftwareReport.Tools.psm1
@@ -30,6 +30,14 @@ function Get-CMakeVersion {
     return "CMake $cmakeVersion"
 }
 
+function Get-CodeQLBundleVersion {
+    $CodeQLVersionsWildcard = Join-Path $Env:AGENT_TOOLSDIRECTORY -ChildPath "codeql" | Join-Path -ChildPath "*"
+    $CodeQLVersionPath = Get-ChildItem $CodeQLVersionsWildcard | Select-Object -First 1 -Expand FullName
+    $CodeQLPath = Join-Path $CodeQLVersionPath -ChildPath "x64" | Join-Path -ChildPath "codeql" | Join-Path -ChildPath "codeql.exe"
+    $CodeQLVersion = $($CodeQLPath version --quiet)
+    return "CodeQL Action Bundle $CodeQLVersion"
+}
+
 function Get-DockerVersion {
     $dockerVersion = $(docker version --format "{{.Server.Version}}")
     return "Docker $dockerVersion"
diff --git a/images/win/scripts/Tests/Tools.Tests.ps1 b/images/win/scripts/Tests/Tools.Tests.ps1
index f4938bbb2..cbb0609a5 100644
--- a/images/win/scripts/Tests/Tools.Tests.ps1
+++ b/images/win/scripts/Tests/Tools.Tests.ps1
@@ -41,6 +41,15 @@ Describe "CMake" {
     }
 }
 
+Describe "CodeQLBundle" {
+    It "CodeQLBundle" {
+        $CodeQLVersionsWildcard = Join-Path $Env:AGENT_TOOLSDIRECTORY -ChildPath "codeql" | Join-Path -ChildPath "*"
+        $CodeQLVersionPath = Get-ChildItem $CodeQLVersionsWildcard | Select-Object -First 1 -Expand FullName
+        $CodeQLPath = Join-Path $CodeQLVersionPath -ChildPath "x64" | Join-Path -ChildPath "codeql" | Join-Path -ChildPath "codeql.exe"
+        "$CodeQLPath version" | Should -ReturnZeroExitCode
+    }
+}
+
 Describe "R" {
     It "Rscript" {
         "Rscript --version" | Should -ReturnZeroExitCode