diff --git a/.github/workflows/codeql-guard.yml b/.github/workflows/codeql-guard.yml
index 4e2526b..204423e 100644
--- a/.github/workflows/codeql-guard.yml
+++ b/.github/workflows/codeql-guard.yml
@@ -81,7 +81,19 @@ jobs:
 if [ "${repo}" = "evalops/.github" ] && [ "${path}" = ".github/workflows/codeql-guard.yml" ]; then
 continue
 fi
- hits+=("${repo}"$'\t'"${path}")
+ if ! content="$(
+ GH_TOKEN="${ORG_CODE_SEARCH_TOKEN}" gh api "repos/${repo}/contents/${path}" --jq '.content' |
+ base64 --decode
+ )"; then
+ echo "::warning::Could not verify ${repo}:${path}; preserving search hit."
+ hits+=("${repo}"$'\t'"${path}")
+ continue
+ fi
+ if grep -Eq '^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*github/codeql-action([/@]|[[:space:]]|$)' <<< "${content}"; then
+ hits+=("${repo}"$'\t'"${path}")
+ else
+ echo "::notice::Skipping stale or non-use search hit ${repo}:${path}"
+ fi
 done <<< "${response}"
 if [ "${#hits[@]}" -eq 0 ]; then
 echo "ok: no CodeQL workflow files found in any evalops repo"
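Review bot: The new verification fails open when `gh api` itself fails: the status of the `$( … | base64 --decode )` substitution is base64's, so a 404 or rate-limit error from `gh api` (plausible inside this per-hit loop) yields an empty `content`, the grep does not match, and the hit is dropped under the "::notice::Skipping stale" branch instead of being preserved under "::warning::" — unless this step already runs with `pipefail` (Actions sets it for an explicit `shell: bash`), which is outside the hunk. The same outcome occurs when the contents API returns no inline content (for example files above its inline size limit), so an empty body should be treated as unverifiable rather than as a non-use, e.g. before the grep: `if [ -z "${content}" ]; then echo "::warning::Empty content for ${repo}:${path}; preserving search hit."; hits+=("${repo}"$'\t'"${path}"); continue; fi`. Separately, the grep pattern does not accept a quoted value (`uses: "github/codeql-action/analyze@v3"` is valid YAML), so such a workflow would also be discarded; allowing an optional `["']?` after `uses:[[:space:]]*` closes that gap. The enclosing `while … done <<< "${response}"` loop starts outside the hunk.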