diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml
index 3c030510..99bd79fd 100644
--- a/.github/workflows/ci-java.yml
+++ b/.github/workflows/ci-java.yml
@@ -18,6 +18,9 @@ jobs:
           distribution: 'temurin'
           java-version: '25'
           cache: 'maven'
+      # `verify` is the enforced quality gate: it runs unit + integration tests
+      # AND the spotbugs:check execution bound in pom.xml. Any of those
+      # failing breaks the build.
       - run: mvn clean verify -B
       - uses: actions/upload-artifact@v4
         if: always()
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
new file mode 100644
index 00000000..9dba522a
--- /dev/null
+++ b/dependency-check-suppressions.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  OWASP dependency-check suppressions for codeiq.
+
+  Policy: every entry MUST have a CVE id, a date, and a one-line rationale
+  explaining why the finding is not exploitable here (or what the mitigation
+  is). Suppressions are reviewed when CVE bumps drop into the lockfile.
+
+  Schema: https://jeremylong.github.io/DependencyCheck/general/suppression.html
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!-- intentionally empty - add suppressions here when triaged -->
+</suppressions>
diff --git a/pom.xml b/pom.xml
index 691566be..e8ae8ba2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -402,6 +402,13 @@
                 <configuration>
                     <excludeFilterFile>spotbugs-exclude.xml</excludeFilterFile>
                 </configuration>
+                <executions>
+                    <execution>
+                        <id>spotbugs-verify</id>
+                        <phase>verify</phase>
+                        <goals><goal>check</goal></goals>
+                    </execution>
+                </executions>
             </plugin>
 
             <plugin>