diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..c0bb005 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,31 @@ +name: "CodeQL" + +on: + # workflow_dispatch enables manual triggering of the workflow + workflow_dispatch: + schedule: + - cron: '54 0 * * 2' +env: + FAST_EMAIL: ${{ secrets.FAST_EMAIL }} + FAST_USER: ${{ secrets.FAST_USER }} + FAST_TOKEN: ${{ secrets.FAST_TOKEN }} + FAST_HTTPAUTH: ${{ secrets.FAST_HTTPAUTH }} + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: S24 static application security testing (SAST) action + uses: scout24/s24-sast-action@v1 + with: + languages: java + fast_user: ${{ env.FAST_USER }} + fast_token: ${{ env.FAST_TOKEN }} + java_version: '11' + diff --git a/src/main/java/dev/lsegal/jenkins/codebuilder/CodeBuilderCloud.java b/src/main/java/dev/lsegal/jenkins/codebuilder/CodeBuilderCloud.java index 39ba04f..0bf59a4 100644 --- a/src/main/java/dev/lsegal/jenkins/codebuilder/CodeBuilderCloud.java +++ b/src/main/java/dev/lsegal/jenkins/codebuilder/CodeBuilderCloud.java @@ -42,6 +42,7 @@ import hudson.slaves.Cloud; import hudson.slaves.NodeProvisioner; import hudson.slaves.NodeProvisioner.PlannedNode; + import hudson.util.ListBoxModel; import jenkins.model.Jenkins; import jenkins.model.JenkinsLocationConfiguration; @@ -79,6 +80,10 @@ public class CodeBuilderCloud extends Cloud { private String jenkinsUrl; private String jnlpImage; private String jnlpCommand; + + @CheckForNull + private String tunnel; + private int agentTimeout; private transient AWSCodeBuild client; @@ -187,6 +192,8 @@ public void setLabel(String label) { this.label = label; } + + /** * Getter for the field jenkinsUrl. * 
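Review bot: The step `uses: scout24/s24-sast-action@v1` pins a third-party action to a movable tag while the workflow hands it `FAST_USER` and `FAST_TOKEN` and grants `security-events: write`. Pinning to a full commit SHA, e.g. `uses: scout24/s24-sast-action@<full-commit-sha> # v1`, keeps a retagged release from running with those credentials. The workflow-level `env:` block also exports `FAST_EMAIL` and `FAST_HTTPAUTH` to every step, although the visible `with:` inputs never reference them. If the action does not read them from the environment, drop them; otherwise move the `env:` block onto the one step that needs it.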
@@ -260,6 +267,15 @@ public void setJnlpImage(String jnlpImage) { this.jnlpImage = jnlpImage; } + public String getTunnel() { + return tunnel; + } + + @DataBoundSetter + public void setTunnel(String tunnel) { + this.tunnel = tunnel; + } + /** * Getter for the field agentTimeout. * @@ -375,7 +391,7 @@ public synchronized Collection provision(Label label, int excessWor final String displayName = String.format("%s.cb-%s", projectName, suffix); final CodeBuilderCloud cloud = this; final Future nodeResolver = Computer.threadPoolForRemoting.submit(() -> { - CodeBuilderLauncher launcher = new CodeBuilderLauncher(cloud); + CodeBuilderLauncher launcher = new CodeBuilderLauncher(cloud, tunnel, null); CodeBuilderAgent agent = new CodeBuilderAgent(cloud, displayName, launcher); jenkins().addNode(agent); return agent; @@ -412,6 +428,8 @@ private static String getDefaultRegion() { } } + + @Extension public static class DescriptorImpl extends Descriptor { @Override diff --git a/src/main/java/dev/lsegal/jenkins/codebuilder/CodeBuilderLauncher.java b/src/main/java/dev/lsegal/jenkins/codebuilder/CodeBuilderLauncher.java index 34a9609..202e425 100644 --- a/src/main/java/dev/lsegal/jenkins/codebuilder/CodeBuilderLauncher.java +++ b/src/main/java/dev/lsegal/jenkins/codebuilder/CodeBuilderLauncher.java @@ -1,6 +1,9 @@ package dev.lsegal.jenkins.codebuilder; import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; import java.util.concurrent.TimeoutException; import javax.annotation.Nonnull; @@ -9,6 +12,8 @@ import com.amazonaws.services.codebuild.model.StartBuildRequest; import com.amazonaws.services.codebuild.model.StartBuildResult; +import com.iwombat.util.StringUtil; +import org.apache.commons.lang.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -18,6 +23,7 @@ import hudson.slaves.SlaveComputer; import hudson.util.StreamTaskListener; + /** * CodeBuilderLauncher class. * 
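Review bot: `setTunnel` stores whatever the configuration form submits, and that string is later appended to the agent command line in `CodeBuilderLauncher.buildspec`, so it should be normalised and checked here. Something like `this.tunnel = Util.fixEmptyAndTrim(tunnel);` (assuming `hudson.Util` is or can be imported in this file), plus a descriptor `doCheckTunnel` that accepts only the `host:port` forms the agent's `-tunnel` option understands, would keep whitespace and shell metacharacters out of the generated buildspec. The field is declared `@CheckForNull`, but `getTunnel()` is not annotated and neither accessor has the Javadoc that the neighbouring accessors carry. Suggest `@CheckForNull` on the getter and a comment such as `/** Getter for the field tunnel; null when no tunnel is configured. */`.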
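Review bot: `import com.iwombat.util.StringUtil;` is not used by anything in the visible hunks of `CodeBuilderLauncher.java`; the new code calls `org.apache.commons.lang.StringUtils` instead, so this looks like an IDE auto-import. If it compiles, it presumably does so only because some transitive dependency happens to ship that package, which ties the plugin's build to an artifact it never declared. The line should be removed.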
@@ -34,9 +40,11 @@ public class CodeBuilderLauncher extends JNLPLauncher { * Constructor for CodeBuilderLauncher. * * @param cloud a {@link CodeBuilderCloud} object. + * @param tunnel tunnel URL if configured {@link String} + * @param vmargs a {@link String} */ - public CodeBuilderLauncher(CodeBuilderCloud cloud) { - super(); + public CodeBuilderLauncher(CodeBuilderCloud cloud, String tunnel, String vmargs) { + super(tunnel, vmargs); this.cloud = cloud; } @@ -113,8 +121,21 @@ private String buildspec(@Nonnull SlaveComputer computer) { if (n == null) { return ""; } - String cmd = String.format("%s -noreconnect -workDir \"$CODEBUILD_SRC_DIR\" -url \"%s\" \"%s\" \"%s\"", - cloud.getJnlpCommand(), cloud.getJenkinsUrl(), computer.getJnlpMac(), n.getDisplayName()); + Collection command = new ArrayList(Arrays.asList( + "jenkins-agent", + "-noreconnect", + "-workDir", + "\"$CODEBUILD_SRC_DIR\"", + "-url", + String.format("\"%s\"", cloud.getJenkinsUrl()), + String.format("\"%s\"", computer.getJnlpMac()), + String.format("\"%s\"", n.getDisplayName()) + )); + if (StringUtils.isNotBlank(tunnel)) { + command.add("-tunnel"); + command.add(cloud.getTunnel()); + } + String cmd = String.join(" ", command); StringBuilder builder = new StringBuilder(); builder.append("version: 0.2\n"); builder.append("phases:\n"); diff --git a/src/main/resources/dev/lsegal/jenkins/codebuilder/CodeBuilderCloud/config.jelly b/src/main/resources/dev/lsegal/jenkins/codebuilder/CodeBuilderCloud/config.jelly index 90662aa..c4dfa2e 100644 --- a/src/main/resources/dev/lsegal/jenkins/codebuilder/CodeBuilderCloud/config.jelly +++ b/src/main/resources/dev/lsegal/jenkins/codebuilder/CodeBuilderCloud/config.jelly @@ -26,6 +26,10 @@ + + + + diff --git a/src/test/java/dev/lsegal/jenkins/codebuilder/CodeBuilderCloudTest.java b/src/test/java/dev/lsegal/jenkins/codebuilder/CodeBuilderCloudTest.java index 76ca36f..a2c59e7 100644 --- a/src/test/java/dev/lsegal/jenkins/codebuilder/CodeBuilderCloudTest.java 
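Review bot: The tunnel value is appended to the command unquoted (`command.add(cloud.getTunnel());`) while every other interpolated argument is wrapped in `\"%s\"`, and the list is then joined into a shell command for the buildspec, so a value with spaces or shell metacharacters changes what runs in the build container. Quote it like its neighbours, `command.add(String.format("\"%s\"", cloud.getTunnel()));`, and because double quotes still permit `$(...)` expansion, rely on validating the field in `CodeBuilderCloud` rather than on quoting alone. The guard tests the launcher's own `tunnel` but emits `cloud.getTunnel()`; both should read from the same source. The hard-coded `"jenkins-agent"` also replaces `cloud.getJnlpCommand()`, so a configured JNLP command is no longer honoured here; if that is not intended, keep `cloud.getJnlpCommand()` as the first element. `buildspec` starts above and continues below this hunk.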
+++ b/src/test/java/dev/lsegal/jenkins/codebuilder/CodeBuilderCloudTest.java @@ -13,7 +13,7 @@ public class CodeBuilderCloudTest { @Test public void initializes_correctly() throws InterruptedException { - CodeBuilderCloud cloud = new CodeBuilderCloud(null, "project", null, "us-west-2"); + CodeBuilderCloud cloud = new CodeBuilderCloud(null, "project", null, "local"); assertEquals("project", cloud.getProjectName()); assertEquals("codebuilder_0", cloud.getDisplayName()); assertNotNull(cloud.getClient());