diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000..4cbfc309
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,26 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ master ]
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v2
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: 'go'
+
+ - name: CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
diff --git a/array.go b/array.go
index 7806a31f..39c8f7e2 100644
--- a/array.go
+++ b/array.go
@@ -587,8 +587,8 @@ func (a *Int32Array) scanBytes(src []byte) error {
 } else {
 b := make(Int32Array, len(elems))
 for i, v := range elems {
- var x int
- if x, err = strconv.Atoi(string(v)); err != nil {
+ x, err := strconv.ParseInt(string(v), 10, 32)
+ if err != nil {
 return fmt.Errorf("pq: parsing array element index %d: %v", i, err)
 }
 b[i] = int32(x)
diff --git a/encode.go b/encode.go
index 51c143ee..210b1ec3 100644
--- a/encode.go
+++ b/encode.go
@@ -559,7 +559,7 @@ func parseBytea(s []byte) (result []byte, err error) {
 if len(s) < 4 {
 return nil, fmt.Errorf("invalid bytea sequence %v", s)
 }
- r, err := strconv.ParseInt(string(s[1:4]), 8, 9)
+ r, err := strconv.ParseUint(string(s[1:4]), 8, 8)
 if err != nil {
 return nil, fmt.Errorf("could not parse bytea value: %s", err.Error())
 }
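Review bot: Nothing in the array.go hunk records why the bit size matters, and no regression test is visible in this diff for either parsing change. In `scanBytes`, a one-line comment above the new call, such as `// bitSize 32: reject values outside int32 instead of truncating in int32(x) below`, would keep a later edit from reverting to `Atoi`. The same applies to `parseBytea` in encode.go, e.g. `// ParseUint with bitSize 8: an octal escape must be unsigned and fit in one byte`. A test case for each (an array element just past the int32 maximum, and a bytea escape above `\377`) would pin the rejection behaviour. Both function bodies extend outside their hunks, so this is based only on the lines shown.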