diff --git a/.github/workflows/auto-dismiss-samples-alerts.yml b/.github/workflows/auto-dismiss-samples-alerts.yml
new file mode 100644
index 00000000000..73791b35da7
--- /dev/null
+++ b/.github/workflows/auto-dismiss-samples-alerts.yml
@@ -0,0 +1,63 @@
+name: Auto-dismiss security alerts in samples/
+
+on:
+  schedule:
+    - cron: '0 6 * * *' # daily at 06:00 UTC
+  workflow_dispatch:
+
+permissions:
+  security-events: write
+
+jobs:
+  dismiss:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dismiss Dependabot alerts in samples/
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          page=1
+          dismissed=0
+          while : ; do
+            response=$(gh api "repos/$GITHUB_REPOSITORY/dependabot/alerts?state=open&per_page=100&page=$page")
+            count=$(echo "$response" | jq 'length')
+            [ "$count" -eq 0 ] && break
+
+            while IFS= read -r number; do
+              gh api --method PATCH "repos/$GITHUB_REPOSITORY/dependabot/alerts/$number" \
+                -f state=dismissed \
+                -f dismissed_reason=tolerable_risk \
+                -f dismissed_comment="samples/ contains generated integration-test fixtures, not production code" \
+                --silent
+              echo "Dismissed Dependabot alert #$number"
+              ((dismissed++))
+            done < <(echo "$response" | jq -r '.[] | select(.dependency.manifest_path | startswith("samples/")) | .number | tostring')
+
+            ((page++))
+          done
+          echo "Total Dependabot alerts dismissed: $dismissed"
+
+      - name: Dismiss code scanning alerts in samples/
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          page=1
+          dismissed=0
+          while : ; do
+            response=$(gh api "repos/$GITHUB_REPOSITORY/code-scanning/alerts?state=open&per_page=100&page=$page")
+            count=$(echo "$response" | jq 'length')
+            [ "$count" -eq 0 ] && break
+
+            while IFS= read -r number; do
+              gh api --method PATCH "repos/$GITHUB_REPOSITORY/code-scanning/alerts/$number" \
+                -f state=dismissed \
+                -f dismissed_reason="used in tests" \
+                -f dismissed_comment="samples/ contains generated integration-test fixtures, not production code" \
+                --silent
+              echo "Dismissed code scanning alert #$number"
+              ((dismissed++))
+            done < <(echo "$response" | jq -r '.[] | select(.most_recent_instance.location.path | startswith("samples/")) | .number | tostring')
+
+            ((page++))
+          done
+          echo "Total code scanning alerts dismissed: $dismissed"
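Review bot: `((dismissed++))` in both `run` steps exits with status 1 when `dismissed` is 0 (post-increment yields the old value), and because Actions runs `run` steps under `bash -e` the step aborts right after the first alert it dismisses; replace it with `dismissed=$((dismissed + 1))` in both inner loops. The paging is also unsound: every iteration re-queries `state=open`, so once page 1's samples/ alerts are dismissed the remaining open alerts shift down and whatever moved onto page 1 is skipped when the loop advances to `page=2` — collect every matching `.number` across all pages first (e.g. `gh api --paginate`) and only then issue the PATCH calls. If `.dependency.manifest_path` or `.most_recent_instance.location.path` is ever null, `startswith` makes jq error out and the process substitution ends silently mid-page; writing `(.dependency.manifest_path // "")` and `(.most_recent_instance.location.path // "")` keeps the filter total. Finally, this mutes every open finding under `samples/` daily with no record beyond the job log, so anyone who can land a file under that prefix gets a standing dismissal; if the fixtures really are generated, excluding the path at scan time (CodeQL `paths-ignore`, a Dependabot `ignore` rule) is the more auditable control than dismissing after the fact.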