diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py b/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py
index e7ce646e9987..270ea1d073a8 100644
--- a/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py
+++ b/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py
@@ -94,7 +94,7 @@ def extract_cert_chain(pem_bytes: bytes) -> bytes:
 def load_pem_certificate(certificate_data: bytes, password: Optional[bytes] = None) -> _Cert:
     private_key = serialization.load_pem_private_key(certificate_data, password, backend=default_backend())
     cert = x509.load_pem_x509_certificate(certificate_data, default_backend())
-    fingerprint = cert.fingerprint(hashes.SHA1())  # nosec
+    fingerprint = cert.fingerprint(hashes.SHA1())  # nosec # CodeQL [SM02167] only used as a thumbprint/identifier
     return _Cert(certificate_data, private_key, fingerprint)
 
 
@@ -120,7 +120,7 @@ def load_pkcs12_certificate(certificate_data: bytes, password: Optional[bytes] =
     pem_sections = [key_bytes] + [c.public_bytes(Encoding.PEM) for c in [cert] + additional_certs]
     pem_bytes = b"".join(pem_sections)
 
-    fingerprint = cert.fingerprint(hashes.SHA1())  # nosec
+    fingerprint = cert.fingerprint(hashes.SHA1())  # nosec # CodeQL [SM02167] only used as a thumbprint/identifier
 
     return _Cert(pem_bytes, private_key, fingerprint)
 
diff --git a/sdk/identity/azure-identity/azure/identity/_internal/aadclient_certificate.py b/sdk/identity/azure-identity/azure/identity/_internal/aadclient_certificate.py
index 1a5a8a20d973..d5f9d5c031de 100644
--- a/sdk/identity/azure-identity/azure/identity/_internal/aadclient_certificate.py
+++ b/sdk/identity/azure-identity/azure/identity/_internal/aadclient_certificate.py
@@ -25,7 +25,7 @@ def __init__(self, pem_bytes: bytes, password: Optional[bytes] = None) -> None:
         self._private_key = private_key
 
         cert = x509.load_pem_x509_certificate(pem_bytes, default_backend())
-        fingerprint = cert.fingerprint(hashes.SHA1())  # nosec
+        fingerprint = cert.fingerprint(hashes.SHA1())  # nosec # CodeQL [SM02167] only used as a thumbprint/identifier
         sha256_fingerprint = cert.fingerprint(hashes.SHA256())
         self._thumbprint = base64.urlsafe_b64encode(fingerprint).decode("utf-8")
         self._sha256_thumbprint = base64.urlsafe_b64encode(sha256_fingerprint).decode("utf-8")