diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java b/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
index c4d1b9214..9e239c5d2 100644
--- a/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
+++ b/src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java
@@ -1812,7 +1812,9 @@ else if (con.getTrustManagerClass() != null) {
             if (logger.isLoggable(Level.FINEST))
                 logger.finest(toString() + " Initializing SSL context");
 
-            sslContext.init(km, tm, null);
+            sslContext.init(km, tm, null); // CodeQL [SM03853] Potential all-accepting TrustManager is by design
+            // Permissive trust manager allows minimum encryption of credentials even when trusted certificates
+            // aren't provisioned on the server.
 
             // Got the SSL context. Now create an SSL socket over our own proxy socket
             // which we can toggle between TDS-encapsulated and raw communications.