diff --git a/.github/actions/codeql-config.yml b/.github/actions/codeql-config.yml
new file mode 100644
index 000000000..05e309048
--- /dev/null
+++ b/.github/actions/codeql-config.yml
@@ -0,0 +1,6 @@
+paths:
+ - src/
+ - lib/
+paths-ignore:
+ - work/
+ - t/
diff --git a/.github/workflows/job-codeql-analyzer.yml b/.github/workflows/job-codeql-analyzer.yml
index 32bf1cd9e..724833866 100644
--- a/.github/workflows/job-codeql-analyzer.yml
+++ b/.github/workflows/job-codeql-analyzer.yml
@@ -40,6 +40,7 @@ jobs:
 uses: github/codeql-action/init@v2
 with:
 languages: ${{ inputs.language }}
+ config-file: ./.github/actions/codeql-config.yml
 - name: 'Setup cache - work/ dir'
 uses: actions/cache@v3
 if: ${{ !env.ACT }}
@@ -69,8 +70,9 @@ jobs:
 uses: advanced-security/filter-sarif@v1
 with:
 patterns: |
- -**/* # exclusion: DENY ALL
- src/**/* # inclusion
+ -**/* # exclusion: DENY ALL
+ +src/**/* # inclusion
+ +lib/**/* # inclusion
 input: sarif-results/${{ steps.sarif-filename.outputs.name }}.sarif
 output: sarif-results/${{ steps.sarif-filename.outputs.name }}.sarif
 - name: Upload SARIF
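Review bot: The new `paths` / `paths-ignore` lists in codeql-config.yml carry no comment on which languages they actually scope, while the workflow passes an arbitrary `inputs.language`. As far as I know, CodeQL honours these keys only when extracting interpreted languages; for a compiled language the analysed files follow the build, so this file would not narrow the scan there and the later SARIF filter would be the only thing limiting results. `work/` and `t/` also sit outside `src/` and `lib/`, so the `paths-ignore` entries look redundant unless they are kept deliberately as a safeguard. I would add a header comment such as `# Scan scope: src/ and lib/ only (interpreted languages); keep in sync with the filter-sarif patterns in job-codeql-analyzer.yml`.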
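Review bot: The added `config-file` value is a workspace-relative path, so it resolves only when the checked-out repository contains `.github/actions/codeql-config.yml`. The use of `inputs.language` suggests this job is a reusable workflow; if it is ever called from another repository the checkout is presumably the caller's, and the scan would then not get the intended scope. The action also accepts a remote `owner/repo/path@ref` reference for that case. The step list starts and ends outside the hunk, so I cannot confirm that a checkout precedes this step. A short comment above the line, e.g. `# path is relative to the checked-out workspace`, would make the dependency explicit.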
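Review bot: The allow-list under `patterns` now repeats the `paths` list from `.github/actions/codeql-config.yml`, and nothing ties the two together. Because the first pattern drops every result and only `src/` and `lib/` are re-admitted, an alert in any directory added later is discarded before upload with no visible signal. I would add a comment above the `patterns:` key, e.g. `# deny-all then allow-list; keep in sync with paths in .github/actions/codeql-config.yml`. The step continues past the end of the hunk.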