diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index 9695e17d..c8d68147 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,5 +1,12 @@
 name: wowee-codeql-config
+# Skip vendored third-party libraries. We do not modify upstream code in
+# extern/ (ImGui, miniaudio, stb_*, etc.) — those projects own their own
+# triage and accepting CodeQL findings there blocks our update path and
+# drowns out signal in our own code.
+paths-ignore:
+ - extern
+
 # The WoW client protocol (world-socket header cipher) and Warden anti-cheat
 # module protocol both mandate RC4. There is no way to replace RC4 with a
 # stronger algorithm without breaking compatibility with all supported servers.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6e5f63af..e1c6a25b 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -88,6 +88,7 @@ jobs:
 semgrep scan \
 --config p/security-audit \
 --config p/secrets \
+ --exclude extern \
 --error
 sanitizer-build:
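Review bot: The new `paths-ignore` comment reads as if CodeQL will stop looking at extern/, but for compiled languages such as the C/C++ this project appears to build, CodeQL documents `paths`/`paths-ignore` as a filter on where alerts are reported, not on what gets built or traced; an alert whose location falls inside a vendored decoder that this code feeds network packets or asset files to is simply dropped. That is an acceptable trade, but it removes the one automated check on those libraries, so the comment should also say where the pinned upstream versions are tracked so advisories against them are still caught some other way. Suggested addition to the comment block: `# Note: for C/C++ this only suppresses alerts located under extern/; the code is still compiled and data flow through it is still analysed. Upstream versions are recorded in <UPSTREAM-VERSION-MANIFEST>.` (replace the placeholder with the project's actual manifest or notes file). The hunk header counts also suggest a blank context line after `name:` was lost in the copy of this diff, which does not affect the review.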
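Review bot: The `--exclude extern` argument added to the semgrep scan is, as far as I recall semgrep's CLI, a glob matched against any file or directory name in the path rather than a repo-root path, so it is broader than the `paths-ignore: - extern` entry the same commit adds to the CodeQL config and would also silence findings in any nested directory that happens to be named extern. Worth confirming against a run with `--verbose` (semgrep lists skipped paths) and, if the narrower scope is wanted, moving the exclusion to a `.semgrepignore` entry so the two tools' scanning scope is defined in one reviewable place. Either way the workflow side carries no rationale while the CodeQL side does; add a comment above the `semgrep scan \` line, e.g. `# Vendored third-party code is excluded here and in .github/codeql/codeql-config.yml (paths-ignore); keep both in step.`, since a shell comment cannot be placed between the backslash-continued arguments. The `run:` block and the job that owns it start outside the hunk.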