diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..5c82c1b
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,8 @@
+# CodeQL configuration for ZeroClaw
+#
+# We intentionally ignore integration tests under `tests/` because they often
+# contain security-focused fixtures (example secrets, malformed payloads, etc.)
+# that can trigger false positives in security queries.
+
+paths-ignore:
+  - tests/**
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9899963..81210b2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,6 +27,7 @@ jobs:
         uses: github/codeql-action/init@v4
         with:
           languages: rust
+          config-file: ./.github/codeql/codeql-config.yml
       - name: Set up Rust
         uses: dtolnay/rust-toolchain@stable
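Review bot: `paths-ignore: - tests/**` in the new config file widens the blind spot beyond the fixture false positives the header comment describes: any genuine finding in test helper code (a test-only HTTP, file or process utility that later gets reused) is dropped as well, and as I recall the CodeQL docs, for compiled languages `paths-ignore` only filters alerts after extraction rather than skipping the code, so whether this saves any analysis time for Rust should be confirmed. Rust unit tests live in `#[cfg(test)]` modules under `src/` and are not matched by this glob, so the stated false-positive class is only partly addressed by excluding `tests/`. A narrower option is to keep `tests/**` analysed and dismiss the known fixture alerts with the "Used in tests" reason, or to scope the exclusion to the fixture directory only (for example `tests/fixtures/**`, a constructed path to be adjusted to the real layout). At minimum I would extend the header comment so the trade-off is visible to the next maintainer: `# NOTE: this hides alerts in tests/ rather than skipping analysis for compiled languages, and does not cover #[cfg(test)] modules in src/`.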