diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 000000000..8f13e8926
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,16 @@
+name: "CodeQL Config"
+
+# Paths to ignore - exclude test files and intentional security-reviewed features
+paths-ignore:
+ - '**/tests/**'
+ - '**/test_*.py'
+ - '**/*_test.py'
+
+# Query-specific path exclusions for intentional behaviors
+query-filters:
+ - exclude:
+ id: py/path-injection
+ paths:
+ # Local file indexing feature - users intentionally index their filesystem
+ # System directories are validated and blocked after path construction
+ - src/local_deep_research/research_library/routes/rag_routes.py
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2896469d9..41d95ac09 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -71,6 +71,7 @@ jobs:
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
+ config-file: ./.github/codeql/codeql-config.yml
 # If you wish to specify custom queries, you can do so here or in a config file.
 # By default, queries listed here will override any specified in a config file.
 # Prefix the list here with "+" to use these queries and those in the config file.
diff --git a/src/local_deep_research/research_library/routes/rag_routes.py b/src/local_deep_research/research_library/routes/rag_routes.py
index e342c41aa..bac961081 100644
--- a/src/local_deep_research/research_library/routes/rag_routes.py
+++ b/src/local_deep_research/research_library/routes/rag_routes.py
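Review bot: The `paths:` key nested under `query-filters: - exclude:` does not look like a supported filter property; as far as I know, query filters select queries by their metadata (`id`, `tags`, severity fields) and path scoping only exists at the top level through `paths`/`paths-ignore`. If the unknown key is ignored, this entry disables `py/path-injection` for the entire repository rather than for rag_routes.py alone, which is a real loss of coverage for a web application that accepts user-supplied paths; if it is treated as an unmatched property, the entry does nothing, and neither outcome matches what the two comments describe. The commit already adds an in-source `# lgtm[py/path-injection]` suppression at the sink in rag_routes.py, so the narrower option is to drop this `query-filters` entry, keep `paths-ignore` for the test globs, and confirm in the code-scanning results that the rag_routes alert appears as suppressed. Excluding `**/tests/**` from analysis is a reasonable trade, but note that it removes test code from every other query as well, not just this one.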
@@ -91,11 +91,11 @@ def validate_local_index_path(user_path: str) -> Path:
 # Try to use PathValidator with home as base
 # If path is absolute and not in home, validate it separately
- # lgtm[py/path-injection]
 # CodeQL: This is intentional - local file indexing on user's own machine.
- # Users index their own filesystem. System directories are blocked below.
+ # Users are allowed to index their own filesystem. System directories are blocked below.
 if Path(user_path).is_absolute():
- validated_path = Path(user_path).resolve()
+ # lgtm[py/path-injection] - Intentional: Local filesystem indexing feature
+ validated_path = Path(user_path).resolve() # nosec B108
 else:
 # Use PathValidator for relative paths
 validated_path = PathValidator.validate_safe_path(
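Review bot: The `# nosec B108` appended to `validated_path = Path(user_path).resolve()` names the wrong Bandit test: B108 is hardcoded_tmp_directory, which a `Path(...).resolve()` on a variable cannot raise, so the marker suppresses nothing relevant and will read as a stray exemption on exactly the line that is the path-injection sink. If Bandit did not flag this line, drop the marker; if it flagged a different test here, use that test's id instead. The relocated `# lgtm[py/path-injection]` comment on the line before the sink is the placement that suppression syntax expects, but it only takes effect when the alert-suppression queries are part of the analysis, so verify the alert is shown as suppressed in the code-scanning results rather than assuming it. validate_local_index_path starts before and continues after this hunk, and the system-directory check that both comments rely on to make `resolve()` acceptable is outside the hunk, so I could not confirm it here.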