diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0bdd785e70..ce2bcb57f3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -111,12 +111,36 @@ jobs:
       uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"
-      id: codeql_analysis
+        upload: failure-only # upload only in case of failure, otherwise upload later after filtering
+        output: codeql-results
+
+    - name: Filter SARIF
+      uses: advanced-security/filter-sarif@v1
+      with:
+        # filter out third-party dependencies
+        patterns: |
+          -src/dnsmasq/*
+          -src/webserver/civetweb/*
+          -src/webserver/cJSON/*
+          -src/tre-regex/*
+          -src/config/tomlc99/*
+          -src/database/shell.c
+          -src/database/sqlite3.c
+          -src/zip/miniz/*
+          -src/lua/*
+          +src/lua/ftl_*
+        input: codeql-results/cpp.sarif
+        output: codeql-results/cpp.sarif
+
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: codeql-results/cpp.sarif
 
     - name: Upload CodeQL results as an artifact
       if: success() || failure()
       uses: actions/upload-artifact@v4
       with:
         name: codeql-results
-        path: ${{ steps.codeql_analysis.outputs.sarif-output }}
+        path: codeql-results
         retention-days: 5
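Review bot: The new Filter SARIF and Upload SARIF steps hardcode `codeql-results/cpp.sarif` while the analyze step's `category` is still driven by `${{matrix.language}}`; if the matrix (defined outside this hunk) lists any language other than cpp, that language's results are now uploaded only when analysis fails (`upload: failure-only`) and are otherwise silently dropped. Using `input: codeql-results/${{ matrix.language }}.sarif`, the same value for `output:`, and `sarif_file: codeql-results/${{ matrix.language }}.sarif` keeps the three steps in lockstep with the matrix (this assumes analyze names the file after the language, which should be confirmed against the action's documented output layout). Separately, `advanced-security/filter-sarif@v1` is the one action in this job outside the `github/` and `actions/` namespaces and it rewrites the SARIF that lands in code scanning, so pinning it to a full commit SHA with a trailing `# v1.x.y` comment removes the mutable-tag supply-chain exposure. The `# filter out third-party dependencies` comment would also benefit from stating that alerts in these vendored trees are intentionally not surfaced by this workflow, so readers know they must be tracked by other means rather than assumed covered.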