Filter github codeQL scan results to exclude external dependencies

Signed-off-by: Christoph Niethammer <[email protected]>

.github/workflows/codeql.yml

@@ -27,7 +27,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-        - language: c-cpp
+        - language: cpp
           build-mode: manual
 
     steps:
@@ -63,3 +63,32 @@ jobs:
       uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"
+        output: sarif-results
+        upload: failure-only
+
+    - name: Upload full loc as a Build Artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: sarif-results
+        path: sarif-results
+        retention-days: 1
+
+    - name: Filter CodeQL results
+      uses: advanced-security/filter-sarif@v1
+      with:
+        patterns: |
+          -external/
+        input: sarif-results/${{matrix.language}}.sarif
+        output: sarif-results/${{matrix.language}}.sarif
+
+    - name: Upload CodeQL results
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: sarif-results/${{matrix.language}}.sarif
+
+    - name: Upload loc as a Build Artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: sarif-results
+        path: sarif-results
+        retention-days: 1