advanced-security
diff --git a/‎extractors/cds/tools/dist/cds-extractor.bundle.js‎
Lines changed: 24 additions & 2 deletions b/‎extractors/cds/tools/dist/cds-extractor.bundle.js‎
Lines changed: 24 additions & 2 deletions
diff --git a/‎extractors/cds/tools/dist/cds-extractor.bundle.js.map‎
Lines changed: 2 additions & 2 deletions b/‎extractors/cds/tools/dist/cds-extractor.bundle.js.map‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎extractors/cds/tools/dist/compile-test-cds-lib.cjs.map‎
Lines changed: 2 additions & 2 deletions b/‎extractors/cds/tools/dist/compile-test-cds-lib.cjs.map‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎extractors/cds/tools/src/paths-ignore.ts‎
Lines changed: 35 additions & 5 deletions b/‎extractors/cds/tools/src/paths-ignore.ts‎
Lines changed: 35 additions & 5 deletions
diff --git a/‎extractors/cds/tools/test/src/paths-ignore.test.ts‎
Lines changed: 77 additions & 0 deletions b/‎extractors/cds/tools/test/src/paths-ignore.test.ts‎
Lines changed: 77 additions & 0 deletions
@@ -1,5 +1,5 @@
 import { existsSync, readFileSync } from 'fs';
-import { join } from 'path';
+import { join, relative, resolve } from 'path';
 
 import { load as yamlLoad } from 'js-yaml';
 import { minimatch } from 'minimatch';
@@ -10,7 +10,7 @@ import { cdsExtractorLog } from './logging';
  * Well-known paths where a CodeQL configuration file may be located,
  * relative to the source root directory. Checked in order of priority.
  */
-const CODEQL_CONFIG_PATHS = [
+const DEFAULT_CONFIG_RELATIVE_PATHS = [
   '.github/codeql/codeql-config.yml',
   '.github/codeql/codeql-config.yaml',
 ];
@@ -29,14 +29,44 @@ interface CodeqlConfig {
 }
 
 /**
- * Finds the CodeQL configuration file in the source root directory by
- * checking the well-known paths in order.
+ * Finds the CodeQL configuration file in the source root directory.
+ *
+ * When the `CODEQL_CONFIG_PATH` environment variable is set, its value
+ * is treated as a path (relative to `sourceRoot`) to the config file.
+ * The resolved path must reside under `sourceRoot`; otherwise it is
+ * rejected to prevent path-traversal issues.
+ *
+ * When the environment variable is not set, the well-known default
+ * paths are checked in order.
  *
  * @param sourceRoot - The source root directory
  * @returns The absolute path to the config file, or undefined if not found
  */
 export function findCodeqlConfigFile(sourceRoot: string): string | undefined {
-  for (const configPath of CODEQL_CONFIG_PATHS) {
+  const envConfigPath = process.env.CODEQL_CONFIG_PATH;
+  if (envConfigPath) {
+    const resolvedRoot = resolve(sourceRoot);
+    const fullPath = resolve(resolvedRoot, envConfigPath);
+    const rel = relative(resolvedRoot, fullPath);
+    if (rel.startsWith('..') || resolve(resolvedRoot, rel) !== fullPath) {
+      cdsExtractorLog(
+        'warn',
+        `CODEQL_CONFIG_PATH '${envConfigPath}' resolves outside the source root. Ignoring.`,
+      );
+      return undefined;
+    }
+    if (existsSync(fullPath)) {
+      cdsExtractorLog('info', `Using CodeQL config file from CODEQL_CONFIG_PATH: ${fullPath}`);
+      return fullPath;
+    }
+    cdsExtractorLog(
+      'warn',
+      `CODEQL_CONFIG_PATH is set to '${envConfigPath}', but no file exists at '${fullPath}'.`,
+    );
+    return undefined;
+  }
+
+  for (const configPath of DEFAULT_CONFIG_RELATIVE_PATHS) {
     const fullPath = join(sourceRoot, configPath);
     if (existsSync(fullPath)) {
       return fullPath;
 
@@ -18,16 +18,24 @@ jest.mock('fs', () => ({
 jest.mock('js-yaml');
 
 describe('paths-ignore', () => {
+  const savedCodeqlConfigPath = process.env.CODEQL_CONFIG_PATH;
+
   beforeEach(() => {
     jest.resetAllMocks();
     clearPathsIgnoreCache();
+    delete process.env.CODEQL_CONFIG_PATH;
     jest.spyOn(console, 'log').mockImplementation(() => {});
     jest.spyOn(console, 'warn').mockImplementation(() => {});
     jest.spyOn(console, 'error').mockImplementation(() => {});
   });
 
   afterEach(() => {
     jest.restoreAllMocks();
+    if (savedCodeqlConfigPath !== undefined) {
+      process.env.CODEQL_CONFIG_PATH = savedCodeqlConfigPath;
+    } else {
+      delete process.env.CODEQL_CONFIG_PATH;
+    }
   });
 
   describe('findCodeqlConfigFile', () => {
@@ -62,6 +70,61 @@ describe('paths-ignore', () => {
       const result = findCodeqlConfigFile('/source');
       expect(result).toBeUndefined();
     });
+
+    it('should use CODEQL_CONFIG_PATH when set and file exists', () => {
+      process.env.CODEQL_CONFIG_PATH = 'default-codeql-config.yml';
+      (existsSync as jest.Mock).mockImplementation(
+        (p: string) => p === '/source/default-codeql-config.yml',
+      );
+
+      const result = findCodeqlConfigFile('/source');
+      expect(result).toBe('/source/default-codeql-config.yml');
+    });
+
+    it('should use CODEQL_CONFIG_PATH for nested paths under source root', () => {
+      process.env.CODEQL_CONFIG_PATH = 'config/my-codeql-config.yml';
+      (existsSync as jest.Mock).mockImplementation(
+        (p: string) => p === '/source/config/my-codeql-config.yml',
+      );
+
+      const result = findCodeqlConfigFile('/source');
+      expect(result).toBe('/source/config/my-codeql-config.yml');
+    });
+
+    it('should return undefined when CODEQL_CONFIG_PATH file does not exist', () => {
+      process.env.CODEQL_CONFIG_PATH = 'nonexistent-config.yml';
+      (existsSync as jest.Mock).mockReturnValue(false);
+
+      const result = findCodeqlConfigFile('/source');
+      expect(result).toBeUndefined();
+    });
+
+    it('should reject CODEQL_CONFIG_PATH that resolves outside source root', () => {
+      process.env.CODEQL_CONFIG_PATH = '../../etc/passwd';
+      (existsSync as jest.Mock).mockReturnValue(true);
+
+      const result = findCodeqlConfigFile('/source');
+      expect(result).toBeUndefined();
+    });
+
+    it('should not fall back to default paths when CODEQL_CONFIG_PATH is set but missing', () => {
+      process.env.CODEQL_CONFIG_PATH = 'missing-config.yml';
+      (existsSync as jest.Mock).mockImplementation(
+        (p: string) => p === '/source/.github/codeql/codeql-config.yml',
+      );
+
+      const result = findCodeqlConfigFile('/source');
+      // Should NOT find the default config when CODEQL_CONFIG_PATH is explicitly set
+      expect(result).toBeUndefined();
+    });
+
+    it('should take precedence over default paths when CODEQL_CONFIG_PATH is set', () => {
+      process.env.CODEQL_CONFIG_PATH = 'custom-config.yml';
+      (existsSync as jest.Mock).mockReturnValue(true);
+
+      const result = findCodeqlConfigFile('/source');
+      expect(result).toBe('/source/custom-config.yml');
+    });
   });
 
   describe('getPathsIgnorePatterns', () => {
@@ -192,6 +255,20 @@ describe('paths-ignore', () => {
       const result = getPathsIgnorePatterns('/source');
       expect(result).toEqual([]);
     });
+
+    it('should read patterns from custom config via CODEQL_CONFIG_PATH', () => {
+      process.env.CODEQL_CONFIG_PATH = 'default-codeql-config.yml';
+      (existsSync as jest.Mock).mockImplementation(
+        (p: string) => p === '/source/default-codeql-config.yml',
+      );
+      (readFileSync as jest.Mock).mockReturnValue('yaml-content');
+      (yamlLoad as jest.Mock).mockReturnValue({
+        'paths-ignore': ['third_party', 'generated/**'],
+      });
+
+      const result = getPathsIgnorePatterns('/source');
+      expect(result).toEqual(['third_party', 'generated/**']);
+    });
   });
 
   describe('shouldIgnorePath', () => {