diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 00000000..e9a2847a
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,6 @@
+name: "CodeQL Config"
+
+paths-ignore:
+  # Generated plugin mirrors create duplicate scan noise without adding
+  # source coverage because the canonical sources live outside plugins/.
+  - "plugins/**"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fd8b2148..9a3186b7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -30,8 +30,6 @@ jobs:
             build-mode: none
           - language: go
             build-mode: autobuild
-          - language: java-kotlin
-            build-mode: none
           - language: javascript-typescript
             build-mode: none
           - language: python
@@ -46,6 +44,7 @@ jobs:
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
+          config-file: ./.github/codeql/codeql-config.yml
 
       - name: Autobuild
         if: matrix.build-mode == 'autobuild'