diff --git a/src/codeql.ts b/src/codeql.ts
index c7f64e60d..fde9eb47e 100644
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -732,7 +732,17 @@ async function getCodeQLForCmd(
 "-Dmaven.wagon.http.pool=false",
 ].join(" ");
- await runTool(autobuildCmd);
+ const runnerExecutable = process.env["CODEQL_RUNNER"] || "";
+ // On Mac, prefixing with the runner executable is required to handle System Integrity Protection.
+ if (runnerExecutable) {
+ // Earlier steps (init) are expected to have written the runner executable path
+ // to the tracing environment, and the current step is expected to have
+ // correctly loaded that environment.
+ await runTool(runnerExecutable, [autobuildCmd]);
+ } else {
+ // Fallback in case CODEQL_RUNNER wasn't correctly set or loaded.
+ await runTool(autobuildCmd);
+ }
 },
 async extractScannedLanguage(databasePath: string, language: Language) {
 // Get extractor location
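Review bot: The `else` branch falls back to `runTool(autobuildCmd)` silently, so a run where `CODEQL_RUNNER` was never set or loaded is indistinguishable from a correct one. Going by the comment about System Integrity Protection, on macOS that presumably means the build is not traced and the resulting database can be incomplete without anyone noticing. Emit a warning in that branch through whatever logger this file already uses, saying that `CODEQL_RUNNER` was empty and autobuild is running unwrapped. Separately, the value of `CODEQL_RUNNER` is executed as a program straight from the environment, so it deserves either a comment such as `// CODEQL_RUNNER is trusted: it must only ever be written by the init step` or a check that the path exists before use. The enclosing method starts above the hunk.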