From 6f8805e224af921e4c2ccaf903943f0a0b111e53 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Mon, 18 May 2026 17:15:30 +0100
Subject: [PATCH] Default setup env vars: Restrict results to `src`
---
 queries/default-setup-environment-variables.ql | 1 +
 1 file changed, 1 insertion(+)

diff --git a/queries/default-setup-environment-variables.ql b/queries/default-setup-environment-variables.ql
index e45640941..9f677dfb9 100644
--- a/queries/default-setup-environment-variables.ql
+++ b/queries/default-setup-environment-variables.ql
@@ -43,6 +43,7 @@ predicate envVarRead(DataFlow::Node node, string envVar) {
 from DataFlow::Node read, string envVar
 where
  envVarRead(read, envVar) and
+ read.getFile().getRelativePath().matches("src/%") and
  not read.getFile().getBaseName().matches("%.test.ts") and
  not isSafeForDefaultSetup(envVar)
 select read,
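Review bot: The added `read.getFile().getRelativePath().matches("src/%")` conjunct in the `where` clause makes the query return nothing, with no error, whenever the database's source root is not the repository root. In that case the relative path no longer begins with `src/`, and `getRelativePath()` has no result at all for files outside the source root. If this query is used as a check on environment-variable reads, an empty result from a mis-rooted database would look the same as a clean one. Reads in files outside `src/` are also no longer reported, so the intent is worth stating beside the line, for example `// Only report reads in first-party sources under src/; assumes the database source root is the repository root.` The `select` clause continues past the end of the hunk.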