diff --git a/.github/workflows/codeql-monorepo-full.yml b/.github/workflows/codeql-monorepo-full.yml
index 25506786a2..19cc79cce9 100644
--- a/.github/workflows/codeql-monorepo-full.yml
+++ b/.github/workflows/codeql-monorepo-full.yml
@@ -32,7 +32,7 @@ jobs:
 steps:
 - name: Scan whole repo, split up by project
 id: whole-repo
- uses: advanced-security/monorepo-code-scanning-action/whole-repo@main
+ uses: advanced-security/monorepo-code-scanning-action/whole-repo@paths-ignore
 with:
 projects-json: monorepo-projects.json
 queries: security-extended
diff --git a/.github/workflows/codeql-monorepo.yml b/.github/workflows/codeql-monorepo.yml
index ae75932fe4..59498ef9d1 100644
--- a/.github/workflows/codeql-monorepo.yml
+++ b/.github/workflows/codeql-monorepo.yml
@@ -70,7 +70,8 @@ jobs:
 - name: Spot changes to projects
 id: changes
- uses: advanced-security/monorepo-code-scanning-action/changes@main
+ #uses: advanced-security/monorepo-code-scanning-action/changes@main
+ uses: advanced-security/monorepo-code-scanning-action/changes@paths-ignore
 with:
 projects-json: monorepo-projects.json
 queries: security-extended
diff --git a/packages/babel-cli/src/babel/sample.min.js b/packages/babel-cli/src/babel/sample.min.js
new file mode 100644
index 0000000000..500f7157bd
--- /dev/null
+++ b/packages/babel-cli/src/babel/sample.min.js
@@ -0,0 +1,8 @@
+console.writeline("hello, world!")
+
+function insecurePassword(): string {
+ // BAD: the random suffix is not cryptographically secure
+ const suffix = Math.random();
+ const password = "myPassword" + suffix;
+ return password;
+}
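Review bot: The new `uses:` line in codeql-monorepo-full.yml references the third-party action by a branch name, `whole-repo@paths-ignore`, which is a mutable ref: anyone able to push to that branch changes what this workflow executes, and a feature branch can be rebased or deleted once it is merged upstream. Pinning to a full commit SHA with the branch noted in a trailing comment, e.g. `uses: advanced-security/monorepo-code-scanning-action/whole-repo@<full-commit-sha> # paths-ignore`, keeps the scan reproducible and reviewable. The same applies to the `changes@paths-ignore` line in codeql-monorepo.yml. The job's permissions and its other steps are outside the hunk, so how much a changed action could reach cannot be judged from here.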
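Review bot: The commented-out `#uses: advanced-security/monorepo-code-scanning-action/changes@main` line added above the live `uses:` in codeql-monorepo.yml is dead configuration that the sibling workflow does not carry, so the two files now differ in style for the same change. Either drop it or replace it with a comment that records the intent, for example `# temporary: track the paths-ignore branch until it lands on main, then pin to a release SHA`, if that is indeed the plan.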
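Review bot: `sample.min.js` is added under `packages/babel-cli/src/babel/`, so what looks like a scanner fixture (the `// BAD:` comment marks the `Math.random()` suffix as deliberately weak) sits in the package's source tree, where it could be picked up by the build or published; the diff alone does not show whether it is excluded. It is also not valid JavaScript as written: `(): string` is a TypeScript return annotation and `console.writeline` is not a console method, so the file would fail to parse or throw on load. If it exists to exercise the path-ignore setting, moving it to a fixtures directory and opening it with a comment such as `// Code-scanning fixture: intentionally insecure, never import.` would make that explicit. Any real code deriving a password or token suffix should draw from the platform CSPRNG (`crypto.randomBytes` or `crypto.getRandomValues`) rather than `Math.random()`.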