When uploading a SARIF file that contains multiple SARIF runs for the same tool and category,
Code Scanning combines those runs into a single run.
Combining multiple runs within the same SARIF file is an undocumented feature that was originally intended to simplify uploading multiple analyses for the same commit. Since then, we have introduced the explicit concept of category to be able to upload multiple analysis for the same commit, thus better aligning with the SARIF Specification.
Today, we are starting the deprecation path for the combination of multiple SARIF runs with the same tool and category within the same file. Specifically, in the next few days, the github/codeql-action/upload-sarif action will start showing a deprecation warning when using 3rd party tools that rely on the combination of multiple SARIF runs with the same tool and category within the same file. While showing the deprecation warning, the upload of the SARIF file will succeed.
We expect to fully stop combining multiple SARIF runs with the same tool and category within the same file in June 2025 (for github.com) and in GHES 3.18, at which point the upload of the SARIF file will fail.
How does this affect me?
You are affected if you are using the github/codeql-action/upload-sarif action to upload results from a 3rd party Code Scanning tool and the tool generates multiple runs with the same category in a single SARIF file.
If that is the case, you will start seeing the deprecation warning, and you should work with the tool provider so that each run in the SARIF file has a distinct tool or category.
You are affected if you are using github/codeql-action/upload-sarif action to upload multiple SARIF files from a 3rd party tool. You can end up with multiple SARIF files if the tool either generates multiple SARIF files itself or if you are using a matrix build to run multiple analyses. Specifically, if you are doing a matrix build that generates multiple SARIF files and have a dedicated job to upload all the SARIF files together. For example, your workflow might look like the following if you analyze two apps using a matrix build but then have a dedicated upload job to upload all the SARIF files together:
jobs:
analyze:
...
strategy:
matrix:
app: ['app1', 'app2']
steps:
- name: SAST Scan
...
- name: Temporary store SARIF file
uses: actions/upload-artifact@v4
with:
name: sarif-${{ matrix.app }}
path: "results"
upload:
name: Upload SARIF
needs: analyze
steps:
- name: Fetch SARIF files
uses: actions/download-artifact@v4
with:
path: ../results
pattern: sarif-*
merge-multiple: true
- name: Upload Results
uses: github/codeql-action/upload-sarif@v3
In this case, you need to make the call to the github/codeql-action/upload-sarif action to include a distinct category. For example, you can embed the step in the matrix job and use the matrix variables to generate a unique category. In this way, the example above becomes:
jobs:
analyze:
...
strategy:
matrix:
app: ['app1', 'app2']
steps:
- name: SAST Scan
...
- name: Upload Results
uses: github/codeql-action/upload-sarif@v3
with:
category: ${{ matrix.app }}
Note that changing the value of the category causes older alerts to remain open, and you might want to delete the configuration using the previous category value.
You are not affected if you are only using CodeQL via the github/codeql-action action. For the few repositories that rely on this behavior, the CodeQL CLI (starting version 2.17.0) includes backwards compatible logic.
You are not affected if you are uploading multiple SARIF files for the same commit using one of the documented approaches.
What’s next?
In June 2025, SARIF uploads to github.com that contain multiple runs with the same tool and category will be rejected.
