Code scanning will stop combining multiple SARIF runs uploaded in the same SARIF file
Starting on July 22nd, 2025, GitHub code scanning will no longer combine multiple SARIF files that share the same tool and category properties. Impacted SARIF files will also be rejected.
What’s changing?
When uploading a SARIF file that contains multiple runs for the same tool and category, code scanning currently combines those runs into a single run. However, we’ve now introduced the explicit concept of category to support uploading multiple analyses for the same commit, which better aligns with the SARIF specification.
In May 2024, we announced a plan for deprecating this feature. To warn users of the upcoming deprecation, the github/codeql-action/upload-sarif action currently shows a deprecation warning when using third-party tools that rely on the combination of multiple SARIF runs with the same tool and category within the same file.
For code scanning analyses on github.com, we will cease combining multiple SARIF runs with the same tool and category within the same file on July 22, 2025. At that point, impacted SARIF uploads will fail. For GitHub Enterprise Server customers, this change will come into effect in GHES 3.18.
How does this affect me?
You will not be affected if:
- You’re using code scanning with CodeQL, either through code scanning default setup or code scanning advanced setup.
- You’re uploading multiple SARIF files for the same commit using one of the documented approaches.
You will be affected if:
- You’re using either the github/codeql-action/upload-sarif action or the code scanning API to upload results from a third-party code scanning tool and the tool generates multiple runs with the same category in a single SARIF file. To ensure that SARIF uploads don’t fail, you should work with the code scanning tool provider so that each run in the SARIF file has a distinct tool or category.
- You’re using the github/codeql-action/upload-sarif action to upload multiple SARIF files from a third-party tool, or you’re using a matrix build to run multiple analyses. For more information about updating matrix builds, see our earlier changelog post.
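To find out before uploading whether a third-party SARIF file falls into the first case, the following check lists runs that share a tool and category. It is an added example, not GitHub's own code. It assumes the tool is identified by tool.driver.name and the category is the part of automationDetails.id before the last slash; ExampleScanner and the sample document are constructed.

```python
import json
from collections import defaultdict

# Constructed sample: two runs from the same hypothetical tool with no
# automationDetails, plus one run that carries its own category.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "ExampleScanner"}}, "results": []},
        {"tool": {"driver": {"name": "ExampleScanner"}}, "results": []},
        {"tool": {"driver": {"name": "ExampleScanner"}},
         "automationDetails": {"id": "containers/"}, "results": []},
    ],
})


def run_category(run):
    """Category of a run. Assumption: the text before the last '/' in
    automationDetails.id; an id without '/' carries no category."""
    run_id = (run.get("automationDetails") or {}).get("id") or ""
    return run_id.rsplit("/", 1)[0] if "/" in run_id else ""


def duplicate_runs(sarif_text):
    """Return {(tool, category): [run indexes]} for each pair shared by 2+ runs."""
    doc = json.loads(sarif_text)
    seen = defaultdict(list)
    for index, run in enumerate(doc.get("runs") or []):
        # Assumption: tool identity is the driver name.
        driver = (run.get("tool") or {}).get("driver") or {}
        seen[(driver.get("name", ""), run_category(run))].append(index)
    return {key: idxs for key, idxs in seen.items() if len(idxs) > 1}


if __name__ == "__main__":
    import sys
    # Check the file given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_SARIF
    dupes = duplicate_runs(text)
    for (tool, category), idxs in dupes.items():
        print(f"runs {idxs} share tool={tool!r} category={category!r}")
    sys.exit(1 if dupes else 0)
```

Run as a CI step before the upload, the non-zero exit status stops the job when a file contains runs that would collide.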
Learn more about securing your code with GitHub code scanning and Copilot Autofix.