"CodeQL Action does not support uploading multiple SARIF runs with the same category" with single file upload #3051

@Athari

When I upload one SARIF file, the upload action complains about "multiple SARIF runs with the same category" somehow.

Error during build:

# build log
Run github/codeql-action/upload-sarif@v3
  with:
    sarif_file: Artifacts/logs/build.sarif
    category: /language:csharp/msbuild
    checkout_path: /home/runner/work/Alba.Text.Json/Alba.Text.Json
    token: ***
    matrix: null
    wait-for-processing: true
  env:
    # ...
    artifacts_dir:    Artifacts
    logs_dir:         Artifacts/logs
    sarif_dir:        Artifacts/logs/sarif
    # ...
Uploading code scanning results
  Processing sarif files: ["Artifacts/logs/build.sarif"]
  Validating Artifacts/logs/build.sarif
  Error: The CodeQL Action does not support uploading multiple SARIF runs with the same category. Please update your workflow to upload a single run per category. For more information, see https://github.blog/changelog/2025-07-21-code-scanning-will-stop-combining-multiple-sarif-runs-uploaded-in-the-same-sarif-file/

I'm building C# projects with <ErrorLog>$(ArtifactsPath)logs/sarif/$(ProjectName)-$(TargetFramework)-$(Configuration.ToLowerInvariant()).sarif,version=2.1</ErrorLog> in my Directory.Build.targets which makes C# compiler CSC produce logs in SARIF format. There are 4 projects, all multi-targeted (<TargetFrameworks>net10.0;net9.0;net8.0;net7.0;net6.0;netstandard2.1;netstandard2.0;net462</TargetFrameworks> and the like). Then I merge the logs and try to upload them (I even remove the source SARIF logs just to be sure only one file remains):

    - name: Merge SARIF reports
      run: >
        dotnet sarif merge
        ${{ env.sarif_dir }}/*.sarif
        --output-directory ${{ env.logs_dir }}
        --output-file build.sarif
        --log "Optimize;Minify"

        Remove-Item -Path '${{ env.sarif_dir }}' -Recurse

    - name: Upload SARIF reports
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ env.logs_dir }}/build.sarif
        category: "/language:csharp/msbuild"

What does it want from me? It's one file, with category specified.

The other workflow, which is CodeQL Actions + CodeQL C# + PSScriptAnalyzer, with all 3 producing SARIF, works fine.
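
A single SARIF file can still hold several entries in its `runs` array, so the file count alone does not show how many runs are being uploaded. The following added example (not part of the original issue and not the CodeQL Action's own code) lists the runs in a SARIF 2.1.0 log and groups them by tool name and `automationDetails.id`. The grouping key, the fallback to the upload step's `category` input, and the sample log are assumptions constructed for illustration.

```python
import json
import sys
from collections import defaultdict

# Constructed sample (not from the issue): one SARIF file holding three runs.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "ExampleCompiler"}},
     "results": [{"ruleId": "EX0001"}, {"ruleId": "EX0002"}]},
    {"tool": {"driver": {"name": "ExampleCompiler"}},
     "results": [{"ruleId": "EX0001"}]},
    {"tool": {"driver": {"name": "ExampleAnalyzer"}},
     "automationDetails": {"id": "/language:csharp/other"}, "results": []},
]})

def run_key(run, default_category=None):
    """Return (tool name, category) for one run."""
    # Assumption: a run without automationDetails.id takes the category given
    # to the upload step; default_category stands in for that input.
    driver = (run.get("tool") or {}).get("driver") or {}
    automation_id = (run.get("automationDetails") or {}).get("id")
    return (driver.get("name", "<unknown>"), automation_id or default_category)

def group_runs(sarif_text, default_category=None):
    """Map each (tool name, category) key to the runs that share it."""
    groups = defaultdict(list)
    for index, run in enumerate(json.loads(sarif_text).get("runs") or []):
        groups[run_key(run, default_category)].append(
            {"index": index, "results": len(run.get("results") or [])})
    return dict(groups)

def duplicate_groups(sarif_text, default_category=None):
    """Keep only the keys shared by more than one run."""
    groups = group_runs(sarif_text, default_category)
    return {key: runs for key, runs in groups.items() if len(runs) > 1}

if __name__ == "__main__":
    # Usage: python check_runs.py build.sarif /language:csharp/msbuild
    if len(sys.argv) > 1:
        # utf-8-sig also accepts files written with a byte order mark.
        with open(sys.argv[1], encoding="utf-8-sig") as handle:
            text = handle.read()
    else:
        text = SAMPLE_SARIF
    category = sys.argv[2] if len(sys.argv) > 2 else "/language:csharp/msbuild"
    for key, runs in group_runs(text, category).items():
        flag = "DUPLICATE" if len(runs) > 1 else "ok"
        print(f"{flag:9} tool={key[0]!r} category={key[1]!r} runs={runs}")
```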
