GitHub Actions SARIF Upload Fails - security-events: write Missing
A code-scanning step (CodeQL or another SARIF producer) fails to upload results because the workflow token is missing security-events: write, the scope required to write code-scanning alerts.
What this error means
The analysis runs but the SARIF upload step fails with a 403 or "Resource not accessible by integration", so no alerts appear under code scanning.
Actions log
Error: Resource not accessible by integration
POST /repos/org/repo/code-scanning/sarifs
# upload-sarif could not write code scanning resultsCommon causes
Missing security-events: write permission
Uploading SARIF to code scanning requires security-events: write. Without it (or under read-only defaults) the upload is rejected.
Fork pull request token is read-only
On pull_request from a fork, the token cannot write security events, so SARIF upload from that context is denied by design.
How to fix it
Grant security-events: write
.github/workflows/codeql.yml
permissions:
contents: read
security-events: write
jobs:
analyze:
runs-on: ubuntu-latestRun scanning where it can write
- Run code scanning on push and on non-fork PRs where the token can write.
- For fork PRs, upload SARIF as an artifact and ingest it from a trusted workflow_run job.
- Add actions: read when the analysis needs to read workflow metadata.
How to prevent it
- Grant security-events: write on the scanning job only.
- Avoid relying on SARIF upload directly from fork PRs.
- Keep code-scanning workflows least-privilege otherwise.
Related guides
GitHub Actions "Resource not accessible" Creating a Check RunFix GitHub Actions check-run / annotation failures - the GITHUB_TOKEN lacks checks: write, so actions that pu…
GitHub Actions "Resource not accessible" Setting a Commit StatusFix GitHub Actions commit-status failures - setting a commit status via the statuses API needs statuses: writ…
GitHub Actions OIDC id-token Missing in a Reusable WorkflowFix GitHub Actions OIDC failures in reusable workflows - id-token: write must be granted by the caller and no…