Skip to content
Latchkey

GitHub Actions SARIF Upload Fails - security-events: write Missing

A code-scanning step (CodeQL or another SARIF producer) fails to upload results because the workflow token is missing security-events: write, the scope required to write code-scanning alerts.

What this error means

The analysis runs but the SARIF upload step fails with a 403 or "Resource not accessible by integration", so no alerts appear under code scanning.

Actions log
Error: Resource not accessible by integration
  POST /repos/org/repo/code-scanning/sarifs
# upload-sarif could not write code scanning results

Common causes

Missing security-events: write permission

Uploading SARIF to code scanning requires security-events: write. Without it (or under read-only defaults) the upload is rejected.

Fork pull request token is read-only

On pull_request from a fork, the token cannot write security events, so SARIF upload from that context is denied by design.

How to fix it

Grant security-events: write

.github/workflows/codeql.yml
permissions:
  contents: read
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest

Run scanning where it can write

  1. Run code scanning on push and on non-fork PRs where the token can write.
  2. For fork PRs, upload SARIF as an artifact and ingest it from a trusted workflow_run job.
  3. Add actions: read when the analysis needs to read workflow metadata.

How to prevent it

  • Grant security-events: write on the scanning job only.
  • Avoid relying on SARIF upload directly from fork PRs.
  • Keep code-scanning workflows least-privilege otherwise.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →