Error: Unable to upload "results.sarif" as it is not valid SARIF #379

@JPLachance

Describe the bug

When the GitHub Action job reaches the SARIF upload step, the SARIF upload fails.

Error: Unable to upload "results.sarif" as it is not valid SARIF:

  • instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer
  • instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string
  • instance.runs[0].taxonomies[0].rules is not of a type(s) array

To Reproduce

Here is our job YAML. Notice we run on a https://runs-on.com/ GitHub runner, on Ubuntu 24.04.

  poutine:
    name: Boost Security.io Poutine
    runs-on:
      # these are auto-generated
      - runs-on=${{ github.run_id }}
      - runner=default_ubuntu_24_arm64
      - env=${{ vars.RUNS_ON_ENV_DEV }}/region=us-east-1

    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          egress-policy: audit
      - name: Setup self-hosted runner
        uses: coveo-platform/setup-runner@v1.0.0
      - uses: actions/checkout@v5.0.0
      - name: poutine - GitHub Actions SAST
        uses: boostsecurityio/poutine-action@61bf0017ee5853beb601609f85c94249b53c26ef
      - name: Upload poutine SARIF file
        uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
        with:
          sarif_file: results.sarif

Expected behavior
Uploading a SARIF normally works.

Screenshots

Run github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f
##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"4fa2a7953630fd2f3fb380f21be14ede0169dd4f","action_started_at":"2025-11-07T18:05:39.980Z","action_version":"3.25.12","analysis_key":".github/workflows/security-ci.yml:poutine","commit_oid":"fcd6c2d5b2c2d8366e13b7415780831017e0ecae","first_party_analysis":false,"job_name":"poutine","job_run_uuid":"","ref":"refs/pull/482/merge","runner_os":"Linux","started_at":"2025-11-07T18:05:39.980Z","status":"starting","steady_state_default_setup":false,"testing_environment":"","workflow_name":"Code Scanning","workflow_run_attempt":2,"workflow_run_id":19173891048,"actions_event_name":"pull_request","runner_available_disk_space_bytes":40131665920,"runner_total_disk_space_bytes":50884108288,"matrix_vars":"null","runner_arch":"ARM64"}
::group::Uploading results
Uploading results
Error details: instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer
::group::Error details: instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string
Error details: instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string
::group::Error details: instance.runs[0].taxonomies[0].rules is not of a type(s) array
Error details: instance.runs[0].taxonomies[0].rules is not of a type(s) array
Error: Unable to upload "results.sarif" as it is not valid SARIF:
- instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer
- instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string
- instance.runs[0].taxonomies[0].rules is not of a type(s) array
##[debug]Sending status report: {"action_name":"upload-sarif","action_oid":"unknown","action_ref":"4fa2a7953630fd2f3fb380f21be14ede0169dd4f","action_started_at":"2025-11-07T18:05:39.980Z","action_version":"3.25.12","analysis_key":".github/workflows/security-ci.yml:poutine","commit_oid":"fcd6c2d5b2c2d8366e13b7415780831017e0ecae","first_party_analysis":false,"job_name":"poutine","job_run_uuid":"","ref":"refs/pull/482/merge","runner_os":"Linux","started_at":"2025-11-07T18:05:39.980Z","status":"user-error","steady_state_default_setup":false,"testing_environment":"","workflow_name":"Code Scanning","workflow_run_attempt":2,"workflow_run_id":19173891048,"actions_event_name":"pull_request","runner_available_disk_space_bytes":40131641344,"runner_total_disk_space_bytes":50884108288,"cause":"Unable to upload \"results.sarif\" as it is not valid SARIF:\n- instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer\n- instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string\n- instance.runs[0].taxonomies[0].rules is not of a type(s) array","exception":"Error: Unable to upload \"results.sarif\" as it is not valid SARIF:\n- instance.runs[0].tool.driver.supportedTaxonomies[0].index is not of a type(s) integer\n- instance.runs[0].tool.driver.supportedTaxonomies[0].guid is not of a type(s) string\n- instance.runs[0].taxonomies[0].rules is not of a type(s) array\n    at run (/home/runner/_work/_actions/github/codeql-action/4fa2a7953630fd2f3fb380f21be14ede0169dd4f/lib/upload-sarif-action.js:73:15)\n    at async runWrapper (/home/runner/_work/_actions/github/codeql-action/4fa2a7953630fd2f3fb380f21be14ede0169dd4f/lib/upload-sarif-action.js:86:9)","completed_at":"2025-11-07T18:05:40.497Z","matrix_vars":"null","runner_arch":"ARM64"}
##[debug]Node Action run completed with exit code 1
##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
##[debug]CODEQL_ACTION_VERSION='3.25.12'
##[debug]CODEQL_ACTION_ANALYSIS_KEY='.github/workflows/security-ci.yml:poutine'
##[debug]CODEQL_WORKFLOW_STARTED_AT='2025-11-07T18:05:39.980Z'
##[debug]CODEQL_ACTION_JOB_STATUS='JOB_STATUS_CONFIGURATION_ERROR'
##[debug]Finishing: Upload poutine SARIF file

Desktop (please complete the following information):

  • OS: Ubuntu
  • Browser [e.g. chrome, safari]
  • Version 24.04
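
A pre-upload check for the three type constraints named in the error above, added here as an example; it is not code from this issue, poutine, or codeql-action. The function names are hypothetical, and the sample document is constructed with `null` as an assumed wrong value, since the page does not show the real `results.sarif`.

```python
import json
import sys

# Constructed sample, NOT poutine's real output (the page does not show the
# file): null is an assumed wrong value in the three places the error names.
SAMPLE = json.loads("""
{"version": "2.1.0", "runs": [{
  "tool": {"driver": {"name": "example-tool", "supportedTaxonomies": [
    {"name": "example-taxonomy", "index": null, "guid": null}]}},
  "taxonomies": [{"name": "example-taxonomy", "rules": null}],
  "results": []}]}
""")

JSON_TYPE = {dict: "object", list: "array", str: "string", bool: "boolean",
             int: "integer", float: "number", type(None): "null"}

def _json_type(value):
    if isinstance(value, float) and value.is_integer():
        return "integer"  # JSON Schema treats 1.0 as an integer
    return JSON_TYPE.get(type(value), "unknown")

def _expect(problems, path, obj, key, want):
    """Record a problem if obj[key] is present but not of JSON type `want`."""
    if isinstance(obj, dict) and key in obj:
        got = _json_type(obj[key])
        if got != want:
            problems.append(f"{path}.{key}: expected {want}, found {got}")

def check_taxonomy_types(sarif):
    """Check the three properties from the error; absent keys are accepted."""
    problems = []
    for r, run in enumerate(sarif.get("runs") or []):
        driver = (run.get("tool") or {}).get("driver") or {}
        for i, ref in enumerate(driver.get("supportedTaxonomies") or []):
            path = f"runs[{r}].tool.driver.supportedTaxonomies[{i}]"
            _expect(problems, path, ref, "index", "integer")
            _expect(problems, path, ref, "guid", "string")
        for i, tax in enumerate(run.get("taxonomies") or []):
            _expect(problems, f"runs[{r}].taxonomies[{i}]", tax, "rules", "array")
    return problems

if __name__ == "__main__":
    doc = SAMPLE
    if len(sys.argv) > 1:  # e.g. results.sarif, before the upload step
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    found = check_taxonomy_types(doc)
    print("\n".join(found) or "taxonomy fields have the expected types")
    sys.exit(1 if found else 0)
```

Unlike the uploader's message, the output names the JSON type actually found at each path.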
