diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 7c0ad6c7b..059f7d91c 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -46,6 +46,7 @@ jobs:
 continue-on-error: true
 - name: Trivy filesystem vulnerability scan (SARIF)
+ id: trivy
 uses: aquasecurity/trivy-action@0.24.0
 with:
 scan-type: fs
@@ -58,8 +59,8 @@ jobs:
 continue-on-error: true
 - name: Upload SARIF to GitHub code scanning
- if: ${{ always() }}
- uses: github/codeql-action/upload-sarif@v3
+ if: ${{ steps.trivy.outcome == 'success' && hashFiles('trivy-results.sarif') != '' }}
+ uses: github/codeql-action/upload-sarif@v4
 with:
 sarif_file: trivy-results.sarif
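Review bot: The new `if:` on the upload step in the second hunk skips the SARIF upload whenever `steps.trivy.outcome` is not `success`, and because the step just above it is `continue-on-error: true`, the job still finishes green with nothing sent to code scanning. If the Trivy inputs outside this hunk set a non-zero `exit-code` on findings (not visible here), the results would be dropped exactly when vulnerabilities exist. Gating on the file alone keeps the guard against a missing SARIF without losing findings: `if: ${{ always() && hashFiles('trivy-results.sarif') != '' }}`. A later step that warns or fails when `steps.trivy.outcome != 'success'` would make a broken scan visible. Separately, `upload-sarif@v4` is a movable tag; a workflow that writes security events is better pinned to a full commit SHA, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha> # v4`.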