diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml
index add0daf2d7b..400053e7de7 100644
--- a/.github/workflows/daily-malicious-code-scan.lock.yml
+++ b/.github/workflows/daily-malicious-code-scan.lock.yml
@@ -951,7 +951,7 @@ jobs:
 if: steps.process_safe_outputs.outputs.sarif_file != ''
 uses: github/codeql-action/upload-sarif@0e9f55954318745b37b7933c693bc093f7336125 # v4.35.1
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 sarif_file: ${{ steps.process_safe_outputs.outputs.sarif_file }}
 wait-for-processing: true
 - name: Upload Safe Output Items
diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml
index a8c43c4c066..aaf90b099d3 100644
--- a/.github/workflows/daily-semgrep-scan.lock.yml
+++ b/.github/workflows/daily-semgrep-scan.lock.yml
@@ -1122,7 +1122,7 @@ jobs:
 if: steps.process_safe_outputs.outputs.sarif_file != ''
 uses: github/codeql-action/upload-sarif@0e9f55954318745b37b7933c693bc093f7336125 # v4.35.1
 with:
- github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 sarif_file: ${{ steps.process_safe_outputs.outputs.sarif_file }}
 wait-for-processing: true
 - name: Upload Safe Output Items
diff --git a/actions/setup/js/create_code_scanning_alert.cjs b/actions/setup/js/create_code_scanning_alert.cjs
index 63b52ad6a0c..153c163b5a7 100644
--- a/actions/setup/js/create_code_scanning_alert.cjs
+++ b/actions/setup/js/create_code_scanning_alert.cjs 
@@ -28,6 +28,10 @@ async function main(config = {}) {
 core.info(`Create code scanning alert configuration: max=${maxFindings === 0 ? "unlimited" : maxFindings}`);
 core.info(`Driver name: ${driverName}`);
 core.info(`Workflow filename for rule ID prefix: ${workflowFilename}`);
+ core.info(`Working directory: ${process.cwd()}`);
+ core.info(`GitHub ref: ${process.env.GITHUB_REF || "(not set)"}`);
+ core.info(`GitHub SHA: ${process.env.GITHUB_SHA || "(not set)"}`);
+ core.info(`GitHub repository: ${process.env.GITHUB_REPOSITORY || "(not set)"}`);
 // Track how many items we've processed for max limit
 let processedCount = 0;
@@ -39,6 +43,7 @@ async function main(config = {}) {
 // SARIF file path
 const sarifFileName = "code-scanning-alert.sarif";
 const sarifFilePath = path.join(process.cwd(), sarifFileName);
+ core.info(`SARIF file will be written to: ${sarifFilePath}`);
 /**
 * Generate and write SARIF file with all collected findings
diff --git a/pkg/workflow/compiler_safe_outputs_job_test.go b/pkg/workflow/compiler_safe_outputs_job_test.go
index 844fa7892a0..a404cfd89b8 100644
--- a/pkg/workflow/compiler_safe_outputs_job_test.go
+++ b/pkg/workflow/compiler_safe_outputs_job_test.go 
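Review bot: The four new diagnostics at the top of `main` print `(not set)` at info level when GITHUB_REF, GITHUB_SHA or GITHUB_REPOSITORY is missing, so a run outside Actions or with a stripped environment is only discoverable by reading the log rather than surfaced as a warning. Since the SARIF written to `sarifFilePath` is presumably uploaded against the current commit, a missing GITHUB_SHA is worth escalating: `if (!process.env.GITHUB_SHA) core.warning("GITHUB_SHA is not set; code scanning results may not be associated with a commit");`. The same applies to GITHUB_REPOSITORY, which the upload needs to target the right repository. `main` starts before the first hunk and continues past the second.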
@@ -841,6 +841,20 @@ func TestCreateCodeScanningAlertIncludesSARIFUploadStep(t *testing.T) {
 "Upload step should reference sarif_file output")
 assert.Contains(t, stepsContent, "wait-for-processing: true",
 "Upload step should wait for processing")
+ // github/codeql-action/upload-sarif uses 'token' not 'github-token'
+ // Extract the upload-sarif step section to check it specifically
+ uploadStepStart := strings.Index(stepsContent, "- name: Upload SARIF to GitHub Code Scanning")
+ require.Greater(t, uploadStepStart, -1, "Upload SARIF step must exist in steps content")
+ uploadStepSection := stepsContent[uploadStepStart:]
+ // Find the end of this step (next step starts with " - name:")
+ nextStepIdx := strings.Index(uploadStepSection[len(" - name:"):], " - name:")
+ if nextStepIdx > -1 {
+ uploadStepSection = uploadStepSection[:nextStepIdx+len(" - name:")]
+ }
+ assert.Contains(t, uploadStepSection, "token:",
+ "Upload step should use 'token' input (not 'github-token')")
+ assert.NotContains(t, uploadStepSection, "github-token:",
+ "Upload step must not use 'github-token' - upload-sarif only accepts 'token'")
 // Verify the upload step appears after the process_safe_outputs step
 processSafeOutputsPos := strings.Index(stepsContent, "id: process_safe_outputs")
diff --git a/pkg/workflow/create_code_scanning_alert.go b/pkg/workflow/create_code_scanning_alert.go
index eed746cf676..e46cd3d24a1 100644
--- a/pkg/workflow/create_code_scanning_alert.go
+++ b/pkg/workflow/create_code_scanning_alert.go 
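Review bot: The positive check `assert.Contains(t, uploadStepSection, "token:", …)` is also satisfied by the string `github-token:`, so on its own it cannot distinguish the two input names and only the following `NotContains` actually enforces the fix; anchoring the match at the start of a line makes the positive assertion meaningful, e.g. `assert.Regexp(t, "(?m)^\\s+token:", uploadStepSection)`. The new assertions only check the input name of the default path; neither the per-config/global token precedence nor the GitHub App branch of the new helper, which emits `steps.safe-outputs-app-token.outputs.token`, is exercised, and that branch is the one most likely to regress silently because the default expression is what the lock files show. The test function starts before the hunk and continues after it.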
@@ -78,9 +78,43 @@ func (c *Compiler) buildUploadCodeScanningSARIFStep(data *WorkflowData) []string
 steps = append(steps, " if: steps.process_safe_outputs.outputs.sarif_file != ''\n")
 steps = append(steps, fmt.Sprintf(" uses: %s\n", GetActionPin("github/codeql-action/upload-sarif")))
 steps = append(steps, " with:\n")
- c.addSafeOutputGitHubTokenForConfig(&steps, data, data.SafeOutputs.CreateCodeScanningAlerts.GitHubToken)
+ // NOTE: github/codeql-action/upload-sarif uses 'token' as the input name, not 'github-token'
+ c.addUploadSARIFToken(&steps, data, data.SafeOutputs.CreateCodeScanningAlerts.GitHubToken)
 steps = append(steps, " sarif_file: ${{ steps.process_safe_outputs.outputs.sarif_file }}\n")
 steps = append(steps, " wait-for-processing: true\n")
 return steps
 }
+
+// addUploadSARIFToken adds the 'token' input for github/codeql-action/upload-sarif.
+// This action uses 'token' as the input name (not 'github-token' like other GitHub Actions).
+// Uses precedence: config token > safe-outputs global github-token > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
+func (c *Compiler) addUploadSARIFToken(steps *[]string, data *WorkflowData, configToken string) {
+ var safeOutputsToken string
+ if data.SafeOutputs != nil {
+ safeOutputsToken = data.SafeOutputs.GitHubToken
+ }
+
+ // If app is configured, use app token
+ if data.SafeOutputs != nil && data.SafeOutputs.GitHubApp != nil {
+ *steps = append(*steps, " token: ${{ steps.safe-outputs-app-token.outputs.token }}\n")
+ return
+ }
+
+ // Choose the first non-empty custom token for precedence
+ effectiveCustomToken := configToken
+ if effectiveCustomToken == "" {
+ effectiveCustomToken = safeOutputsToken
+ }
+
+ effectiveToken := getEffectiveSafeOutputGitHubToken(effectiveCustomToken)
+ // Log which token source is being used for debugging
+ tokenSource := "default (GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)"
+ if configToken != "" {
+ tokenSource = "per-config github-token"
+ } else if safeOutputsToken != "" {
+ tokenSource = 
"safe-outputs github-token"
+ }
+ createCodeScanningAlertLog.Printf("Using token for SARIF upload from source: %s (upload-sarif uses 'token' not 'github-token')", tokenSource)
+ *steps = append(*steps, fmt.Sprintf(" token: %s\n", effectiveToken))
+}