diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml
index 6edabe1..c230bc5 100644
--- a/.github/workflows/snyk-scan.yml
+++ b/.github/workflows/snyk-scan.yml
@@ -36,11 +36,15 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
- args: --severity-threshold=high --file=docker/pulumi/Dockerfile -d
+ args: --severity-threshold=high --file=docker/pulumi/Dockerfile
+ - name: Filter Sarif File
+ # GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
+ run: |
+ python -c "import json; sarif = json.loads(open("plop.sarif").read()); sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))"
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: snyk.sarif
+ sarif_file: out.sarif
 
 provider-build-environment:
 name: Provider Build Environment
@@ -62,10 +66,14 @@ jobs:
 with:
 image: ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-amd64
 args: --severity-threshold=high --file=docker/pulumi/Dockerfile
+ - name: Filter Sarif File
+ # GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
+ run: |
+ python -c "import json; sarif = json.loads(open("plop.sarif").read()); sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))"
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: snyk.sarif
+ sarif_file: out.sarif
 
 base:
 name: Base image
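Review bot: The `python -c "..."` one-liner in the new Filter Sarif File step cannot run as written, because the Python source is wrapped in double quotes and also uses double quotes internally, so the shell strips the inner ones and Python receives `open(plop.sarif)` and `sarif[runs]`, which raise NameError before any filtering happens; the identical line is repeated in the second hunk (provider-build-environment job). The input name `plop.sarif` also looks like a leftover placeholder, since the upload step read `snyk.sarif` before this change and no step visible here writes `plop.sarif` — confirm it against the Snyk step's actual SARIF output name, otherwise the step fails on a missing file and nothing is uploaded to Code Scanning. A quoted heredoc avoids the shell-quoting problem and lets the filter be written as readable multi-line Python; using `run.get("results")` additionally tolerates runs that omit the `results` key instead of failing with KeyError. Both job definitions start before and continue after the hunks.

```yaml
      - name: Filter Sarif File
        # GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
        run: |
          python - <<'EOF'
          import json
          # Input name must match the Snyk step's SARIF output (it was uploaded as snyk.sarif before this change).
          with open("snyk.sarif") as f:
              sarif = json.load(f)
          sarif["runs"] = [run for run in sarif["runs"] if run.get("results")]
          with open("out.sarif", "w") as f:
              json.dump(sarif, f, indent=2)
          EOF
      # … unchanged: upload-sarif step …
```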