diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index dc3976a4..b254b0d8 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -23,10 +23,3 @@ jobs:
 with:
 name: maven-repo
 path: ~/.m2/repository/com/yubico/yubikit/
-
- - name: Upload build reports
- uses: actions/upload-artifact@v3
- if: always()
- with:
- name: build-reports
- path: ./*/build/reports/*
diff --git a/.github/workflows/spotbugs-scan.yml b/.github/workflows/spotbugs-scan.yml
new file mode 100644
index 00000000..6b44af73
--- /dev/null
+++ b/.github/workflows/spotbugs-scan.yml
@@ -0,0 +1,39 @@
+name: "SpotBugs"
+
+on:
+ push:
+ branches: [ adamve/spotbugs-reports-v3 ]
+ pull_request:
+ branches: [ adamve/spotbugs-reports-v3 ]
+ schedule:
+ - cron: '25 16 * * 0'
+
+jobs:
+ spotbugs-analyze:
+ name: SpotBugs Analyze
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Setup Java
+ uses: actions/setup-java@v3
+ with:
+ distribution: 'temurin'
+ java-version: '17'
+
+ - name: Build with Gradle
+ run: ./gradlew spotbugsRelease spotbugsMain
+
+ - name: upload SARIF
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: build/spotbugs/
+ category: spotbugs-analysis
\ No newline at end of file
diff --git a/build.gradle b/build.gradle
index 01be8c00..ad676496 100755
--- a/build.gradle
+++ b/build.gradle
@@ -52,9 +52,9 @@ subprojects {
 enabled = false
 } else {
 group 'verification'
- reports {
- xml.enabled = true
- html.enabled = true
+ reports.create("sarif") {
+ required = true
+ outputLocation = file("${project.rootDir}/build/spotbugs/spotbugs-${project.name}.sarif")
 }
 }
 }
diff --git a/buildSrc/src/main/groovy/project-convention-spotbugs.gradle b/buildSrc/src/main/groovy/project-convention-spotbugs.gradle
index 8e546cef..cba6f8d2 100644
--- a/buildSrc/src/main/groovy/project-convention-spotbugs.gradle
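Review bot: The `upload SARIF` step in the new spotbugs-scan.yml runs only when every earlier step succeeded, yet `./gradlew spotbugsRelease spotbugsMain` fails whenever SpotBugs reports an issue (the plugin's ignoreFailures default is false, and as far as the visible `spotbugs {}` block in project-convention-spotbugs.gradle shows it is not overridden, with reportLevel set to "low"), so the SARIF is never uploaded on exactly the runs that contain findings; add `if: always()` to that step, the same guard the `Upload build reports` step removed from android.yml carried. The three actions are referenced by mutable major tags (`actions/checkout@v3`, `actions/setup-java@v3`, `github/codeql-action/upload-sarif@v2`); for a job that holds `security-events: write`, pin each `uses:` to a full commit SHA with the tag in a trailing comment so a moved tag cannot silently change what executes. The Gradle wrapper JAR is run without any integrity check; a `gradle/wrapper-validation-action` step placed before `Build with Gradle` would verify it against the published checksums. The `branches:` filters name `adamve/spotbugs-reports-v3`, which reads as a personal working branch and presumably should become the default branch before merge; note also that the `schedule` trigger only fires from the default branch's copy of this file, and that on `pull_request` runs from forks the token is read-only, so the SARIF upload would fail there regardless of the declared permissions.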
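Review bot: In the build.gradle hunk, `outputLocation` names each report after `project.name`, which Gradle does not require to be unique across nesting levels (`:a:lib` and `:b:lib` are both `lib`), so two subprojects could write the same `build/spotbugs/spotbugs-lib.sarif` and the later task would overwrite the earlier one before the workflow uploads the whole directory; deriving the file name from `project.path`, which is unique, removes that risk, and using `rootProject.layout.buildDirectory.file(...)` keeps the location on the layout API the convention plugin already used for `reportsDir` instead of hard-coding `${project.rootDir}/build`: `outputLocation = rootProject.layout.buildDirectory.file("spotbugs/spotbugs-${project.path.substring(1).replace(':', '-')}.sarif")`. I cannot see the project tree from here, so whether a name clash exists today is unverified. The `subprojects {` block this hunk edits starts and ends outside the hunk.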
+++ b/buildSrc/src/main/groovy/project-convention-spotbugs.gradle
@@ -3,11 +3,11 @@ plugins {
 }
 dependencies {
- spotbugs 'com.github.spotbugs:spotbugs:4.8.0'
+ spotbugs 'com.github.spotbugs:spotbugs:4.8.3'
 spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.12.0'
 compileOnly 'com.google.code.findbugs:jsr305:3.0.2'
- compileOnly 'com.github.spotbugs:spotbugs-annotations:4.8.0'
+ compileOnly 'com.github.spotbugs:spotbugs-annotations:4.8.3'
 testImplementation 'com.google.code.findbugs:jsr305:3.0.2'
 }
@@ -22,6 +22,4 @@ spotbugs {
 effort = "max"
 reportLevel = "low"
-
- reportsDir = project.layout.getBuildDirectory().dir('reports/spotbugs').get().asFile
 }