diff --git a/.github/workflows/third_party_scan.yml b/.github/workflows/third_party_scan.yml
index b1ab739807cda..cbaf2e2b4db83 100644
--- a/.github/workflows/third_party_scan.yml
+++ b/.github/workflows/third_party_scan.yml
@@ -22,5 +22,19 @@ jobs:
 uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
 with:
 python-version: '3.7.7' # install the python version needed
- - name: "execute py script"
+ - name: "extract and flatten deps"
 run: python ci/deps_parser.py
+ - name: "scan deps for vulnerabilities"
+ run: python ci/scan_flattened_deps.py
+ # Upload the results as artifacts.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ with:
+ name: SARIF file
+ path: osvReport.sarif
+ retention-days: 5
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to security tab"
+ uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
+ with:
+ sarif_file: osvReport.sarif
diff --git a/ci/scan_flattened_deps.py b/ci/scan_flattened_deps.py
index 67759b3d710a0..ca400f21dbdec 100644
--- a/ci/scan_flattened_deps.py
+++ b/ci/scan_flattened_deps.py
@@ -33,10 +33,15 @@ sarif_log = { '$schema': 'https://json.schemastore.org/sarif-2.1.0.json', 'version':
- '2.1.0', 'runs': [{
- 'tool': {'driver': {'name': 'OSV Scan', 'rules': []}},
- 'results': []
- }]
+ '2.1.0',
+ 'runs': [{
+ 'tool': {
+ 'driver': {
+ 'name': 'OSV Scan', 'informationUri': 'https://osv.dev/',
+ 'semanticVersion': '1.0.0', 'rules': []
+ }
+ }, 'results': []
+ }]
 }
@@ -49,9 +54,7 @@ def sarif_result():
 'ruleId': 'N/A', 'message': {'text': 'OSV Scan Finding'}, 'locations': [{ 'physicalLocation': {
- 'artifactLocation': {
- 'uri': 'No location associated with this finding'
- },
+ 'artifactLocation': {'uri': 'DEPS'},
 'region': {'startLine': 1, 'startColumn': 1, 'endColumn': 1}
 }
 }]
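Review bot: The new `Upload to security tab` step calls `github/codeql-action/upload-sarif`, which needs the job to hold `security-events: write`; the job's `permissions` block is outside this hunk, so if that scope is not granted (or the workflow runs with a read-only default token) the upload fails after the scan has already completed. Granting it at the job level, `permissions:` / `contents: read` / `security-events: write`, keeps the token scope minimal for the other steps. Both upload steps also run only when `scan_flattened_deps.py` exits zero, so if the script signals findings through a non-zero exit the SARIF would never be published; `if: always()` on the two upload steps, or having the script exit zero once it has written `osvReport.sarif`, avoids that. The job definition begins before this hunk.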
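Review bot: The new `artifactLocation` gives every result the same location, `DEPS` line 1, while `ruleId` on the line above stays `'N/A'`; unless the caller overwrites `ruleId` per finding (the rest of `sarif_result` and its callers are outside this hunk), code scanning may treat results that share a ruleId and primary location as one alert and show only a single finding on the security tab. Setting `ruleId` to the vulnerability id the scan reports and adding a `partialFingerprints` entry derived from it keeps findings distinct, and `region` can remain at line 1 if the DEPS line is not tracked. `sarif_result` begins before this hunk.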
@@ -184,9 +187,8 @@ def get_common_ancestor_commit(dep, deps_list):
 upstream = deps_list.get(UPSTREAM_PREFIX + dep_name)
 temp_dep_dir = DEP_CLONE_DIR + '/' + dep_name
 # clone dependency from mirror
- subprocess.check_output([
- 'git', 'clone', '--quiet', '--', dep[0], temp_dep_dir
- ])
+ subprocess.check_output(['git', 'clone', '--quiet', '--', dep[0], dep_name],
+ cwd=DEP_CLONE_DIR)
 # create branch that will track the upstream dep
 print(
@@ -194,36 +196,30 @@ def get_common_ancestor_commit(dep, deps_list):
 upstream=upstream
 )
 )
- subprocess.check_output([
- 'git', '--git-dir', temp_dep_dir + '/.git', 'remote', 'add', 'upstream',
- upstream
- ])
- subprocess.check_output([
- 'git', '--git-dir', temp_dep_dir + '/.git', 'fetch', '--quiet',
- 'upstream'
- ])
+ subprocess.check_output(['git', 'remote', 'add', 'upstream', upstream],
+ cwd=temp_dep_dir)
+ subprocess.check_output(['git', 'fetch', '--quiet', 'upstream'],
+ cwd=temp_dep_dir)
 # get name of the default branch for upstream (e.g. main/master/etc.)
 default_branch = subprocess.check_output(
- 'git --git-dir ' + temp_dep_dir + '/.git remote show upstream ' +
- "| sed -n \'/HEAD branch/s/.*: //p\'",
+ 'git remote show upstream ' + "| sed -n \'/HEAD branch/s/.*: //p\'",
+ cwd=temp_dep_dir,
 shell=True
 )
 default_branch = byte_str_decode(default_branch)
 default_branch = default_branch.strip()
- print(
- 'default_branch found: {default_branch}'.format(
- default_branch=default_branch
- )
- )
+
 # make upstream branch track the upstream dep
 subprocess.check_output([
- 'git', '--git-dir', temp_dep_dir + '/.git', 'checkout', '-b',
- 'upstream', '--track', 'upstream/' + default_branch
- ])
+ 'git', 'checkout', '--force', '-b', 'upstream', '--track',
+ 'upstream/' + default_branch
+ ],
+ cwd=temp_dep_dir)
 # get the most recent commit from default branch of upstream
 commit = subprocess.check_output(
- 'git --git-dir ' + temp_dep_dir + '/.git for-each-ref ' +
+ 'git for-each-ref ' +
 "--format=\'%(objectname:short)\' refs/heads/upstream",
+ cwd=temp_dep_dir,
 shell=True
 )
 commit = byte_str_decode(commit)
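Review bot: The new checkout line builds `'upstream/' + default_branch` without checking that the `sed` pipeline above actually matched a `HEAD branch` line, so when `git remote show` yields nothing usable (no such line, or a placeholder such as `(unknown)` when the remote advertises no HEAD) the checkout runs against a bogus ref and fails with a much less helpful `CalledProcessError`; add `if not default_branch:` / `raise RuntimeError('could not determine default branch of upstream for ' + dep_name)` right after the `.strip()`. The `for-each-ref` call further down keeps `shell=True` only to quote the `--format` value, which the argv form handles natively: `subprocess.check_output(['git', 'for-each-ref', '--format=%(objectname:short)', 'refs/heads/upstream'], cwd=temp_dep_dir)`. The same applies to the `merge-base` call in the following hunk, where `commit` and `dep[1]` are interpolated into a shell string; `['git', 'merge-base', commit, dep[1]]` with `cwd=temp_dep_dir` passes both values without any shell parsing and matches the list-form calls this hunk introduces. `get_common_ancestor_commit` begins before this hunk and continues after it.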
@@ -231,9 +227,8 @@ def get_common_ancestor_commit(dep, deps_list):
 # perform merge-base on most recent default branch commit and pinned mirror commit
 ancestor_commit = subprocess.check_output(
- 'git --git-dir {temp_dep_dir}/.git merge-base {commit} {depUrl}'.format(
- temp_dep_dir=temp_dep_dir, commit=commit, depUrl=dep[1]
- ),
+ 'git merge-base {commit} {depUrl}'.format(commit=commit, depUrl=dep[1]),
+ cwd=temp_dep_dir,
 shell=True
 )
 ancestor_commit = byte_str_decode(ancestor_commit)