diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 323caac..5a7b193 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -297,7 +297,7 @@ jobs:
 uses: github/codeql-action/upload-sarif@v4
 if: always()
 with:
- sarif_file: bandit-results.json
+ sarif_file: bandit-results.sarif
 continue-on-error: true
 
 # ===========================================================================
diff --git a/Makefile b/Makefile
index 8a4a634..b418fe8 100644
--- a/Makefile
+++ b/Makefile
@@ -409,8 +409,8 @@ ci-build: clean
 ## CI: Security scan
 ci-security:
 @echo "$(GREEN)Running security scan (CI mode)...$(NC)"
- @$(PIP) install bandit safety 2>/dev/null || true
- @bandit -r $(SRC_DIR)/ -f json -o bandit-results.json -ll || true
+ @$(PIP) install bandit bandit-sarif-formatter safety 2>/dev/null || true
+ @bandit -r $(SRC_DIR)/ --format sarif --output bandit-results.sarif -ll || true
 @safety check --json > safety-results.json 2>/dev/null || true
 @echo "$(GREEN)Security scan complete$(NC)"
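Review bot: With `continue-on-error: true` kept on this upload-sarif step, a missing or malformed `bandit-results.sarif` makes the upload fail silently and the job still goes green, so Bandit findings can stop reaching code scanning without anyone noticing; the step's header line is above the hunk. The Makefile target that writes this file swallows its own errors with `|| true`, so the file legitimately may not exist on some runs. I would gate the step on the artifact instead of masking failures: `if: always() && hashFiles('bandit-results.sarif') != ''` and drop `continue-on-error: true`, so a skipped scan is just skipped while a real upload error is visible. Consider `!cancelled()` rather than `always()` as well, so a cancelled job does not still try to upload.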
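Review bot: `--format sarif` only works once the `bandit-sarif-formatter` plugin is actually installed, but the install line discards stderr and ends in `|| true` and the bandit line ends in `|| true` too, so a failed install presumably leaves bandit rejecting the unknown format, no `bandit-results.sarif` written, and the target still printing "Security scan complete". Keep `|| true` on the scan itself (bandit exits non-zero on findings) but fail when nothing was produced by adding, after the bandit line, `@test -s bandit-results.sarif || { echo "bandit wrote no SARIF output" >&2; exit 1; }`. The install is also unpinned (`bandit bandit-sarif-formatter safety` with no versions or hashes), so every CI run pulls whatever PyPI serves that day for the security tooling itself; pin versions or install from a hash-locked requirements file. Recipe-line tabs are not visible in this paste, so confirm the two new lines are tab-indented like the ones they replace.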