diff --git a/.github/workflows/opengrep-precise-full.yml b/.github/workflows/opengrep-precise-full.yml
index 240b40ddd24..272ef734a2e 100644
--- a/.github/workflows/opengrep-precise-full.yml
+++ b/.github/workflows/opengrep-precise-full.yml
@@ -66,5 +66,5 @@ jobs:
         with:
           name: opengrep-full-sarif
           path: .opengrep-out/precise.sarif
-          if-no-files-found: warn
+          if-no-files-found: error
           retention-days: 30
diff --git a/.github/workflows/opengrep-precise.yml b/.github/workflows/opengrep-precise.yml
index 9eee588e96d..44ec9244bdd 100644
--- a/.github/workflows/opengrep-precise.yml
+++ b/.github/workflows/opengrep-precise.yml
@@ -97,5 +97,5 @@ jobs:
         with:
           name: opengrep-pr-diff-sarif
           path: .opengrep-out/precise.sarif
-          if-no-files-found: warn
+          if-no-files-found: error
           retention-days: 30
diff --git a/scripts/run-opengrep.sh b/scripts/run-opengrep.sh
index 1edfdc29bc0..070c1ef1471 100755
--- a/scripts/run-opengrep.sh
+++ b/scripts/run-opengrep.sh
@@ -61,11 +61,13 @@ PATHS_PASSED=0
 SAW_DOUBLE_DASH=0
 CHANGED_ONLY=0
 FAIL_ON_FINDINGS=0
+SARIF_OUTPUT=""
 while (( $# > 0 )); do
   case "$1" in
     --sarif)
       mkdir -p "$REPO_ROOT/.opengrep-out"
-      EXTRA_ARGS+=( "--sarif-output=$REPO_ROOT/.opengrep-out/$BUCKET.sarif" )
+      SARIF_OUTPUT="$REPO_ROOT/.opengrep-out/$BUCKET.sarif"
+      EXTRA_ARGS+=( "--sarif-output=$SARIF_OUTPUT" )
       shift
       ;;
     --json)
@@ -102,6 +104,31 @@ while (( $# > 0 )); do
   esac
 done
 
+write_empty_sarif() {
+  local output="$1"
+
+  mkdir -p "$(dirname "$output")"
+  cat > "$output" <<'JSON'
+{
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Opengrep OSS",
+          "informationUri": "https://opengrep.dev",
+          "semanticVersion": "1.22.0",
+          "rules": []
+        }
+      },
+      "results": []
+    }
+  ]
+}
+JSON
+}
+
 cd "$REPO_ROOT"
 
 if (( CHANGED_ONLY && PATHS_PASSED )); then
@@ -181,6 +208,9 @@ if (( PATHS_PASSED == 0 )); then
     fi
     if (( ${#SCAN_PATHS[@]} == 0 )); then
       echo "→ No changed first-party paths for opengrep." >&2
+      if [[ -n "$SARIF_OUTPUT" ]]; then
+        write_empty_sarif "$SARIF_OUTPUT"
+      fi
       exit 0
     fi
   else
diff --git a/src/scripts/test-projects.test.ts b/src/scripts/test-projects.test.ts
index 78be3511d4a..5540ac5bdb1 100644
--- a/src/scripts/test-projects.test.ts
+++ b/src/scripts/test-projects.test.ts
@@ -862,6 +862,7 @@ describe("test-projects args", () => {
           "src/install-sh-version.test.ts",
           "src/proxy-capture/store.sqlite.test.ts",
           "test/scripts/android-version.test.ts",
+          "test/scripts/render-maturity-docs.test.ts",
           "test/scripts/resolve-openclaw-ref.test.ts",
         ],
         watchMode: false,
diff --git a/test/scripts/ci-workflow-guards.test.ts b/test/scripts/ci-workflow-guards.test.ts
index ce0fa97216a..77702b6f8ee 100644
--- a/test/scripts/ci-workflow-guards.test.ts
+++ b/test/scripts/ci-workflow-guards.test.ts
@@ -6,6 +6,8 @@ import { parse } from "yaml";
 const CHECKOUT_V6 = "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10";
 const CACHE_V5 = "actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae";
 const UPLOAD_ARTIFACT_V7 = "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a";
+const OPENGREP_PR_DIFF_WORKFLOW = ".github/workflows/opengrep-precise.yml";
+const OPENGREP_FULL_WORKFLOW = ".github/workflows/opengrep-precise-full.yml";
 
 function readCiWorkflow() {
   return parse(readFileSync(".github/workflows/ci.yml", "utf8"));
@@ -104,6 +106,34 @@ describe("ci workflow guards", () => {
     expect(findUnpinnedExternalActions()).toEqual([]);
   });
 
+  it("fails OpenGrep SARIF artifact uploads when reports are missing", () => {
+    const cases = [
+      {
+        workflowPath: OPENGREP_PR_DIFF_WORKFLOW,
+        artifactName: "opengrep-pr-diff-sarif",
+      },
+      {
+        workflowPath: OPENGREP_FULL_WORKFLOW,
+        artifactName: "opengrep-full-sarif",
+      },
+    ];
+
+    for (const item of cases) {
+      const workflow = parse(readFileSync(item.workflowPath, "utf8"));
+      const uploadStep = workflow.jobs.scan.steps.find(
+        (step) => step.name === "Upload SARIF as workflow artifact",
+      );
+
+      expect(uploadStep.if, item.workflowPath).toBe("always()");
+      expect(uploadStep.uses, item.workflowPath).toBe(UPLOAD_ARTIFACT_V7);
+      expect(uploadStep.with, item.workflowPath).toMatchObject({
+        name: item.artifactName,
+        path: ".opengrep-out/precise.sarif",
+        "if-no-files-found": "error",
+      });
+    }
+  });
+
   it("runs real behavior proof from the trusted workflow revision", () => {
     const workflow = readRealBehaviorProofWorkflow();
     const source = readFileSync(".github/workflows/real-behavior-proof.yml", "utf8");
diff --git a/test/scripts/run-opengrep.test.ts b/test/scripts/run-opengrep.test.ts
index 0bf04c04937..034f46866a9 100644
--- a/test/scripts/run-opengrep.test.ts
+++ b/test/scripts/run-opengrep.test.ts
@@ -68,6 +68,53 @@ describe("run-opengrep.sh", () => {
     expect(args).toContain("security/opengrep/precise.yml");
   });
 
+  it("writes empty SARIF when a changed scan has no first-party paths", () => {
+    const repo = createTempDir("openclaw-run-opengrep-empty-sarif-");
+    git(repo, "init", "-q");
+    git(repo, "config", "user.email", "test@example.com");
+    git(repo, "config", "user.name", "Test User");
+
+    copyRunOpengrepFiles(repo);
+    writeFile(path.join(repo, "security/opengrep/precise.yml"), "rules: []\n");
+    writeFile(path.join(repo, ".github/actions/ensure-base-commit/action.yml"), "name: ensure\n");
+    git(repo, "add", ".");
+    git(repo, "commit", "-qm", "initial");
+
+    fs.appendFileSync(path.join(repo, ".github/actions/ensure-base-commit/action.yml"), "# changed\n");
+    const argsPath = path.join(repo, "opengrep-args.txt");
+    const binDir = path.join(repo, "bin");
+    fs.mkdirSync(binDir);
+    writeFile(
+      path.join(binDir, "opengrep"),
+      [
+        "#!/usr/bin/env bash",
+        `printf '%s\\n' "$@" > ${JSON.stringify(argsPath)}`,
+        "exit 0",
+        "",
+      ].join("\n"),
+    );
+    fs.chmodSync(path.join(binDir, "opengrep"), 0o755);
+
+    execFileSync("bash", ["scripts/run-opengrep.sh", "--changed", "--sarif", "--error"], {
+      cwd: repo,
+      env: {
+        ...process.env,
+        PATH: `${binDir}${path.delimiter}${process.env.PATH ?? ""}`,
+        OPENCLAW_OPENGREP_BASE_REF: "HEAD",
+      },
+      encoding: "utf8",
+    });
+
+    const sarif = JSON.parse(
+      fs.readFileSync(path.join(repo, ".opengrep-out/precise.sarif"), "utf8"),
+    );
+    expect(sarif.version).toBe("2.1.0");
+    expect(sarif.runs[0].tool.driver.name).toBe("Opengrep OSS");
+    expect(sarif.runs[0].tool.driver.semanticVersion).toBe("1.22.0");
+    expect(sarif.runs[0].results).toEqual([]);
+    expect(fs.existsSync(argsPath)).toBe(false);
+  });
+
   it("scans PR files instead of main-only files when the payload base is stale", () => {
     const repo = createTempDir("openclaw-run-opengrep-merge-");
     git(repo, "init", "-q", "--initial-branch=main");