
Classify Code Scanning alerts with Security Severities #99

Open
CallMeGreg opened this issue Oct 5, 2023 · 0 comments


The SARIF spec allows for a properties field (Property bag object) within any object in the spec. For GitHub Code Scanning specifically, if a properties array is added to each of the rules objects, the properties.security-severity field can be included to change the GitHub Code Scanning severity values to be more in line with other security tools (Critical, High, Medium, Low) instead of quality tools (Error, Warning, Note).

More on those SARIF-compliant, GitHub-specific fields can be found here.

This would allow developers who are reviewing the findings in GitHub to consider KICS results in line with other AppSec tools, instead of being anchored behind all of the "Security" related findings.

Here's an example of what an updated SARIF file would look like, where this rule would now be classified in GitHub Code Scanning as a Critical severity alert instead of an Error severity alert:

[Image: example of the updated SARIF file]

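The following is an added example, not code from KICS or from GitHub, of the transformation the issue asks for: walking `runs[].tool.driver.rules` in a SARIF log and setting `properties.security-severity` on each rule (`properties` is a SARIF property bag, a JSON object, so the score is a string-valued key on it). The score bands are GitHub's documented ones (critical 9.0 and above, high 7.0 to 8.9, medium 4.0 to 6.9, low 0.1 to 3.9). The SARIF log and the per-rule severity labels are constructed for illustration; a real integration would take the labels from the scanner's own rule metadata. It also includes the check a reviewer would want: results whose `ruleId` does not resolve to a scored rule keep only the quality-style level.

```python
"""Add GitHub Code Scanning security-severity scores to SARIF rule objects.

Added example (not KICS or GitHub code). Assumes the scanner's own severity
labels per rule are available; here they are a constructed dict keyed by rule id.
"""
import copy
import json
import sys

# GitHub's documented bands for properties.security-severity, a 0.0-10.0 score
# serialised as a string: critical >= 9.0, high 7.0-8.9, medium 4.0-6.9, low 0.1-3.9.
SEVERITY_SCORES = {"CRITICAL": "9.5", "HIGH": "8.0", "MEDIUM": "5.5", "LOW": "2.0"}

# Fallback when the scanner gives no label: derive one from the quality-style
# SARIF level, which is all GitHub would otherwise display (error/warning/note).
LEVEL_FALLBACK = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "LOW"}

# Constructed sample log (not real KICS output): two rules, two results, one of
# which references a rule id that is absent from the rules array.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-iac-scanner",
            "rules": [
                {"id": "example/open-security-group",
                 "shortDescription": {"text": "Security group allows 0.0.0.0/0"},
                 "defaultConfiguration": {"level": "error"}},
                {"id": "example/missing-resource-tag",
                 "shortDescription": {"text": "Resource has no owner tag"},
                 "defaultConfiguration": {"level": "warning"}},
            ]}},
        "results": [
            {"ruleId": "example/open-security-group", "ruleIndex": 0, "level": "error",
             "message": {"text": "Ingress open to the world"}},
            {"ruleId": "example/unknown-rule", "level": "error",
             "message": {"text": "Result whose rule is not in the rules array"}},
        ],
    }],
}

# Hypothetical scanner-provided labels, keyed by rule id (constructed).
RULE_SEVERITY = {"example/open-security-group": "CRITICAL"}


def add_security_severity(sarif, rule_severity, overwrite=False):
    """Return a copy of `sarif` with properties.security-severity on every rule.

    Rules already carrying a score are left alone unless `overwrite` is true;
    rules without a scanner label fall back to their defaultConfiguration.level.
    """
    out = copy.deepcopy(sarif)
    for run in out.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            props = rule.setdefault("properties", {})  # SARIF property bag (object)
            if "security-severity" in props and not overwrite:
                continue
            label = rule_severity.get(rule.get("id"))
            if label is None:
                level = rule.get("defaultConfiguration", {}).get("level", "warning")
                label = LEVEL_FALLBACK.get(level, "MEDIUM")
            props["security-severity"] = SEVERITY_SCORES[label.upper()]
    return out


def github_band(score):
    """Map a security-severity score string to the band GitHub displays."""
    value = float(score)
    if not 0.0 <= value <= 10.0:
        raise ValueError(f"security-severity out of range: {score}")
    if value >= 9.0:
        return "critical"
    if value >= 7.0:
        return "high"
    if value >= 4.0:
        return "medium"
    return "low"


def unclassified_results(sarif):
    """Sorted rule ids used by results that no scored rule object covers.

    GitHub reads the score from the rule, so such results keep only the
    quality-style level. Run this after scoring to catch unresolvable ruleIds.
    """
    missing = set()
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        scored = {r.get("id") for r in rules if "security-severity" in r.get("properties", {})}
        for result in run.get("results", []):
            if result.get("ruleId") not in scored:
                missing.add(result.get("ruleId"))
    return sorted(missing)


if __name__ == "__main__":
    # Usage: python add_severity.py [input.sarif] > output.sarif
    sarif = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    scored = add_security_severity(sarif, RULE_SEVERITY)
    for rid in unclassified_results(scored):
        print(f"warning: no scored rule for ruleId {rid!r}", file=sys.stderr)
    json.dump(scored, sys.stdout, indent=2)
```

The score values inside each band are a choice; what matters for the developer reviewing alerts is which band they land in, so `github_band` is the quickest way to confirm a rule will surface as Critical rather than Error before the file is uploaded.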