
CodeQL code scanning: annotate alerts with additional security severity indicator (Cloud)  #156

@github-product-roadmap


Summary

Every security alert that is flagged up by GitHub code scanning will soon be annotated with a security-specific severity level: low, medium, high, or critical. These security-specific severity levels will be displayed in addition to the current regular severity levels (as per the SARIF standard). Our own CodeQL analysis engine will provide these new security severity levels for security-related queries, and our integration partners can do the same.

Intended Outcome

The new security severity levels will be prominently displayed in the code scanning user interface, and will make it easier for our users to assess the potential security impact of a code scanning alert.

How will it work?

Code scanning alerts and associated security severity levels are produced by an analysis engine (e.g. CodeQL). The results and metadata are stored in SARIF result files, which are subsequently uploaded to and displayed in the code scanning interface within GitHub.
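To show how the two severities travel together in a SARIF file, here is an added example (not code from GitHub or from this roadmap item) that reads a constructed SARIF 2.1.0 document and reports, per result, the regular SARIF `level` alongside the security severity bucket. The `security-severity` rule property and the numeric thresholds used to bucket it into low/medium/high/critical are assumptions of this example, not values stated on the page.

```python
import json
from typing import List, Optional, Tuple

# Constructed sample SARIF 2.1.0 document: two rules, two results.
# ASSUMPTION: the security score lives in the rule's `security-severity`
# property as a 0-10 number; the page itself names no property.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleAnalyzer", "rules": [
            {"id": "js/sql-injection",
             "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": "8.8"}},
            {"id": "js/unused-variable",
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "js/sql-injection", "level": "error",
             "message": {"text": "Query built from user-controlled input."}},
            {"ruleId": "js/unused-variable",
             "message": {"text": "Variable is never read."}},
        ],
    }],
})

def bucket(score: float) -> str:
    """Map a 0-10 score to a security severity. Thresholds are ASSUMED."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def severities(sarif_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (ruleId, sarif_level, security_severity) per result.

    The SARIF level falls back to the rule's defaultConfiguration and then to
    the spec default "warning"; security severity is None for non-security
    rules, which is how a triage view can tell the two scales apart.
    """
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            raw = rule.get("properties", {}).get("security-severity")
            sec = bucket(float(raw)) if raw is not None else None
            out.append((res["ruleId"], level, sec))
    return out
```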

Labels: GitHub Advanced Security (GHAS) (Product SKU: GitHub Advanced Security), cloud (Available on Cloud), codeql (Feature: GitHub codeql), ga (Feature phase: Generally available), shipped (Shipped)
