New severity levels for security alerts
We now show security-severity levels for CodeQL security alerts in code scanning. These levels help you understand in more detail the risks posed by security alerts, allowing you to assess the potential impact of the alerts and make the right decision on which alerts to fix first. The severity level of security alerts can be critical, high, medium, or low.

The new security-severity levels are displayed on all security alerts. For example, if a PR triggers security alerts, the security-severity is visible on the alert annotations under the Files changed tab. You can also see the security-severity for each alert present in a repository by clicking Security > Code scanning alerts.
About security severity levels
Security severity levels are displayed on code scanning alerts that are generated by security queries. CodeQL automatically calculates security-severity levels and assigns an exact numerical score to each security query. To calculate the security-severity of an alert, we first group all CVEs reported by the CWEs assigned to the security query. We then calculate the 75th percentile of the CVSS score for those CVEs. Finally, we translate numerical scores to critical, high, medium, or low using the following definitions:
Severity | Score Range
---------|------------
None     | 0.0
Low      | 0.1 – 3.9
Medium   | 4.0 – 6.9
High     | 7.0 – 8.9
Critical | 9.0 – 10.0
Defining which security-severity levels cause pull request check failure
By default, any code scanning alerts with a security-severity of critical or high will cause pull request check failure. You can specify which security-severity level for code scanning results should cause check failure by going to the Security & Analysis tab in the repository settings.
Severity levels for non-security alerts
Severity levels for non-security alerts remain as error, warning, or note. By default, any code scanning results with the severity of error will cause check failure. You can change this setting using the dropdown on the Security & Analysis tab in the repository settings. The dropdown offers two selections, one applying to security alerts and one to non-security alerts.
Security severity levels in the code scanning API
You can also access security_severity_level data for security queries using the /alerts endpoint of the code scanning API.
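The check-failure rules described in the two sections above can be evaluated offline against the alert data the API returns. The following Python script is an added example, not GitHub's code: it runs over a constructed list shaped like the objects returned by the code scanning alerts endpoint (the /alerts endpoint the post refers to, GET /repos/{owner}/{repo}/code-scanning/alerts in full; rule.security_severity_level and rule.severity are the fields it reads) and reports which open alerts would fail a pull request check under a given pair of thresholds. It assumes that security alerts are judged only against the security-severity threshold and non-security alerts only against the error/warning/note threshold, and that only open alerts count; the alert numbers, rule ids and states are constructed.

```python
"""
Added example (not GitHub's own code): decide which code scanning alerts would
fail a pull request check, using the two thresholds the repository settings
expose (one for security alerts, one for non-security alerts).
"""

# Ordered from least to most severe, matching the level names in the post.
SECURITY_LEVELS = ["low", "medium", "high", "critical"]
NON_SECURITY_LEVELS = ["note", "warning", "error"]

# Constructed sample shaped like objects from the code scanning alerts API.
# Alert numbers, rule ids and states are made up for this example; a null
# security_severity_level marks an alert from a non-security query.
CONSTRUCTED_ALERTS = [
    {"number": 1, "state": "open",
     "rule": {"id": "example/reflected-xss", "severity": "error",
              "security_severity_level": "high"}},
    {"number": 2, "state": "open",
     "rule": {"id": "example/sql-injection", "severity": "error",
              "security_severity_level": "critical"}},
    {"number": 3, "state": "open",
     "rule": {"id": "example/unused-variable", "severity": "warning",
              "security_severity_level": None}},
    {"number": 4, "state": "fixed",
     "rule": {"id": "example/sql-injection", "severity": "error",
              "security_severity_level": "critical"}},
    {"number": 5, "state": "open",
     "rule": {"id": "example/log-injection", "severity": "error",
              "security_severity_level": "medium"}},
    {"number": 6, "state": "open",
     "rule": {"id": "example/regex-dos", "severity": "error",
              "security_severity_level": "high"}},
    {"number": 7, "state": "open",
     "rule": {"id": "example/todo-comment", "severity": "note",
              "security_severity_level": None}},
]


def is_security_alert(alert: dict) -> bool:
    """Security queries carry a security_severity_level; other queries return null."""
    return alert["rule"].get("security_severity_level") is not None


def meets_threshold(level: str, threshold: str, scale: list) -> bool:
    """True when `level` is at least as severe as `threshold` on the given scale."""
    if level not in scale or threshold not in scale:
        raise ValueError(f"unknown level {level!r} or threshold {threshold!r}")
    return scale.index(level) >= scale.index(threshold)


def failing_alerts(alerts, security_threshold="high", non_security_threshold="error"):
    """Return the numbers of open alerts that would fail the check.

    The defaults mirror the post: security alerts of high or critical fail,
    and non-security alerts with severity error fail. Assumption: security
    alerts are judged only by security-severity, and only open alerts count.
    """
    failing = []
    for alert in alerts:
        if alert.get("state") != "open":
            continue  # fixed or dismissed alerts do not affect the check
        rule = alert["rule"]
        if is_security_alert(alert):
            hit = meets_threshold(rule["security_severity_level"],
                                  security_threshold, SECURITY_LEVELS)
        else:
            hit = meets_threshold(rule["severity"],
                                  non_security_threshold, NON_SECURITY_LEVELS)
        if hit:
            failing.append(alert["number"])
    return failing


def count_by_security_level(alerts):
    """Tally open security alerts per level, for a quick triage overview."""
    counts = {level: 0 for level in SECURITY_LEVELS}
    for alert in alerts:
        if alert.get("state") == "open" and is_security_alert(alert):
            counts[alert["rule"]["security_severity_level"]] += 1
    return counts


if __name__ == "__main__":
    print("default thresholds fail:", failing_alerts(CONSTRUCTED_ALERTS))
    print("medium or higher fails:",
          failing_alerts(CONSTRUCTED_ALERTS, security_threshold="medium"))
    print("open security alerts by level:", count_by_security_level(CONSTRUCTED_ALERTS))
```

Lowering the security threshold to medium is the setting a team would use to also block the log-injection alert above, while leaving the non-security threshold at error keeps warnings and notes from blocking merges.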
How to add security-severity to a CodeQL query
You can add the expected security-severity level to your custom security queries by adding the numerical score to the @security-severity query metadata property in the .ql file.
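As an added example (not code from GitHub or the CodeQL project), the following Python script carries the calculation described under "About security severity levels" through and writes the result into a query header: it collects the CVEs tagged with a query's CWEs from a constructed, obviously fake CVE list, takes the 75th percentile of their CVSS scores, maps the score to a level using the table above, and renders the @security-severity line for a .ql file. The post does not say which percentile convention CodeQL uses or where it sources CVE data, so the linear-interpolation percentile, the CVE records and the query names are assumptions; the other metadata keys in the rendered header (@name, @kind, @problem.severity, @id, @tags) follow standard CodeQL query metadata conventions and are not taken from the post.

```python
"""
Added example (not code from GitHub or the CodeQL project): derive a
security-severity score for a custom query from the CVEs reported against its
CWEs, map it to a level, and render the @security-severity metadata line.
"""


def score_to_level(score: float) -> str:
    """Map a numerical score to a level using the post's table.

    CVSS scores carry one decimal, so the gaps between bands (3.9 to 4.0,
    and so on) never occur for real scores.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def percentile(values, p: float) -> float:
    """Percentile with linear interpolation between ranks (numpy's default).

    Assumption: the post does not say which convention CodeQL uses.
    """
    xs = sorted(values)
    if not xs:
        raise ValueError("no values")
    rank = (len(xs) - 1) * p
    lo = int(rank)
    hi = min(lo + 1, len(xs) - 1)
    return xs[lo] + (xs[hi] - xs[lo]) * (rank - lo)


# Constructed CVE records: ids, CWE tags and scores are made up for this example.
CONSTRUCTED_CVES = [
    {"id": "CVE-EXAMPLE-0001", "cwes": ["CWE-079"], "cvss": 6.1},
    {"id": "CVE-EXAMPLE-0002", "cwes": ["CWE-079"], "cvss": 5.4},
    {"id": "CVE-EXAMPLE-0003", "cwes": ["CWE-079", "CWE-116"], "cvss": 7.3},
    {"id": "CVE-EXAMPLE-0004", "cwes": ["CWE-079"], "cvss": 4.8},
    {"id": "CVE-EXAMPLE-0005", "cwes": ["CWE-089"], "cvss": 9.9},
    {"id": "CVE-EXAMPLE-0006", "cwes": ["CWE-089"], "cvss": 8.8},
    {"id": "CVE-EXAMPLE-0007", "cwes": ["CWE-089"], "cvss": 9.1},
    {"id": "CVE-EXAMPLE-0008", "cwes": ["CWE-116"], "cvss": 3.1},
]


def query_security_severity(query_cwes, cves):
    """Group the CVEs reported against any of the query's CWEs (a CVE tagged
    with two of them is counted once), then take the 75th percentile of their
    CVSS scores, rounded to one decimal. Returns None when no CVE matches."""
    wanted = set(query_cwes)
    matched = {c["id"]: c["cvss"] for c in cves if wanted & set(c["cwes"])}
    if not matched:
        return None
    return round(percentile(matched.values(), 0.75), 1)


def ql_metadata_header(name: str, query_id: str, query_cwes, score: float) -> str:
    """Render a .ql doc-comment header carrying the computed score.

    Keys other than @security-severity follow CodeQL query metadata
    conventions; the CWE tags use the external/cwe/cwe-NNN form.
    """
    tags = ["security"] + [f"external/cwe/{cwe.lower()}" for cwe in query_cwes]
    lines = [
        "/**",
        f" * @name {name}",
        " * @kind problem",
        " * @problem.severity error",
        f" * @security-severity {score:.1f}",
        f" * @id {query_id}",
        f" * @tags {tags[0]}",
    ] + [f" *       {tag}" for tag in tags[1:]] + [" */"]
    return "\n".join(lines)


if __name__ == "__main__":
    cwes = ["CWE-079"]
    score = query_security_severity(cwes, CONSTRUCTED_CVES)
    print(f"score {score} -> {score_to_level(score)}")
    print(ql_metadata_header("Example reflected XSS query", "example/reflected-xss", cwes, score))
```

Deduplicating by CVE id matters when a query carries several CWE tags: a CVE classified under two of them would otherwise be counted twice and pull the percentile toward its own score.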
The new security-severity levels for security queries have been deployed to GitHub.com. These improvements will also be available in GitHub Enterprise Server 3.2.
Learn more about CodeQL and code scanning by reading the documentation.