CodeQL code scanning: annotate alerts with additional security severity indicator (Server) #194
Labels: codeql (Feature: GitHub codeql), ga (Feature phase: Generally available), github advanced security (Product SKU: GitHub Advanced Security), security & compliance (Feature area: Code security and compliance), server (Available on Server), shipped (Shipped)
github-product-roadmap commented May 12, 2021
Summary
Every security alert that is flagged up by GitHub code scanning will soon be annotated with a security-specific severity level: low, medium, high, or critical. These security-specific severity levels will be displayed in addition to the current regular severity levels (as per the SARIF standard). Our own CodeQL analysis engine will provide these new security severity levels for security-related queries, and our integration partners can do the same.
Intended Outcome
The new security severity levels will be prominently displayed in the code scanning user interface, and will make it easier for our users to assess the potential security impact of a code scanning alert.
How will it work?
Code scanning alerts and associated security severity levels are produced by an analysis engine (e.g. CodeQL). The results and metadata are stored in SARIF result files, which are subsequently uploaded to and displayed in the code scanning interface within GitHub.
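As an added illustration (not code from the roadmap item or from GitHub), a Python pass over a SARIF result file that reports, for each alert, the regular SARIF level beside the security severity band. It assumes the rule-level `security-severity` property and the score bands GitHub documents for it (critical 9.0 and above, high 7.0 to 8.9, medium 4.0 to 6.9, low below 4.0); the SARIF content is constructed.

```python
import json
from typing import Optional

# Constructed SARIF 2.1.0 fragment (not from the issue): one rule carrying the
# regular SARIF level plus a numeric "security-severity" score, and one rule
# without the score so the missing case is exercised too.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer", "rules": [
            {"id": "js/sql-injection",
             "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": "8.8"}},
            {"id": "js/unused-variable",
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "js/sql-injection", "ruleIndex": 0, "level": "error"},
            {"ruleId": "js/unused-variable", "ruleIndex": 1},
        ],
    }],
})


def security_band(score: float) -> str:
    """Assumed score bands: GitHub's documented mapping for security-severity."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def summarize(sarif_text: str) -> list:
    """One record per result: regular SARIF level plus security band (None if absent)."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r.get("id"): r for r in rules}
        for res in run.get("results", []):
            # Resolve the rule via ruleIndex when present, otherwise by ruleId.
            rule = rules[res["ruleIndex"]] if "ruleIndex" in res else by_id.get(res.get("ruleId"), {})
            # Regular severity: a result-level "level" overrides the rule default; SARIF's default is "warning".
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            raw: Optional[str] = rule.get("properties", {}).get("security-severity")
            band = security_band(float(raw)) if raw is not None else None
            out.append({"ruleId": res.get("ruleId"), "level": level, "security_severity": band})
    return out
```

Alerts whose rule carries no score keep only the regular level, which is how non-security queries (such as the unused-variable rule above) appear alongside security-related ones.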