New severity levels for security alerts
We now show `security-severity` levels for CodeQL security alerts in code scanning. `security-severity` levels help you understand in more detail the risks posed by security alerts, allowing you to assess the potential impact of each alert and decide which alerts to fix first. The severity level of a security alert can be `critical`, `high`, `medium`, or `low`.
The new `security-severity` levels are displayed on all security alerts. For example, if a PR triggers security alerts, the `security-severity` is visible on the alert annotations under the Files changed tab. You can also see the `security-severity` for each alert present in a repository by clicking Security > Code scanning alerts.
About security severity levels
Security severity levels are displayed on code scanning alerts that are generated by security queries.
CodeQL automatically calculates `security-severity` levels and assigns an exact numerical score to each security query. To calculate the `security-severity` of an alert, we first group all CVEs reported by the CWEs assigned to the security query. We then calculate the 75th percentile of the CVSS score for those CVEs. Finally, we translate numerical scores to `critical`, `high`, `medium`, or `low` using the following definitions:
| Severity | Score Range |
|---|---|
| None | 0.0 |
| Low | 0.1 – 3.9 |
| Medium | 4.0 – 6.9 |
| High | 7.0 – 8.9 |
| Critical | 9.0 – 10.0 |
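The calculation described above, worked through in Python as an added example (this is not CodeQL's own code). It groups constructed CVE records by CWE, deduplicates CVEs that are listed under more than one CWE, takes the 75th percentile of their CVSS scores, and maps the result onto the table. The percentile method (linear interpolation between sorted neighbours) and the CVE identifiers and scores are assumptions; the page does not name the method CodeQL uses.

```python
import math

# Constructed sample: CVSS base scores of CVEs reported under the CWEs that a
# hypothetical SQL-injection query is tagged with. CVE ids are placeholders.
# CVE-0000-0006 appears under both CWEs and must only be counted once.
SAMPLE_CVES_BY_CWE = {
    "CWE-89":  {"CVE-0000-0001": 9.8, "CVE-0000-0002": 7.5, "CVE-0000-0006": 8.8},
    "CWE-564": {"CVE-0000-0003": 6.1, "CVE-0000-0004": 5.3, "CVE-0000-0005": 9.2,
                "CVE-0000-0006": 8.8, "CVE-0000-0007": 4.3, "CVE-0000-0008": 7.2},
}


def cvss_75th_percentile(scores):
    """75th percentile of a list of CVSS scores.

    Assumption: linear interpolation between the two nearest sorted values
    (the same convention as numpy's default). Returns None for no data.
    """
    if not scores:
        return None
    ordered = sorted(scores)
    rank = 0.75 * (len(ordered) - 1)   # zero-based fractional rank
    lo, hi = math.floor(rank), math.ceil(rank)
    frac = rank - lo
    return ordered[lo] + frac * (ordered[hi] - ordered[lo])


def security_severity_level(score):
    """Map a numerical score onto the page's table of severity levels."""
    if score is None:
        return None
    score = round(score, 1)            # the table is expressed in tenths
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def query_security_severity(cves_by_cwe):
    """Compute (level, score) for a query from the CVEs of its CWEs.

    CVEs are merged by id across CWEs so a CVE tagged with two of the
    query's CWEs is not double-counted in the percentile.
    """
    merged = {}
    for cve_scores in cves_by_cwe.values():
        merged.update(cve_scores)
    score = cvss_75th_percentile(list(merged.values()))
    return security_severity_level(score), score


if __name__ == "__main__":
    level, score = query_security_severity(SAMPLE_CVES_BY_CWE)
    print(f"security-severity {score:.1f} -> {level}")
```

With the constructed sample the eight distinct CVEs give a 75th percentile of 8.9, which lands in the `High` band; counting the duplicated CVE twice would have shifted the percentile to 8.8, which is why the merge step matters.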
Defining which `security-severity` levels cause pull request check failure
By default, any code scanning alerts with a `security-severity` of `critical` or `high` will cause pull request check failure. You can specify which `security-severity` level for code scanning results should cause check failure by going to the Security & Analysis tab in the repository settings.
Severity levels for non-security alerts
Severity levels for non-security alerts remain `error`, `warning`, or `note`. By default, any code scanning results with the severity of `error` will cause check failure. You can change this setting using the dropdown on the Security & Analysis tab in the repository settings. It allows two selections that apply to the security and non-security alerts respectively.
Security severity levels in the code scanning API
You can also access `security_severity_level` data for security queries using the `/alerts` endpoint of the code scanning API.
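As an added example (not GitHub's code), the following Python reproduces the two check-failure settings described in the preceding sections over a constructed `/alerts`-style response: security alerts are judged against a `security-severity` threshold, non-security alerts against an `error`/`warning`/`note` threshold. The JSON shape (with `security_severity_level` and `severity` nested under `rule`), the rule ids and the decision to ignore alerts that are not `open` are assumptions made for the example.

```python
import json

# Constructed sample modelled on a code scanning /alerts response.
# Assumption: severity fields live under "rule"; ids are illustrative only.
SAMPLE_ALERTS_JSON = """[
  {"number": 1, "state": "open",
   "rule": {"id": "js/sql-injection", "severity": "error", "security_severity_level": "high"}},
  {"number": 2, "state": "open",
   "rule": {"id": "js/unused-local-variable", "severity": "note", "security_severity_level": null}},
  {"number": 3, "state": "open",
   "rule": {"id": "js/xss", "severity": "error", "security_severity_level": "medium"}},
  {"number": 4, "state": "open",
   "rule": {"id": "js/code-injection", "severity": "error", "security_severity_level": "critical"}},
  {"number": 5, "state": "open",
   "rule": {"id": "js/useless-assignment", "severity": "warning", "security_severity_level": null}},
  {"number": 6, "state": "fixed",
   "rule": {"id": "js/path-injection", "severity": "error", "security_severity_level": "high"}},
  {"number": 7, "state": "open",
   "rule": {"id": "example/non-security-error", "severity": "error", "security_severity_level": null}}
]"""

# Ordering of the two severity scales; higher rank is more severe.
SECURITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
NON_SECURITY_RANK = {"note": 1, "warning": 2, "error": 3}


def load_alerts(json_text):
    """Parse the JSON body of an /alerts response into a list of dicts."""
    return json.loads(json_text)


def failing_alerts(alerts, security_threshold="high", non_security_threshold="error"):
    """Return the sorted numbers of open alerts that would fail a PR check.

    security_threshold: lowest security-severity that fails the check;
        the default "high" fails high and critical, as the page describes.
    non_security_threshold: lowest error/warning/note severity that fails;
        the default "error" matches the page's default.
    Assumption: alerts whose state is not "open" are ignored.
    """
    sec_min = SECURITY_RANK[security_threshold]
    non_sec_min = NON_SECURITY_RANK[non_security_threshold]
    failing = []
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        rule = alert["rule"]
        sec_level = rule.get("security_severity_level")
        if sec_level is not None:
            # Security query: judged on the security-severity scale only.
            if SECURITY_RANK[sec_level] >= sec_min:
                failing.append(alert["number"])
        elif NON_SECURITY_RANK[rule["severity"]] >= non_sec_min:
            # Non-security query: judged on error/warning/note.
            failing.append(alert["number"])
    return sorted(failing)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    print("default settings fail:", failing_alerts(alerts))
    print("medium/warning settings fail:",
          failing_alerts(alerts, "medium", "warning"))
```

Under the default settings only the `high` and `critical` security alerts and the `error` non-security alert block the check; lowering the security threshold to `medium` pulls in the XSS alert, and lowering the non-security threshold to `warning` pulls in the useless-assignment one.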
How to add `security-severity` to a CodeQL query
You can add the expected `security-severity` level to your custom security queries by adding the numerical score to the `@security-severity` query metadata property in the `.ql` file.
The new `security-severity` levels for security queries have been deployed to GitHub.com. These improvements will also be available in GitHub Enterprise Server 3.2.
Learn more about CodeQL and code scanning by reading the documentation.