New severity levels for security alerts
We now show
security-severity levels for CodeQL security alerts in code scanning.
security-severity levels help you understand in more detail the risks posed by security alerts, allowing you to assess the potential impact of the alerts, and make the right decision on which alerts to fix first. The severity level of security alerts can be
security-severity levels are displayed on all security alerts. For example, if a PR triggers security alerts, the
security-severity is visible on the alert annotations under the Files changed tab. You can also see the
security-severity for each alert present in a repository by clicking Security > Code scanning alerts.
About security severity levels
Security severity levels are displayed on code scanning alerts that are generated by security queries.
CodeQL automatically calculates
security-severity levels and assigns an exact numerical score to each security query. To calculate the
security-severity of an alert, we first group all CVEs reported by the CWEs assigned to the security query. We then calculate the 75th percentile of the CVSS score for those CVEs. Finally, we translate numerical scores to
low using the following definitions:
|Low||0.1 – 3.9|
|Medium||4.0 – 6.9|
|High||7.0 – 8.9|
|Critical||9.0 – 10.0|
security-severity levels cause pull request check failure
By default, any code scanning alerts with a
high will cause pull request check failure. You can specify which
security-severity level for code scanning results should cause check failure by going to the Security & Analysis tab in the repository settings.
Severity levels for non-security alerts
Severity levels for non-security alerts remain as
note. By default, any code scanning results with the severity of
error will cause check failure. You can change this setting using the dropdown on the Security & Analysis tab in the repository settings. It allows two selections that apply to the security and non-security alerts.
Security severity levels in the code scanning API
You can also access
security_severity_level data for security queries using the
/alerts endpoint of the code scanning API.
How to add
security-severity to a CodeQL query
You can add the expected
security-severity level to the your custom security queries by adding the numerical score to the
@security-severity query metadata property in the .ql file.
security-severity levels for security queries have been deployed to GitHub.com. These improvements will also be available in GitHub Enterprise Server 3.2.
Learn more about CodeQL and code scanning by reading the documentation.