feat(sarif): emit GitHub security-severity so Code Scanning ranks findings by severity#33
Open
dmchaledev wants to merge 1 commit into
Open
feat(sarif): emit GitHub security-severity so Code Scanning ranks findings by severity#33dmchaledev wants to merge 1 commit into
security-severity so Code Scanning ranks findings by severity#33dmchaledev wants to merge 1 commit into
Conversation
GitHub Code Scanning reads the `security-severity` property from each rule's `properties` bag to assign the Critical/High/Medium/Low badge in the Security tab and to drive severity-based alert filtering and branch-protection rules. Without it, GitHub can only rank by SARIF `level`, so CRITICAL and HIGH findings (both `error`) are indistinguishable and severity gates can't target them — undermining the headline "Output SARIF for GitHub Code Scanning" feature. Map each Severity to GitHub's documented bands (9.0+ critical, 7.0-8.9 high, 4.0-6.9 medium, <4.0 low) and emit it on every SARIF rule. Adds unit tests covering the property and the full severity-to-score mapping. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01DQNF4ehRBdHf8AJxj5vvao
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The headline SARIF feature — "Output SARIF for GitHub Code Scanning" (README) — emits results without the
security-severityproperty that GitHub uses to rank alerts. As a result, every finding collapses to its SARIFlevel: a CRITICALNO_AUTHand a HIGHOVERPRIVILEGED_TOOLboth serialize aslevel: "error"and become indistinguishable in the GitHub Security tab. The scanner computes a rich five-level severity model, but none of that severity signal survives into Code Scanning.GitHub's SARIF support docs state that the Critical/High/Medium/Low badge — and severity-based alert filtering / branch-protection thresholds (e.g. "block merge on critical alerts") — are driven by a numeric
security-severitystring (0.0–10.0) in each rule'spropertiesbag, not by the SARIFlevel. Without it, a "fail on critical" workflow on the GitHub side has nothing to target.The change
src/sarif.ts: map eachSeverityto GitHub's documented bands and emit it on every SARIF rule.security-severity9.0>= 9.0→ critical8.07.0–8.9→ high5.04.0–6.9→ medium2.0< 4.0→ low0.0Verified against the built CLI on
examples/vulnerable-config.json:Scope & safety
src/sarif.ts(one new mapping function + one field onSarifRule); no behavior change to scanning, scoring, or the JSON/table outputs.propertiesis an optional field; existing SARIF consumers ignore unknown properties.npx tsc --noEmit,npm run lint, andnpm testall green (120 tests, +2 new covering the property and the full severity→score mapping).Acceptance criteria
properties["security-severity"].🤖 Generated with Claude Code
https://claude.ai/code/session_01DQNF4ehRBdHf8AJxj5vvao
Generated by Claude Code