The SARIF spec allows a properties field (a property bag object) on any object in the spec. For GitHub Code Scanning specifically, if a properties object is added to each of the rules objects, the properties.security-severity field (a string score from 0.0 to 10.0) can be included to change the GitHub Code Scanning severity values to be more in line with other security tools (Critical, High, Medium, Low) instead of quality tools (Error, Warning, Note).
More on those SARIF-compliant, GitHub-specific fields can be found here.
This would allow developers who are reviewing the findings in GitHub to consider KICS results in line with other AppSec tools, instead of being anchored behind all of the "Security" related findings.
Here's an example of what an updated SARIF file would look like, where this rule would now be classified in GitHub Code Scanning as a Critical severity alert instead of an Error severity alert:
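The updated SARIF file referred to above is not reproduced on this page. As an added example (not KICS project code and not the author's own), the Python script below makes the change described: it walks every run's tool.driver.rules and sets properties["security-severity"] on each rule, deriving the score from the rule's existing defaultConfiguration.level and allowing per-rule overrides. It assumes the input encodes severity as error/warning/note in defaultConfiguration.level; the sample SARIF document, its rule ids, and the chosen score values are constructed for illustration, and github_band is a local helper that mirrors GitHub's documented 0.0-10.0 bands.

```python
import json
import sys

# Scores chosen so that each SARIF level lands in one GitHub severity band:
# Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9.
# ASSUMPTION: the input encodes the scanner's severity as
# defaultConfiguration.level (error / warning / note); adjust if yours differs.
DEFAULT_LEVEL_SCORES = {"error": "9.0", "warning": "5.5", "note": "2.0", "none": "0.0"}


def github_band(score):
    """Name the GitHub Code Scanning band a security-severity score maps to."""
    s = float(score)
    if not 0.0 <= s <= 10.0:
        raise ValueError(f"security-severity must be within 0.0-10.0, got {score!r}")
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    if s > 0.0:
        return "low"
    return "none"


def add_security_severity(sarif, level_scores=None, rule_overrides=None):
    """Return a deep copy of `sarif` with properties['security-severity'] on every rule.

    rule_overrides maps a rule id to a score, for rules whose level is a poor
    proxy for real-world impact. Existing property-bag entries are preserved.
    """
    scores = {**DEFAULT_LEVEL_SCORES, **(level_scores or {})}
    overrides = rule_overrides or {}
    out = json.loads(json.dumps(sarif))  # deep copy; never mutate the caller's tree
    for run in out.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            level = rule.get("defaultConfiguration", {}).get("level", "warning")
            score = overrides.get(rule.get("id"), scores.get(level))
            if score is None:
                raise ValueError(f"no score for level {level!r} on rule {rule.get('id')!r}")
            github_band(score)  # validate the range before writing it out
            # The property bag is a JSON object, not an array, and GitHub reads
            # the score as a string, so normalise whatever the caller passed.
            rule.setdefault("properties", {})["security-severity"] = str(score)
    return out


# Constructed minimal SARIF 2.1.0 document for illustration; rule ids are made up.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-iac-scanner", "rules": [
            {"id": "example-rule-1", "name": "PublicStorageBucket",
             "shortDescription": {"text": "Storage bucket is publicly readable"},
             "defaultConfiguration": {"level": "error"},
             "properties": {"queryName": "PublicStorageBucket"}},
            {"id": "example-rule-2", "name": "MissingResourceTags",
             "shortDescription": {"text": "Resource has no tags"},
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [],
    }],
}


if __name__ == "__main__":
    # Usage: python add_security_severity.py [in.sarif [out.sarif]]
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    updated = add_security_severity(src)
    for rule in updated["runs"][0]["tool"]["driver"]["rules"]:
        sev = rule["properties"]["security-severity"]
        print(f"{rule['id']}: level={rule['defaultConfiguration']['level']} "
              f"security-severity={sev} -> {github_band(sev)}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as fh:
            json.dump(updated, fh, indent=2)
```

Run it on the sample and the error-level rule comes out as security-severity "9.0", which GitHub shows as Critical, while the warning-level rule lands in Medium; pass rule_overrides when a particular check deserves a different band than its level implies. Because the existing property bag is kept, any fields the scanner already placed there survive the rewrite.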