bridgecrewio / checkov-action

This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
Apache License 2.0
240 stars 101 forks

Checkov severity levels appear in Code Scanning Filter #141

Open kawikao opened 1 year ago

kawikao commented 1 year ago

After calling checkov-action in a workflow, the Severity filter in Code scanning in Github shows the regular checkov severities (low, medium, high and critical). Since checkov-action always reports error, these make no sense to even be in the filter list.

srgoni commented 1 year ago

Isn't this actually the opposite problem?

Severity levels are perfectly useful, and it's quite annoying that all findings are reported as Errors. Why does Checkov not reproduce the severity defined for each rule in SARIF reports?

luca-regne commented 6 days ago

The same here! Kind of messy to prioritize issues with "error" status on all of them.
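One defender-side workaround for the complaint in the two comments above (every finding arrives with SARIF level "error" regardless of rule severity) is to re-level the SARIF file before uploading it to code scanning. The block below is an added example, not code from checkov-action or Checkov; it assumes each rule's `properties` carries a `security-severity` score (the field GitHub reads for its critical/high/medium/low bands) and that reading and writing the file happens around `relevel_sarif`.

```python
import copy

# Constructed SARIF fragment (not real Checkov output) in the shape the thread
# describes: every result is level "error", while the rule carries a
# security-severity score. That the score is present is an assumption.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Checkov", "rules": [
            {"id": "CKV_AWS_1", "properties": {"security-severity": "9.5"}},
            {"id": "CKV_AWS_2", "properties": {"security-severity": "5.0"}},
            {"id": "CKV_AWS_3", "properties": {}},
        ]}},
        "results": [
            {"ruleId": "CKV_AWS_1", "level": "error"},
            {"ruleId": "CKV_AWS_2", "level": "error"},
            {"ruleId": "CKV_AWS_3", "level": "error"},
        ],
    }],
}


def level_for_score(score: float) -> str:
    """Map a security-severity score to a SARIF level using the bands GitHub
    documents for code scanning: >= 7.0 is high/critical ("error"),
    4.0 to 6.9 is medium ("warning"), below 4.0 is low ("note")."""
    if score >= 7.0:
        return "error"
    if score >= 4.0:
        return "warning"
    return "note"


def relevel_sarif(sarif: dict) -> dict:
    """Return a copy in which each result's level follows its rule's score.
    A result whose rule has no score keeps the level it arrived with, so
    nothing is demoted without evidence."""
    out = copy.deepcopy(sarif)
    for run in out["runs"]:
        scores = {}
        for rule in run["tool"]["driver"].get("rules", []):
            raw = rule.get("properties", {}).get("security-severity")
            if raw is not None:
                scores[rule["id"]] = float(raw)
        for result in run.get("results", []):
            score = scores.get(result.get("ruleId"))
            if score is not None:
                result["level"] = level_for_score(score)
    return out
```

Run it on the SARIF produced by the action step, write the result back, and upload that file so the code scanning severity filter reflects each rule's actual severity.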