
Feature request: add a severity threshold to the .env file #23

Open
CallMeGreg opened this issue Apr 12, 2023 · 1 comment
Labels
enhancement New feature or request
Comments

CallMeGreg commented Apr 12, 2023

Context

Many organizations' security teams are outnumbered by developers, sometimes as drastically as a 1:100 ratio. Also, different organizations have different risk appetites when it comes to dismissing security alerts (e.g. focus security review on critical & high severity alerts, over medium & low severity alerts). This makes it undesirable to review the dismissal of every alert as opposed to just those that surpass a given severity threshold.

Suggestion

Allow for an optional parameter in the .env file to specify the severity threshold that requires scan-manager dismissal. For example:
SEVERITY_THRESHOLD=high would reopen only those alerts dismissed by someone other than a scan-manager that have a severity of high or critical. Not specifying a SEVERITY_THRESHOLD would reopen alerts of any severity.

cc @kenmuse

@kenmuse kenmuse added this to the v2.0.0 milestone Jun 3, 2024
kenmuse (Collaborator) commented Jun 3, 2024

Planning to include this in the next version. I'll include the following settings:

  • SECURITY_ALERT_CLOSE_TEAM: The original setting and the default for all of the values. Default value is scan-managers
  • DEPENDABOT_APPROVER_TEAM: If provided, requires Dependabot issues to be closed by a member of this team
  • DEPENDABOT_SEVERITY: Anything over this level requires the team approval. Defaults to All. It uses the higher value of security_advisory.severity or security_vulnerability.severity (although they appear to always be the same)
  • CODE_SCANNING_APPROVER_TEAM: If provided, requires Code Scanning issues to be closed by a member of this team
  • CODE_SCANNING_SEVERITY: Anything over this level requires the team approval. Defaults to All.
  • SECRET_SCANNING_APPROVER_TEAM: If provided, requires Code Scanning issues to be closed by a member of this team

The severity levels will be case-insensitive and accept any of the following:

  • None: Disables approvals
  • All: The default. All alerts must be approved in order to be closed.
  • Note: Note (and higher) alerts must be approved. Code-scanning only.
  • Warning: Warning (and higher) alerts must be approved. Code-scanning only.
  • Error: Error (and higher) alerts must be approved. Code-scanning only.
  • Low: Low (and higher) alerts must be approved
  • Medium: Medium (and higher) alerts must be approved
  • High: High (and higher) alerts must be approved
  • Critical: Critical (and higher) alerts must be approved

@kenmuse kenmuse added the enhancement New feature or request label Jun 3, 2024
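One way to implement the threshold semantics kenmuse lists above, as an added example that is not the project's own code. It assumes the *_SEVERITY values arrive from the .env file as plain strings (unset meaning All) and that the levels form a single ladder in the order listed in the comment; the real implementation may order or validate them differently.

```python
from typing import Optional

# Added example, not the project's code. Assumption: the levels listed in the
# comment form one ladder in that order (note < warning < ... < critical).
LEVELS = ["note", "warning", "error", "low", "medium", "high", "critical"]
CODE_SCANNING_ONLY = {"note", "warning", "error"}
ENV_KEY = {"dependabot": "DEPENDABOT_SEVERITY",
           "code_scanning": "CODE_SCANNING_SEVERITY"}


def parse_threshold(value: Optional[str], alert_type: str) -> str:
    """Normalise a *_SEVERITY value (case-insensitive); unset means "all"."""
    norm = (value or "all").strip().lower()
    if norm in ("none", "all"):
        return norm
    if norm not in LEVELS:
        raise ValueError(f"unknown severity threshold: {value!r}")
    if norm in CODE_SCANNING_ONLY and alert_type != "code_scanning":
        raise ValueError(f"{norm!r} is a code-scanning-only level")
    return norm


def dependabot_severity(alert: dict) -> str:
    """Dependabot alerts carry two severity fields; take the higher one."""
    found = [(alert.get("security_advisory") or {}).get("severity"),
             (alert.get("security_vulnerability") or {}).get("severity")]
    levels = [s.lower() for s in found if s]
    if not levels:
        raise ValueError("alert carries no severity")
    return max(levels, key=LEVELS.index)


def needs_team_approval(threshold: str, severity: str) -> bool:
    """True when an alert of this severity may only be closed by the team."""
    if threshold == "none":
        return False
    if threshold == "all":
        return True
    return LEVELS.index(severity.lower()) >= LEVELS.index(threshold)


def should_reopen(env: dict, alert_type: str, severity: str,
                  closer_in_team: bool) -> bool:
    """Revert a dismissal made outside the approver team if the threshold applies."""
    threshold = parse_threshold(env.get(ENV_KEY[alert_type]), alert_type)
    return needs_team_approval(threshold, severity) and not closer_in_team
```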