
Feature request: add a severity threshold to the .env file

Open · CallMeGreg opened this issue 2 years ago • 1 comment

Context

Many organizations' security teams are outnumbered by developers, sometimes as drastically as a 1:100 ratio. Also, different organizations have different risk appetites when it comes to dismissing security alerts (e.g. focus security review on critical & high severity alerts, over medium & low severity alerts). This makes it undesirable to review the dismissal of every alert as opposed to just those that surpass a given severity threshold.

Suggestion

Allow for an optional parameter in the .env file to specify the severity threshold that requires scan-manager dismissal. For example: SEVERITY_THRESHOLD=high would reopen only those alerts dismissed by someone other than a scan-manager that have a severity of high or critical. Not specifying a SEVERITY_THRESHOLD would reopen alerts of any severity.

cc @kenmuse

CallMeGreg avatar Apr 12 '23 14:04 CallMeGreg

Planning to include this in the next version. I'll include the following settings:

  • SECURITY_ALERT_CLOSE_TEAM: The original setting and the default for all of the values. Default value is scan-managers
  • DEPENDABOT_APPROVER_TEAM: If provided, requires Dependabot issues to be closed by a member of this team
  • DEPENDABOT_SEVERITY: Anything over this level requires the team approval. Defaults to All. It uses the higher value of security_advisory.severity or security_vulnerability.severity (although they appear to always be the same)
  • CODE_SCANNING_APPROVER_TEAM: If provided, requires Code Scanning issues to be closed by a member of this team
  • CODE_SCANNING_SEVERITY: Anything over this level requires the team approval. Defaults to All.
  • SECRET_SCANNING_APPROVER_TEAM: If provided, requires Code Scanning issues to be closed by a member of this team

The severity levels will be case-insensitive and accept any of the following:

  • None: Disables approvals
  • All: The default. All alerts must be approved in order to be closed.
  • Note: Note (and higher) alerts must be approved. Code-scanning only.
  • Warning: Warning (and higher) alerts must be approved. Code-scanning only.
  • Error: Error (and higher) alerts must be approved. Code-scanning only.
  • Low: Low (and higher) alerts must be approved
  • Medium: Medium (and higher) alerts must be approved
  • High: High (and higher) alerts must be approved
  • Critical: Critical (and higher) alerts must be approved

kenmuse avatar Jun 03 '24 14:06 kenmuse
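An added worked example of the threshold semantics described in the comment above. This is not code from the probot-security-alerts project or from either commenter. It reads the six settings named in the comment from an environment-like object, treats the severity words case-insensitively, takes the higher of `security_advisory.severity` and `security_vulnerability.severity` for Dependabot alerts, and decides whether a dismissal must come from the approver team. Assumptions: a single rank order that places the code-scanning levels (note, warning, error) below the security levels (low to critical), the use of `rule.severity` and `rule.security_severity_level` as the code-scanning severity fields, and the function and variable names, which are hypothetical. The sample policy and payloads at the bottom are constructed, not real events.

```javascript
// Added example, not the project's own code. ASSUMPTION: one rank order spanning
// the code-scanning levels and the security levels; the project may order or
// separate these differently.
const SEVERITY_RANK = ["note", "warning", "error", "low", "medium", "high", "critical"];

// Normalise a configured threshold (case-insensitive). Unset or "all" means every
// alert needs approval; "none" disables approval. Unknown values throw instead of
// silently widening or narrowing the policy because of a typo in .env.
function parseThreshold(value) {
  const v = String(value ?? "all").trim().toLowerCase();
  if (v === "all" || v === "none" || SEVERITY_RANK.includes(v)) return v;
  throw new Error(`unknown severity threshold: ${JSON.stringify(value)}`);
}

// True when an alert of the given severity is at or above the threshold.
// A missing or unrecognised severity fails closed: approval is required.
function meetsThreshold(alertSeverity, threshold) {
  if (threshold === "none") return false;
  if (threshold === "all") return true;
  const rank = SEVERITY_RANK.indexOf(String(alertSeverity ?? "").toLowerCase());
  return rank < 0 || rank >= SEVERITY_RANK.indexOf(threshold);
}

// Dependabot payloads carry two severities; use the higher one, as the comment says.
function higherSeverity(a, b) {
  const ra = SEVERITY_RANK.indexOf(String(a ?? "").toLowerCase());
  const rb = SEVERITY_RANK.indexOf(String(b ?? "").toLowerCase());
  return ra >= rb ? a : b;
}

// Build the policy from an environment-like object (e.g. process.env).
// SECURITY_ALERT_CLOSE_TEAM is the default team for every alert kind.
function loadPolicy(env) {
  const closeTeam = env.SECURITY_ALERT_CLOSE_TEAM || "scan-managers";
  return {
    dependabot: {
      team: env.DEPENDABOT_APPROVER_TEAM || closeTeam,
      threshold: parseThreshold(env.DEPENDABOT_SEVERITY),
    },
    code_scanning: {
      team: env.CODE_SCANNING_APPROVER_TEAM || closeTeam,
      threshold: parseThreshold(env.CODE_SCANNING_SEVERITY),
    },
    secret_scanning: {
      team: env.SECRET_SCANNING_APPROVER_TEAM || closeTeam,
      threshold: "all", // no severity setting is listed for secret scanning
    },
  };
}

// Decide whether a dismissal must come from the approver team.
// `kind` is "dependabot" | "code_scanning" | "secret_scanning"; `payload` is the
// alert part of the webhook event (see the constructed samples below).
function dismissalNeedsApproval(policy, kind, payload) {
  const rule = policy[kind];
  if (!rule) throw new Error(`unknown alert kind: ${kind}`);
  let severity;
  if (kind === "dependabot") {
    severity = higherSeverity(
      payload.security_advisory?.severity,
      payload.security_vulnerability?.severity
    );
  } else if (kind === "code_scanning") {
    // ASSUMPTION: rule.severity holds note/warning/error and security rules add
    // security_severity_level (low..critical); prefer the security level when present.
    severity = payload.rule?.security_severity_level ?? payload.rule?.severity;
  }
  return { required: meetsThreshold(severity, rule.threshold), team: rule.team, severity };
}

// Constructed sample configuration and payloads (not real events).
const samplePolicy = loadPolicy({
  SECURITY_ALERT_CLOSE_TEAM: "scan-managers",
  DEPENDABOT_SEVERITY: "High",
  CODE_SCANNING_APPROVER_TEAM: "appsec",
  CODE_SCANNING_SEVERITY: "warning",
});
const sampleDependabotMedium = {
  security_advisory: { severity: "medium" },
  security_vulnerability: { severity: "medium" },
};
const sampleDependabotCritical = {
  security_advisory: { severity: "critical" },
  security_vulnerability: { severity: "high" },
};
const sampleCodeScanningNote = { rule: { severity: "note" } };
const sampleCodeScanningError = { rule: { severity: "error" } };
```

Two design choices matter for a policy like this: an unknown threshold string is rejected at load time rather than treated as "All", so a misspelled `.env` value cannot change the policy unnoticed, and an alert whose severity is missing or unrecognised is treated as needing approval, so the bot fails closed rather than open.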