Merge pull request #90 from advanced-security/GeekMasher/fix-severity…

…-check Fix severity check logic and make it configurable
advanced-security · Dec 19, 2024 · 2d5f25e · 2d5f25e
2 parents 8877538 + e65181f
commit 2d5f25e
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -57,6 +57,8 @@ GITHUB_APP_KEY=-----BEGIN PRIVATE KEY-----\n...
 GITHUB_APP_SECRET=123456789012345678901234567890
 GITHUB_APP_ENDPOINT=/
 GITHUB_GHAS_TEAM="sec_team"
+# GHAS Severities
+GITHUB_GHAS_SEVERITIES="critical,high,error,errors"
 ```
 
 You can also use the following CLI arguments to pass the configuration.

diff --git a/ghasreview/app.py b/ghasreview/app.py
@@ -155,11 +155,19 @@ def onCodeScanningAlertClose():
 
     # Severity check, if not high enough, do not involve security team
     severities = current_app.config.get("GHAS_SEVERITIES")
-    if severities and alert.severity not in severities:
-        logger.debug(
-            f"Severity is not high enough to get security involved: {alert.severity}"
-        )
-        return {"message": "Severity is not high enough to get security involved, doing nothing."}
+    if severities:
+        if alert.severity not in severities:
+            logger.debug(
+                f"Severity is not high enough to get security involved: {alert.severity}"
+            )
+            return {"message": "Severity is not high enough to get security involved, doing nothing."}
+        if alert.payload.get("alert", {}).get("rule", {}).get("security_severity_level", "") not in severities:
+            logger.debug(
+                f"Security severity level is not high enough to get security involved: {alert.payload.get('alert', {}).get('rule', {}).get('security_severity_level', '')}"
+            )
+            return {"message": "Security severity level is not high enough to get security involved, doing nothing."}
+    else:
+        logger.debug("No severities provided, reopening all findings")
 
     # Check team exists
     if not alert.client.checkIfTeamExists(alert.owner, config.get("GHAS_TEAM")):

diff --git a/ghasreview/setup.py b/ghasreview/setup.py
@@ -28,6 +28,11 @@ def parse_arguments():
     parser_github.add_argument(
         "--ghas-comment-required", default=bool(os.environ.get("GITHUB_GHAS_COMMENT_REQUIRED", 0))
     )
+    parser_github.add_argument(
+        "--ghas-severities",
+        nargs="*",
+        default=os.environ.get("GITHUB_GHAS_SEVERITIES", "").split(",") or ["critical", "high", "error", "errors"],
+    )
 
     parser_github = parser.add_argument_group("GitHub")
     parser_github.add_argument(
@@ -63,6 +68,7 @@ def setup_logging(arguments):
     logging.debug(f"GitHub App Secret :: {arguments.github_app_secret}")
     logging.debug(f"GHAS Tool Name :: {arguments.ghas_tool_name}")
     logging.debug(f"GHAS Comment Required :: {arguments.ghas_comment_required}")
+    logging.debug(f"GHAS Severities :: {arguments.ghas_severities}")
 
 
 def validate_arguments(arguments):
@@ -102,7 +108,7 @@ def setup_app():
         "GHAS_COMMENT_REQUIRED": arguments.ghas_comment_required,
         # Tool and severities to check
         "GHAS_TOOL": arguments.ghas_tool_name,
-        "GHAS_SEVERITIES": ["critical", "high", "error", "errors"],
+        "GHAS_SEVERITIES": arguments.ghas_severities if arguments.ghas_severities else None,
         # GitHub App
         "GITHUBAPP_ID": arguments.github_app_id,
         "GITHUBAPP_KEY": app_key,