Open
Conversation
Remove DefaultSeverities map, GetDefaultSeverity, BuildAllZeroAggregation, AggregateByRepo wrapper, hideZero parameter, and Jenkins --hide-zero CLI flag. All platforms already defaulted to hiding zero-count rows; this removes the dead code path that displayed vulnerability types with zero findings. LAB-1429 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- environment-bypass: HIGH -> LOW (missing config, not active vuln) - dispatch-toctou: HIGH -> MEDIUM (requires collaborator access + race) - unpinned-action (GitHub): HIGH -> LOW (supply chain, not direct vuln) - unpinned-include (GitLab): HIGH -> LOW (same rationale) - secrets-exposure fork build (ADO): MEDIUM -> HIGH (direct exfil path) LAB-1429 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
AI detections depend on prompt injection succeeding, which is probabilistic and model-dependent — unlike script injection which is deterministic RCE. No AI detection exceeds MEDIUM severity. Applies across all four platforms: GitHub, Azure DevOps, GitLab, and Bitbucket. LAB-1429 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove the separate "AI Security Detections" section from GitHub's --list output. AI detections are now grouped by severity alongside all other detections, matching the GitLab and ADO format. LAB-1429 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update ~17 test comments and 1 doc comment that still referenced old CRITICAL/HIGH severity levels after the recalibration to MEDIUM/LOW. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
MCP untrusted-only findings were recalibrated from MEDIUM to LOW but the test comments still said MEDIUM. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Severity ratings across detection plugins need fine tuning. This PR recalibrates them
Severity adjustments:
Infrastructure cleanup:
DefaultSeveritiesmap,GetDefaultSeverity,BuildAllZeroAggregation, and thehideZeroparameter threading. All platforms already hid zero-count rows, so this code had no effect.--listoutput format across platforms.Test plan
Closes LAB-1429