How does Semgrep assign severity levels to rules?
Semgrep Code and Secrets
Semgrep Code and Secrets rules have one of four severity levels: Critical, High, Medium, and Low. The severity indicates how critical the issues that a rule potentially detects are.
The rule author assigns the rule severity. The severity assignment of custom and third-party rules is the source of truth.
As a best practice, severity for Semgrep Registry rules in the security category should be assigned by evaluating the combination of likelihood and impact.
Semgrep Supply Chain
Semgrep Supply Chain rules have one of four severity levels: Critical, High, Medium, or Low. The score assigned to the CVE using the Common Vulnerability Scoring System (CVSS) score, or the severity value set by the GitHub Advisory Database, determines the severity in Semgrep Supply Chain. For example, a vulnerability is assigned Critical if it is given a CVSS score of 9.0 or higher.
In addition to severity, Supply Chain displays an Exploit prediction scoring system (EPSS) probability for findings. The EPSS score represents the likelihood that the vulnerability will be exploited in the wild in the next 30 days. Its values range from 0% to 100%. The higher the score, the greater the probability the vulnerability will be exploited. Semgrep groups probabilities as follows:
- High: 50 - 100%
- Medium: 10 - <50%
- Low: <10%
How are confidence levels assigned to rules?
Confidence level is also set by the rule author, but it is intended to describe the rule, not the vulnerability the rule catches.
The confidence level reflects how confident the rule writer is that the rule patterns capture the vulnerability without generating too many false positive findings. The rule author manually sets the appropriate confidence level. Rules that have more targeted and detailed patterns, such as advanced taint mode rules, typically are given HIGH confidence.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.