Vulnerability severity levels (ULTIMATE)
GitLab vulnerability analyzers attempt to return vulnerability severity level values whenever
possible. The following is a list of available GitLab vulnerability severity levels, ranked from
most to least severe:
Critical
High
Medium
Low
Info
Unknown
Most GitLab vulnerability analyzers are wrappers around popular open source scanning tools. Each
open source scanning tool provides their own native vulnerability severity level value. These values
can be one of the following:
To provide consistent vulnerability severity level values, the GitLab vulnerability analyzers
convert from the above values to a standardized GitLab vulnerability severity level, as outlined in
the following tables:
SAST
GitLab analyzer |
Outputs severity levels? |
Native severity level type |
Native severity level example |
security-code-scan |
{check-circle} Yes |
String |
CRITICAL , HIGH , MEDIUM in analyzer version 3.2.0 and later. In earlier versions, hardcoded to Unknown . |
brakeman |
{check-circle} Yes |
String |
HIGH , MEDIUM , LOW |
sobelow |
{check-circle} Yes |
N/A |
Hardcodes all severity levels to Unknown |
nodejs-scan |
{check-circle} Yes |
String |
INFO , WARNING , ERROR |
flawfinder |
{check-circle} Yes |
Integer |
0 , 1 , 2 , 3 , 4 , 5 |
eslint |
{check-circle} Yes |
N/A |
Hardcodes all severity levels to Unknown |
SpotBugs |
{check-circle} Yes |
Integer |
1 , 2 , 3 , 11 , 12 , 18 |
gosec |
{check-circle} Yes |
String |
HIGH , MEDIUM , LOW |
bandit |
{check-circle} Yes |
String |
HIGH , MEDIUM , LOW |
phpcs-security-audit |
{check-circle} Yes |
String |
ERROR , WARNING |
pmd-apex |
{check-circle} Yes |
Integer |
1 , 2 , 3 , 4 , 5 |
kubesec |
{check-circle} Yes |
String |
CriticalSeverity , InfoSeverity |
secrets |
{check-circle} Yes |
N/A |
Hardcodes all severity levels to Critical |
semgrep |
{check-circle} Yes |
String |
error , warning , note , none |
Dependency Scanning
GitLab analyzer |
Outputs severity levels? |
Native severity level type |
Native severity level example |
bundler-audit |
{check-circle} Yes |
String |
low , medium , high , critical |
retire.js |
{check-circle} Yes |
String |
low , medium , high , critical |
gemnasium |
{check-circle} Yes |
CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating |
(AV:N/AC:L/Au:S/C:P/I:P/A:N) , CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Container Scanning
GitLab analyzer |
Outputs severity levels? |
Native severity level type |
Native severity level example |
container-scanning |
{check-circle} Yes |
String |
Unknown , Low , Medium , High , Critical |
Fuzz Testing
All fuzz testing results are reported as Unknown. They should be reviewed and triaged manually to find exploitable faults to prioritize for fixing.