SAST output for KICS Severity Ratings is not the same as KICS Documentation
Summary
There are some discrepancies between the severity levels reported by GitLab SAST and those listed in the KICS documentation. The GitLab SAST output should be consistent with the documentation.
I'm not sure if we are doing this on purpose, or something is wrong along the way.
What is the current bug behavior?
- Expected Severity (KICS Documentation): High
- Reported Severity (GitLab SAST): Critical
Launch Configuration Is Not Encrypted:
- Expected Severity (KICS Documentation): High
- Reported Severity (GitLab SAST): Critical
IAM Access Analyzer Not Enabled:
- Expected Severity (KICS Documentation): Low
- Reported Severity (GitLab SAST): Info
Healthcheck Instruction Missing:
- Expected Severity (KICS Documentation): Low
- Reported Severity (GitLab SAST): Info
Of note, some severity levels are reported correctly. For example:
Auto Scaling Group With No Associated ELB:
- Expected Severity (KICS Documentation): Medium
- Reported Severity (GitLab SAST): Medium
What is the expected correct behavior?
The reported severity is consistent with the KICS documentation.
Steps to reproduce
- Test project: https://gitlab.com/awinata-ultimate-parent/497918-kics-test
- Example SAST output: gl-sast-report.json
- Note: I used the code examples described in the KICS documentation to recreate the error.
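To make the discrepancy reproducible without reading the report by hand, the following script compares each finding's severity in a `gl-sast-report.json` with the severity the KICS documentation gives for that query. It is an added example written for this issue, not code from GitLab or KICS. It assumes the GitLab SAST report layout (a top-level `vulnerabilities` array whose entries carry `name` and `severity`) and that the KICS query name appears in `name`; the expected severities are the ones quoted above, and the embedded report is constructed sample data that reproduces the reported values.

```python
"""Compare the severities in a GitLab SAST report with the severities KICS documents.

Added example for this issue; it is not code from GitLab or KICS. It assumes the
GitLab SAST report layout (a top-level "vulnerabilities" array whose entries carry
"name" and "severity") and that the KICS query name appears in "name". The expected
severities are the ones quoted in the issue; the report below is constructed data.
"""
import json
import sys

# Severities taken from the KICS documentation, as quoted in the issue.
EXPECTED_SEVERITY = {
    "Launch Configuration Is Not Encrypted": "High",
    "IAM Access Analyzer Not Enabled": "Low",
    "Healthcheck Instruction Missing": "Low",
    "Auto Scaling Group With No Associated ELB": "Medium",
}

# Constructed gl-sast-report.json excerpt reproducing the severities the issue reports.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"name": "Launch Configuration Is Not Encrypted", "severity": "Critical",
         "location": {"file": "main.tf", "start_line": 1}},
        {"name": "IAM Access Analyzer Not Enabled", "severity": "Info",
         "location": {"file": "main.tf", "start_line": 12}},
        {"name": "Healthcheck Instruction Missing", "severity": "Info",
         "location": {"file": "Dockerfile", "start_line": 1}},
        {"name": "Auto Scaling Group With No Associated ELB", "severity": "Medium",
         "location": {"file": "main.tf", "start_line": 30}},
        # A query the expected-severity table does not know about (assumed name).
        {"name": "Some Other KICS Query", "severity": "Low",
         "location": {"file": "main.tf", "start_line": 40}},
    ],
})


def compare_severities(report_text, expected=EXPECTED_SEVERITY):
    """Group findings into matches, mismatches and unknown queries.

    Returns a dict with:
      "matches":    {query name: reported severity}
      "mismatches": {query name: (expected, reported)}
      "unknown":    {query name: reported}   # no documented severity to compare with
    Severity strings are compared case-insensitively ("HIGH" == "High").
    """
    report = json.loads(report_text)
    result = {"matches": {}, "mismatches": {}, "unknown": {}}
    for finding in report.get("vulnerabilities", []):
        name = finding.get("name", "")
        reported = finding.get("severity", "Unknown")
        want = expected.get(name)
        if want is None:
            result["unknown"][name] = reported
        elif want.lower() == reported.lower():
            result["matches"][name] = reported
        else:
            result["mismatches"][name] = (want, reported)
    return result


def main(argv):
    # With a path argument, check a real report; otherwise use the constructed sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    result = compare_severities(text)
    for name, (want, got) in sorted(result["mismatches"].items()):
        print(f"MISMATCH  {name}: KICS docs say {want}, report says {got}")
    for name, got in sorted(result["matches"].items()):
        print(f"ok        {name}: {got}")
    for name, got in sorted(result["unknown"].items()):
        print(f"unknown   {name}: {got} (not in expected table)")
    # Non-zero exit lets a CI job fail when the mapping drifts from the documentation.
    return 1 if result["mismatches"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_kics_severity.py gl-sast-report.json` against the report from the test project; with no argument it runs on the embedded sample and lists the three mismatches above while reporting the Auto Scaling Group query as consistent. Extending `EXPECTED_SEVERITY` with further query names from the KICS documentation turns this into a regression check for the mapping.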
Possible fixes
Reported by ultimate customer (zd internal only ref)