Change CS_SEVERITY_THRESHOLD default value to medium

Why are we doing this work

⚠️ This change has been cancelled or postponed indefinitely.

Announcement issue: #515358 (closed)

The Container Scanning security feature generates a large volume of findings. That volume is often difficult for engineering teams to manage, and even internally we usually limit the results to focus on the most severe vulnerabilities.

Changing the default to medium gives users a saner baseline: findings with a severity below medium (low and unknown) are no longer reported unless a project lowers the threshold explicitly.

Starting with GitLab 18.0, the default value for the CS_SEVERITY_THRESHOLD environment variable is set to medium instead of unknown.
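The filtering the threshold performs, as an added illustration that is not the analyzer's code: a constructed five-finding report in the shape of gl-container-scanning-report.json is run through the threshold once with the 17.x default (unknown) and once with the 18.0 default (medium). The ascending severity order, the case-insensitive comparison and the minimal report layout are assumptions made for the example.

```python
"""Illustrate what CS_SEVERITY_THRESHOLD does to a container-scanning report.

Added example, not the analyzer's code. Assumptions: the ascending severity
order below (unknown < low < medium < high < critical), that the variable is
compared case-insensitively, and a minimal report layout modelled on
gl-container-scanning-report.json ("vulnerabilities" entries with a "severity").
"""
import json

# Assumed ascending order used when comparing a finding against the threshold.
SEVERITY_ORDER = ("unknown", "low", "medium", "high", "critical")

# Default before the change (17.x) and after it (18.0), per the issue text.
OLD_DEFAULT = "unknown"
NEW_DEFAULT = "medium"

# Constructed sample report; image, package names and finding IDs are invented.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "f1", "name": "Constructed finding 1", "severity": "Critical",
         "location": {"image": "example.test/app:1.0", "dependency": {"package": {"name": "pkg-a"}}}},
        {"id": "f2", "name": "Constructed finding 2", "severity": "High",
         "location": {"image": "example.test/app:1.0", "dependency": {"package": {"name": "pkg-b"}}}},
        {"id": "f3", "name": "Constructed finding 3", "severity": "Medium",
         "location": {"image": "example.test/app:1.0", "dependency": {"package": {"name": "pkg-c"}}}},
        {"id": "f4", "name": "Constructed finding 4", "severity": "Low",
         "location": {"image": "example.test/app:1.0", "dependency": {"package": {"name": "pkg-d"}}}},
        {"id": "f5", "name": "Constructed finding 5", "severity": "Unknown",
         "location": {"image": "example.test/app:1.0", "dependency": {"package": {"name": "pkg-e"}}}},
    ],
})


def parse_threshold(value):
    """Normalise a threshold label and reject anything outside the known set."""
    label = value.strip().lower()
    if label not in SEVERITY_ORDER:
        raise ValueError(f"unsupported CS_SEVERITY_THRESHOLD value: {value!r}")
    return label


def threshold_from_env(environ, default=NEW_DEFAULT):
    """Read CS_SEVERITY_THRESHOLD from an environment mapping, falling back to the default."""
    return parse_threshold(environ.get("CS_SEVERITY_THRESHOLD", default))


def severity_rank(label):
    """Position in SEVERITY_ORDER; labels that cannot be classified count as unknown."""
    label = label.lower()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else 0


def filter_report(report_json, threshold):
    """Return a copy of the report keeping only findings at or above the threshold."""
    report = json.loads(report_json)
    floor = severity_rank(parse_threshold(threshold))
    kept = [v for v in report["vulnerabilities"] if severity_rank(v["severity"]) >= floor]
    return {**report, "vulnerabilities": kept}


def kept_ids(report_json, threshold):
    """Finding IDs that survive the threshold, in report order."""
    return [v["id"] for v in filter_report(report_json, threshold)["vulnerabilities"]]


if __name__ == "__main__":
    import os

    threshold = threshold_from_env(os.environ)
    for label in (OLD_DEFAULT, threshold):
        print(f"threshold={label}: {kept_ids(SAMPLE_REPORT, label)}")
```

With the 17.x default every finding, including the two low and unknown ones, reaches the report; with medium only the critical, high and medium findings survive. In a pipeline the value comes from the CS_SEVERITY_THRESHOLD CI/CD variable, so a project that wants the old behaviour back sets it to unknown explicitly rather than relying on the default.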

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

WIP:

Since we will release a new major version of the analyzer in 18.0, we can change the CS_SEVERITY_THRESHOLD default value to medium in the analyzer itself: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning

This change must not be applied to V7 of Container Scanning; we don't want to impact GitLab 17.x users with this breaking change.

Verification steps

Edited by John Crowley