Modify the severity of findings for Python applications

This article will show you how to use ShiftLeft's modifying findings feature to change the vulnerability's assigned severity level after initial code analysis.


We assume that you have a GitHub repo that you're scanning using NG SAST.

Step 1: Create the configuration file

In the root directory, create a configuration file called ngsast.yaml that includes the following:

- app:
name: shiftleft-python-example
- downgrade_sqli
# Use filter to specify the category
- SQL Injection
# Specify the value for the tags, such as cvss_score or severity, that you would like to use
# Optionally, you can add a custom tag (e.g, a tag indicating the reason a vuln is
# marked as such)
- key: cvss_score
value: 5
- key: severity
value: medium
- key: reason
value: appsec_approved

Step 2: Run the action

ShiftLeft will automatically check your config file for rules defined as finding-modifications. If this exists, ShiftLeft will modify your findings whenever you run sl analyze as part of your Action.

Testing your changes

Once you've implemented these changes, all identified SQL Injection vulnerabilities will be automatically marked with a status of medium instead of critical once your workflow runs.