Severity and state mappings for GitHub

Alert priority and resolution state mapping between GitHub and Incident Response.

GitHub alert priority mapping

Event name                      Field of interest            GitHub payload value     Incident Response alert priority
repository_vulnerability_alert  alert.severity               critical                 P1-Critical
                                                             high                     P2-Major
                                                             moderate                 P3-Moderate
                                                             low                      P4-Low
security_advisory               security_advisory.severity   critical                 P1-Critical
                                                             high                     P2-Major
                                                             moderate                 P3-Moderate
                                                             low                      P4-Low
check_run                       check_run.conclusion         failure                  P3-Moderate
                                                             cancelled                P4-Low
                                                             timed_out                P4-Low
                                                             action_required          P4-Low
                                                             any other value          P5-Informational
check_suite                     check_suite.conclusion       failure                  P3-Moderate
                                                             cancelled                P4-Low
                                                             timed_out                P4-Low
                                                             action_required          P4-Low
                                                             any other value          P5-Informational
issues                          (none)                       (any)                    P4-Low
code_scanning_alert             alert.rule.severity          error                    P1-Critical
                                                             warning                  P4-Low
                                                             note                     P5-Informational
Note: For events other than the ones mentioned above, the alert priority value is P5-Informational.

GitHub resolution state mapping

Event name                      Field of interest   GitHub payload value   Incident Response alert resolution state
code_scanning_alert             action              fixed                  CLOSED
                                                    closed_by_user         CLOSED
                                                    any other value        NEW
issues                          action              closed                 CLOSED
                                                    any other value        NEW
repository_vulnerability_alert  action              resolve                CLOSED
                                                    dismiss                CLOSED
                                                    any other value        NEW
security_advisory               action              withdrawn              CLOSED
                                                    any other value        NEW

For events other than the ones listed above, the alert resolution state is always NEW and you must close the alert manually. For the complete list of GitHub webhook events and the payload fields these tables refer to, see https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads.

Note: If you require any other severity and state mappings, use the Generic webhook integration.
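The following is an added example, not code from the Incident Response product or its GitHub integration. It applies both tables above to a GitHub webhook delivery and adds the check a practitioner should put in front of any such mapping: verifying the X-Hub-Signature-256 header with the webhook secret, which the page does not cover. It assumes the event name is taken from the X-GitHub-Event header and the body is the parsed JSON payload; a payload value that is missing or not listed in a table is treated as P5-Informational (the page states that default explicitly only for check_run/check_suite and for unlisted events). The sample deliveries are constructed and abbreviated.

```python
"""Added example: map a GitHub webhook delivery to an Incident Response
alert priority and resolution state using the tables on this page, and
verify the delivery's HMAC signature first (an added check, not on the page).
"""
import hashlib
import hmac

P1, P2, P3, P4, P5 = (
    "P1-Critical", "P2-Major", "P3-Moderate", "P4-Low", "P5-Informational")

# repository_vulnerability_alert and security_advisory share one severity table.
SEVERITY_MAP = {"critical": P1, "high": P2, "moderate": P3, "low": P4}
# check_run / check_suite conclusions; any other value is P5-Informational.
CONCLUSION_MAP = {"failure": P3, "cancelled": P4,
                  "timed_out": P4, "action_required": P4}
# code_scanning_alert rule severity.
RULE_SEVERITY_MAP = {"error": P1, "warning": P4, "note": P5}

# event name -> (path to the field of interest, value -> priority table)
PRIORITY_RULES = {
    "repository_vulnerability_alert": (("alert", "severity"), SEVERITY_MAP),
    "security_advisory": (("security_advisory", "severity"), SEVERITY_MAP),
    "check_run": (("check_run", "conclusion"), CONCLUSION_MAP),
    "check_suite": (("check_suite", "conclusion"), CONCLUSION_MAP),
    "code_scanning_alert": (("alert", "rule", "severity"), RULE_SEVERITY_MAP),
}

# event name -> "action" values that set the alert resolution state to CLOSED
CLOSING_ACTIONS = {
    "code_scanning_alert": {"fixed", "closed_by_user"},
    "issues": {"closed"},
    "repository_vulnerability_alert": {"resolve", "dismiss"},
    "security_advisory": {"withdrawn"},
}


def _dig(payload, path):
    """Walk a nested dict along path; return None if any key is missing."""
    cur = payload
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def alert_priority(event, payload):
    """Priority table: issues are fixed at P4-Low; unlisted events are P5."""
    if event == "issues":
        return P4
    rule = PRIORITY_RULES.get(event)
    if rule is None:
        return P5
    path, table = rule
    # Assumption: a missing or unrecognised value falls through to P5; the
    # page spells that default out only for check_run / check_suite.
    return table.get(_dig(payload, path), P5)


def resolution_state(event, payload):
    """Resolution table: only the listed actions close the alert. Everything
    else, including events with no mapping at all, stays NEW and must be
    closed manually."""
    if payload.get("action") in CLOSING_ACTIONS.get(event, set()):
        return "CLOSED"
    return "NEW"


def classify(event, payload):
    """(priority, resolution state) for one delivery."""
    return alert_priority(event, payload), resolution_state(event, payload)


def sign_body(secret, body):
    """Value GitHub sends in X-Hub-Signature-256 for this secret and raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header):
    """Added check: refuse unsigned or mis-signed deliveries before mapping
    them. Without it, anyone who can POST to the endpoint can close a real
    alert by sending action=closed. Constant-time comparison."""
    return hmac.compare_digest(sign_body(secret, body), header or "")


if __name__ == "__main__":
    # Constructed, abbreviated deliveries; real payloads carry many more fields.
    deliveries = [
        ("repository_vulnerability_alert", {"action": "create", "alert": {"severity": "high"}}),
        ("repository_vulnerability_alert", {"action": "dismiss", "alert": {"severity": "high"}}),
        ("check_suite", {"action": "completed", "check_suite": {"conclusion": "success"}}),
        ("code_scanning_alert", {"action": "fixed", "alert": {"rule": {"severity": "error"}}}),
        ("issues", {"action": "closed"}),
        ("push", {"ref": "refs/heads/main"}),
    ]
    for event, payload in deliveries:
        print(f"{event:32} {payload.get('action', '-'):10} -> {classify(event, payload)}")
```

Note that the payload values are matched case-sensitively, as GitHub sends them in lowercase; a dismissed vulnerability alert keeps the priority of its severity and only its resolution state changes, which is what the second sample delivery shows.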