Description
Problem
CI pipelines require deterministic thresholds to fail builds based on security findings.
Security scanners currently use inconsistent severity models, making it difficult to enforce consistent CI policies across tools.
For example:
- some tools use critical / high / medium / low
- others use numeric scoring systems
- others use custom labels
Without a normalized severity model, CI systems cannot reliably evaluate findings produced by different scanners.
In OpenPAKT, severity levels apply to the finding taxonomy defined in Issue #2.
Example:
```yaml
type: prompt_injection
severity: high
```
Proposed Change
Define a standard severity model for OpenPAKT findings.
Proposed severity levels:
- critical
- high
- medium
- low
- informational
These levels represent the impact and urgency of a finding, independent of the scanner that produced it.
Considerations
The severity model should support:
- deterministic CI policy gates
- compatibility with SARIF and other reporting formats
- mapping to vendor severity models
- consistent evaluation across OpenPAKT-compliant tools
The severity levels should remain stable across specification versions to ensure CI policy rules remain valid over time.
Examples
Example OpenPAKT finding:
```yaml
type: prompt_injection
severity: high
component: agent.prompt
description: Agent followed malicious instructions embedded in retrieved content.
```
Example CI policy rule:
```yaml
fail-on: high
```
Example CI behavior:
- critical → fail build
- high → fail build
- medium → warning
- low → informational
- informational → report only
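The gate described above, as an added example that is not OpenPAKT's own code: vendor severities (labels or a 0-10 score) are normalized to the five proposed levels, and any finding at or above the `fail-on` threshold fails the build. The label map, numeric bands, and sample findings are constructed for illustration, not taken from the specification or Issue #2.

```python
"""Normalize scanner severities to OpenPAKT levels and apply a fail-on CI gate."""

# Ordered from most to least severe; the index is the rank used for threshold comparison.
LEVELS = ["critical", "high", "medium", "low", "informational"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Hypothetical vendor label mappings (constructed; not part of the OpenPAKT spec).
LABEL_MAP = {
    "error": "high", "warning": "medium", "note": "informational",  # SARIF-style levels
    "blocker": "critical", "major": "high", "minor": "low",         # custom vendor labels
}

# Constructed numeric bands (CVSS-like floors); a real mapping would be vendor-specific.
SCORE_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]


def normalize(raw) -> str:
    """Map an OpenPAKT label, a vendor label, or a numeric score to an OpenPAKT level."""
    if isinstance(raw, (int, float)):
        for floor, level in SCORE_BANDS:
            if raw >= floor:
                return level
        return "informational"
    label = str(raw).strip().lower()
    if label in RANK:
        return label
    if label in LABEL_MAP:
        return LABEL_MAP[label]
    raise ValueError(f"unknown severity: {raw!r}")


def evaluate(findings, fail_on: str) -> dict:
    """Apply the gate: findings at or above `fail_on` fail the build; the rest are reported only."""
    if fail_on not in RANK:
        raise ValueError(f"fail-on must be one of {LEVELS}, got {fail_on!r}")
    failing, reported = [], []
    for finding in findings:
        level = normalize(finding["severity"])
        bucket = failing if RANK[level] <= RANK[fail_on] else reported
        bucket.append({**finding, "severity": level})  # store the normalized level
    return {"fail": bool(failing), "failing": failing, "reported": reported}


if __name__ == "__main__":
    # Constructed sample findings from three scanners using different severity models.
    sample = [
        {"type": "prompt_injection", "component": "agent.prompt", "severity": "high"},
        {"type": "constructed_type_a", "component": "agent.tools", "severity": 9.8},
        {"type": "constructed_type_b", "component": "agent.memory", "severity": "note"},
    ]
    result = evaluate(sample, fail_on="high")
    print("FAIL" if result["fail"] else "PASS", f"({len(result['failing'])} gating finding(s))")
```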
Impact
A normalized severity model enables:
- deterministic CI security gates
- cross-tool compatibility for OpenPAKT findings
- easier integration with security dashboards
- consistent risk evaluation across the ecosystem