From b1a1a7a238875f905bfe4be37400fb5df2da11ba Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Tue, 24 Feb 2026 08:03:05 +0000
Subject: [PATCH] fix: enhance CodeQL SARIF parsing for improved severity level detection

---
 .../pre-commit-hooks/codeql-check-findings.sh | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/scripts/pre-commit-hooks/codeql-check-findings.sh b/scripts/pre-commit-hooks/codeql-check-findings.sh
index 87ef94b7..03a012e6 100755
--- a/scripts/pre-commit-hooks/codeql-check-findings.sh
+++ b/scripts/pre-commit-hooks/codeql-check-findings.sh
@@ -31,7 +31,17 @@ check_sarif() {
 .runs[] as $run
 | $run.results[]
 | . as $result
- | (($result.level // ($run.tool.driver.rules[$result.ruleIndex].defaultConfiguration.level // "")) | ascii_downcase) as $effectiveLevel
+ | ($run.tool.driver.rules // []) as $rules
+ | ((
+ $result.level
+ // (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
+ // ([
+ $rules[]?
+ | select((.id // "") == ($result.ruleId // ""))
+ | (.defaultConfiguration.level // empty)
+ ][0] // empty)
+ // ""
+ ) | ascii_downcase) as $effectiveLevel
 | select($effectiveLevel == "error" or $effectiveLevel == "warning")
 ] | length' "$sarif_file" 2>/dev/null || echo 0)
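Review bot: The closing `// ""` of the added fallback chain makes any result whose level cannot be resolved invisible to this gate, because the following `select` keeps only "error" and "warning". SARIF 2.1.0 defines a missing `defaultConfiguration.level` as "warning", so for results whose `kind` is absent or "fail" the last alternative would be safer as `// "warning"`; rules that are not listed under `tool.driver.rules` at all would then be counted rather than dropped. The same expression is repeated in the second hunk and needs the same change. The count query, which starts outside this hunk, also ends in `2>/dev/null || echo 0`, so a jq error is likewise reported as zero findings and both paths fail open without any message.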
@@ -43,7 +53,17 @@ check_sarif() {
 .runs[] as $run
 | $run.results[]
 | . as $result
- | (($result.level // ($run.tool.driver.rules[$result.ruleIndex].defaultConfiguration.level // "")) | ascii_downcase) as $effectiveLevel
+ | ($run.tool.driver.rules // []) as $rules
+ | ((
+ $result.level
+ // (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
+ // ([
+ $rules[]?
+ | select((.id // "") == ($result.ruleId // ""))
+ | (.defaultConfiguration.level // empty)
+ ][0] // empty)
+ // ""
+ ) | ascii_downcase) as $effectiveLevel
 | select($effectiveLevel == "error" or $effectiveLevel == "warning")
 | "\($effectiveLevel): \($result.ruleId // ""): \($result.message.text) (\($result.locations[0].physicalLocation.artifactLocation.uri):\($result.locations[0].physicalLocation.region.startLine))"
 ' "$sarif_file" 2>/dev/null | head -10
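Review bot: The `type == "number"` guard on `ruleIndex` still lets a negative index through, and jq resolves `$rules[-1]` to the last rule, so a result carrying SARIF's "not set" value of -1 would inherit the level of an unrelated rule. Tightening the condition to `if (($result.ruleIndex | type) == "number") and $result.ruleIndex >= 0 then` sends such results on to the `ruleId` lookup instead. The identical guard in the first hunk needs the same change. Since the count and the listing queries duplicate the whole expression, defining it once as a shared jq `def` would keep the two from drifting apart.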