
fix: respect severity_threshold in SARIF file actionable count #329

Merged
rafaelpereyra merged 1 commit into main from fix/severity-threshold-actionable-count on May 11, 2026

Conversation

@rafaelpereyra
Contributor

Issue #, if available:
N/A

Description of changes:
The SARIF file-based actionable findings count in run_ash_scan was counting all non-suppressed findings regardless of the configured severity_threshold. This caused ASH to exit with code 2 (actionable findings detected) even when all findings were below the threshold (e.g., LOW findings with MEDIUM threshold).

The fix applies the severity_threshold when counting from the SARIF file by:

  • Resolving the effective threshold from ash_config.global_settings
  • Checking issue_severity properties first (explicit scanner severity)
  • Falling back to SARIF level mapping (error->critical, warning->medium, note->low)
  • Only counting findings at or above the configured threshold

Includes 26 regression tests covering threshold filtering, SARIF file count behavior, explicit issue_severity handling, and end-to-end scenarios.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

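A worked illustration of the counting rule the PR describes (explicit issue_severity first, SARIF level fallback, threshold comparison, suppressed results excluded), placed beside the pre-fix "count everything" behaviour. This is an added example, not ASH's own code; the function names, the severity ordering, and the handling of unrecognised SARIF levels are assumptions, and the SARIF input is constructed.

```python
import json

# Assumed severity ordering for threshold comparison; "ALL" counts everything.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Fallback from SARIF result.level when no explicit issue_severity is present
# (the PR's mapping: error->critical, warning->medium, note->low).
LEVEL_TO_SEVERITY = {"error": "CRITICAL", "warning": "MEDIUM", "note": "LOW"}


def finding_severity(result):
    # Explicit scanner severity wins; otherwise map the SARIF level
    # (SARIF treats a missing level as "warning"). Levels outside the
    # mapping, e.g. "none", are assumed to be INFO.
    explicit = (result.get("properties") or {}).get("issue_severity")
    if isinstance(explicit, str) and explicit.upper() in SEVERITY_RANK:
        return explicit.upper()
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "INFO")


def unsuppressed_results(sarif):
    # Results carrying a non-empty SARIF "suppressions" array are never counted.
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            if not result.get("suppressions"):
                yield result


def count_actionable(sarif, threshold="MEDIUM"):
    # Fixed behaviour: only non-suppressed findings at or above the threshold count.
    min_rank = -1 if threshold.upper() == "ALL" else SEVERITY_RANK[threshold.upper()]
    return sum(1 for r in unsuppressed_results(sarif)
               if SEVERITY_RANK[finding_severity(r)] >= min_rank)


def count_unfiltered(sarif):
    # Pre-fix behaviour the PR describes: every non-suppressed finding counted.
    return sum(1 for _ in unsuppressed_results(sarif))


def exit_code(actionable):
    # Exit status the PR describes: 2 when actionable findings remain, else 0.
    return 2 if actionable > 0 else 0


# Constructed SARIF fragment (not real scanner output) exercising each rule.
SAMPLE_SARIF = json.loads("""{"version": "2.1.0", "runs": [{"tool": {"driver":
  {"name": "constructed-scanner"}}, "results": [
    {"ruleId": "R1", "level": "note"},
    {"ruleId": "R2", "level": "warning", "properties": {"issue_severity": "LOW"}},
    {"ruleId": "R3", "level": "note", "properties": {"issue_severity": "HIGH"}},
    {"ruleId": "R4", "level": "error", "suppressions": [{"kind": "external"}]},
    {"ruleId": "R5", "level": "warning"}]}]}""")
```

With a MEDIUM threshold the sample yields 2 actionable findings (R3 and R5) where the unfiltered count is 4; with a CRITICAL threshold it yields 0 and the exit code drops from 2 to 0, which is the bug the PR fixes.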
@rafaelpereyra rafaelpereyra requested a review from a team as a code owner May 11, 2026 22:49
@github-actions
Contributor

ASH Security Scan Report

  • Report generated: 2026-05-11T22:51:58+00:00
  • Time since scan: 1 minute

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-05-11T22:50:11+00:00
  • ASH version: 3.5.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

  • Severity levels:
    • Suppressed (S): Findings that have been explicitly suppressed and don't affect scanner status
    • Critical (C): Highest severity findings that require immediate attention
    • High (H): Serious findings that should be addressed soon
    • Medium (M): Moderate risk findings
    • Low (L): Lower risk findings
    • Info (I): Informational findings with minimal risk
  • Duration (Time): Time taken by the scanner to complete its execution
  • Actionable: Number of findings at or above the threshold severity level that require attention
  • Result:
    • PASSED = No findings at or above threshold
    • FAILED = Findings at or above threshold
    • MISSING = Required dependencies not available
    • SKIPPED = Scanner explicitly disabled
    • ERROR = Scanner execution error
  • Threshold: The minimum severity level that will cause a scanner to fail
    • Thresholds: ALL, LOW, MEDIUM, HIGH, CRITICAL
    • Source: Values in parentheses indicate where the threshold is set:
      • global (global_settings section in the ASH_CONFIG used)
      • config (scanner config section in the ASH_CONFIG used)
      • scanner (default configuration in the plugin, if explicitly set)
  • Statistics calculation:
    • All statistics are calculated from the final aggregated SARIF report
    • Suppressed findings are counted separately and do not contribute to actionable findings
    • Scanner status is determined by comparing actionable findings to the threshold
| Scanner | Suppressed | Critical | High | Medium | Low | Info | Actionable | Result | Threshold |
|---|---|---|---|---|---|---|---|---|---|
| bandit | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| cdk-nag | 0 | 0 | 0 | 0 | 0 | 0 | 0 | MISSING | MEDIUM (global) |
| cfn-nag | 0 | 0 | 0 | 0 | 0 | 0 | 0 | MISSING | MEDIUM (global) |
| checkov | 3 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | LOW (config) |
| detect-secrets | 17 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| grype | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| npm-audit | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| opengrep | 7 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| semgrep | 7 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| syft | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |

Report generated by Automated Security Helper (ASH) at 2026-05-11T22:51:58+00:00

@rafaelpereyra rafaelpereyra merged commit 65a679e into main May 11, 2026
235 checks passed
@rafaelpereyra rafaelpereyra deleted the fix/severity-threshold-actionable-count branch May 11, 2026 23:03