csutils / csdiff

Utilities for processing results of static analyzers, dynamic analyzers, and formal verification tools

Support `level` information in SARIF output

lzaoral opened this issue

We should also report the severity level [1]. Since we're not doing it at the moment, all reports default to warning and this property is also supported by GitHub [2]. Supported levels are:

  • warning
  • error
  • note
  • none

[1] https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10541086
[2] https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#result-object
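
The defaulting behaviour described in the issue, as an added example (not csdiff code, and not part of the original issue): a small audit that reports which level a SARIF consumer would see for each result. It goes slightly beyond the issue text by also honouring a rule's `defaultConfiguration.level` before falling back to `warning`; it ignores `kind` and configuration overrides, and the sample log, tool name and rule IDs are constructed.

```python
import json

VALID_LEVELS = ("warning", "error", "note", "none")  # the four levels listed in the issue

# Constructed sample SARIF log (not csdiff output); tool and rule names are made up.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-analyzer", "rules": [
      {"id": "EX001", "defaultConfiguration": {"level": "error"}},
      {"id": "EX002"}
    ]}},
    "results": [
      {"ruleId": "EX001", "message": {"text": "explicit level"}, "level": "note"},
      {"ruleId": "EX001", "message": {"text": "level from rule default"}},
      {"ruleId": "EX002", "message": {"text": "no level anywhere"}},
      {"ruleId": "EX002", "message": {"text": "invalid level"}, "level": "critical"}
    ]
  }]
}
""")


def effective_levels(sarif):
    """Return (ruleId, effective level, source) for every result in the log."""
    out = []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        # Map rule id -> default level declared by the rule, if any.
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level")
                    for r in rules if "id" in r}
        for res in run.get("results", []):
            rule_id = res.get("ruleId")
            level = res.get("level")
            if level is not None:
                # Explicit level: accept only the four supported values.
                source = "result" if level in VALID_LEVELS else "invalid"
            elif defaults.get(rule_id):
                level, source = defaults[rule_id], "rule-default"
            else:
                # Nothing stated anywhere: the result is treated as a warning.
                level, source = "warning", "implicit-default"
            out.append((rule_id, level, source))
    return out


if __name__ == "__main__":
    for row in effective_levels(SAMPLE_SARIF):
        print(*row, sep="\t")
```

Rows marked `implicit-default` are the ones the issue is about: without an emitted `level`, a finding the analyzer considers an error is indistinguishable from a warning downstream.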