CVE Binary Tool GitHub Action

CVE Binary Tool GitHub Action helps you scan your GitHub repositories more conveniently. Add this Action by following the instructions below and it will start doing its work, reporting its findings through the repository's Security tab.

Inputs

scan_mode

Optional. CVE Binary Tool GitHub Action has three scan modes:

  1. repo-only (default): In this mode cve-bin-tool automatically detects binary files and requirements files and scans them.
  2. sbom-only: In this mode cve-bin-tool only automatically detects supported SBOM files and scans them.
  3. both: In this mode cve-bin-tool automatically detects SBOM files, binary files and requirements files and scans them.

NOTE: Scans may report duplicate results when scan_mode is set to both.

nvd_api_key

Optional. An NVD API key is required for downloading the National Vulnerability Database directly from NVD.

NOTE: CVE Binary Tool GitHub Action uses https://cveb.in as a mirror to fetch the latest CVEs; this mirror is updated every day. When you provide nvd_api_key, the action uses the latest NVD data instead of the mirror data, which may be up to one day old.

exclude_dir

Optional. While scanning, CVE Binary Tool will ignore these directories.

NOTE: To specify multiple directories, separate them with commas and do not include spaces.

alerts_based_on_file

Optional. Split security alerts by source file. By default the action creates a separate security alert for every component.

build_command

Optional. The action runs build_command first, then runs CVE Binary Tool on the build output and the repository content.

sbom_type

Optional. CVE Binary Tool GitHub Action provides an SBOM report in the Security tab along with the HTML/PDF scan reports. Valid SBOM types are spdx and cyclonedx. (default: spdx)

sbom_format

Optional. Valid SBOM formats are tag, json and yaml. (default: json)

triage_input_file

Optional. Provide the input filename for triage data. The supported format is CycloneDX VEX. Find more information here.

Example usage

name: CVE Binary Tool Scanner

on:
  push:
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: '20 2 * * *'

permissions:
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: intel/cve-bin-tool-action@main
        with:
          nvd_api_key: '${{ secrets.NVD_API_KEY }}'
          exclude_dir: test

Build before scanning

Make example

name: CVE Binary Tool Scanner

on:
  push:
  workflow_dispatch:

permissions:
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: intel/cve-bin-tool-action@main
        with:
          nvd_api_key: '${{ secrets.NVD_API_KEY }}'
          alerts_based_on_file: true
          build_command: make

Node.js/Electron.js example

name: CVE Binary Tool Scanner

on:
  push:
  workflow_dispatch:

permissions:
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Setup node v16 (for build process)
        run: |
          curl -sL https://deb.nodesource.com/setup_16.x | sudo bash -
          sudo apt -y install nodejs
      - uses: intel/cve-bin-tool-action@main
        with:
          nvd_api_key: '${{ secrets.NVD_API_KEY }}'
          build_command: npm run build

Update SBOM automatically with a PR in regular interval

name: Update SBOM Action
on:
  schedule:
    - cron: '20 2 * * *'

permissions:
  security-events: write
  contents: write
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: intel/cve-bin-tool-action@main
        with:
          nvd_api_key: '${{ secrets.NVD_API_KEY }}'
          exclude_dir: binary
          sbom_type: spdx
          sbom_format: json
          alerts_based_on_file: false

      - run: |
          # By default the SBOM file is written to the root directory of the
          # repository; this example moves it into the reports directory.
          mkdir -p reports
          mv SBOM.spdx.json reports/SBOM.spdx.json

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v5
        with:
          commit-message: 'chore: update sbom'
          title: 'chore: update sbom'
          branch: chore-update-sbom
          delete-branch: true
          author: GitHub <noreply@github.com>
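Combined example

The following workflow exercises the inputs from the Inputs section that the examples above do not show (scan_mode, a multi-directory exclude_dir, a CycloneDX SBOM and triage_input_file). It is an added illustration, not a workflow shipped with the action; the triage file name triage.vex.json is an assumption and must point at a CycloneDX VEX file you keep in the repository.

```yaml
name: CVE Binary Tool Scanner (SBOM + binaries, with triage)

on:
  pull_request:
  workflow_dispatch:

permissions:
  security-events: write   # required to publish alerts to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: intel/cve-bin-tool-action@main
        with:
          nvd_api_key: '${{ secrets.NVD_API_KEY }}'
          # Scan SBOM files as well as binary and requirements files.
          # Expect some duplicate findings between the two sources.
          scan_mode: both
          # Comma-separated, no spaces (see the exclude_dir note).
          exclude_dir: test,docs,node_modules
          # One alert per source file instead of one per component.
          alerts_based_on_file: true
          # Publish the generated SBOM as CycloneDX JSON.
          sbom_type: cyclonedx
          sbom_format: json
          # CycloneDX VEX file holding already-triaged findings
          # (file name is an assumption for this example).
          triage_input_file: triage.vex.json
```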
