Note: please test this well before using in production, this is a sample action! The action itself should work, however it depends on how you wish to trigger it as you need a CVE-ID to make this action useful.
This GitHub Action checks a CVE security alert (e.g. from Dependabot) for known malware exploits using the Cisco Kenna Security VI+ API and a NodeJS GitHub Action. For more information on this API, please check out this blog post.
- Set the Kenna Security API Key (
KENNA_API_KEY
) as repository secrets in the repository that you want to run the action in. The CVE ID will be parsed automatically from the GitHub alert.
- Create a file called
kenna_cve_check.yml
with the following content in the.github/workflows
directory of your repository from where you want to run the action:
name: Check CVE with Kenna VI+ API JS Action
on:
pull_request:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- name: Dependabot fetch metadata
id: metadata
uses: dependabot/fetch-metadata@v1.3.1
with:
alert-lookup: true
compat-lookup: true
github-token: "${{ secrets.GITHUB_TOKEN }}"
- run: echo ${{ steps.dependabot-metadata.outputs }}
kenna_vi_api_call:
runs-on: ubuntu-latest
name: CVE Check for Malware Exploits with Kenna VI+ API
steps:
- name: GET Request Kenna VI+ API
uses: chrivand/action-webex-js@main
env:
KENNA_API_KEY: ${{ secrets.KENNA_API_KEY }}
CVE_ID: "${{ steps.dependabot-metadata.outputs.external-id }}"
- Adjust the
yml
file as needed, especially theCVE_ID
environment variable. You can for example trigger this based on security alerts or based on certain output of other actions that you have run before. This does NOT have to be Dependabot, it can also be a different (SAST) solution that produces a CVE-ID as output. Please check the GitHub documentation for all context that you can use.