License: CISCO published

Cisco Kenna: Check CVE for Malware Exploits [DRAFT]

Note: please test this well before using in production, this is a sample action! The action itself should work, however it depends on how you wish to trigger it as you need a CVE-ID to make this action useful.

This GitHub Action checks a CVE security alert (e.g. from Dependabot) for known malware exploits using the Cisco Kenna Security VI+ API and a NodeJS GitHub Action. For more information on this API, please check out this blog post.

Usage

  1. Set the Kenna Security API Key (KENNA_API_KEY) as repository secrets in the repository that you want to run the action in. The CVE ID will be parsed automatically from the GitHub alert.

  1. Create a file called kenna_cve_check.yml with the following content in the .github/workflows directory of your repository from where you want to run the action:
name: Check CVE with Kenna VI+ API JS Action

on: 
  pull_request:

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot fetch metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.3.1
        with:
          alert-lookup: true
          compat-lookup: true
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - run: echo ${{ steps.dependabot-metadata.outputs }}

  kenna_vi_api_call:
    runs-on: ubuntu-latest
    name: CVE Check for Malware Exploits with Kenna VI+ API
    steps:
      - name: GET Request Kenna VI+ API
        uses: chrivand/action-webex-js@main
        env:
          KENNA_API_KEY: ${{ secrets.KENNA_API_KEY }}
          CVE_ID: "${{ steps.dependabot-metadata.outputs.external-id }}"
  1. Adjust the yml file as needed, especially the CVE_ID environment variable. You can for example trigger this based on security alerts or based on certain output of other actions that you have run before. This does NOT have to be Dependabot, it can also be a different (SAST) solution that produces a CVE-ID as output. Please check the GitHub documentation for all context that you can use.