
Action to detect if any open Dependabot alerts are in the CISA Known Exploited Vulnerabilities (KEV) Catalog of CVEs and fail the workflow.


ATTENTION

This repo has been archived. For updated versions, please visit https://github.com/advanced-security/dependabot-kev-action

Dependabot CISA Known Exploitable Vulnerabilities Action

Action that checks whether the CVE of any open Dependabot alert is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog and, if so, fails the workflow.


name: 'Dependabot KEV Action'
on: [push]

jobs:
  dependabot-kev-action:
    name: 'CISA KEV Compliance Check'
    runs-on: ubuntu-latest
    steps:
      - name: 'KEV Policy'
        uses: felickz/dependabot-kev-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.DEPENDABOT_KEV_GITHUB_TOKEN }}
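The check the action performs, as an added Python example (not the action's own PowerShell code): intersect the CVE IDs of a repository's open Dependabot alerts with the CVE IDs in the CISA KEV feed, and exit non-zero when there is a match. Field names follow the GitHub Dependabot alerts REST API (`security_advisory.cve_id`, `dependency.package.name`) and the KEV JSON feed (`vulnerabilities[].cveID`); the sample alerts and KEV entries are constructed, and the fetch helpers are only needed against live data.

```python
import json
import urllib.request
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

def fetch_json(url, token=None):
    """GET a JSON document; a GitHub token is sent as a bearer token."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def open_dependabot_alerts(owner, repo, token):
    """First page of open alerts (REST: /repos/{owner}/{repo}/dependabot/alerts)."""
    url = f"https://api.github.com/repos/{owner}/{repo}/dependabot/alerts?state=open&per_page=100"
    return fetch_json(url, token)

def kev_cve_ids(kev_catalog):
    """Set of CVE IDs in the KEV feed (field 'cveID'), upper-cased for matching."""
    return {v["cveID"].strip().upper() for v in kev_catalog.get("vulnerabilities", [])}

def find_kev_alerts(alerts, kev_catalog):
    """Open alerts whose advisory CVE is in KEV; GHSA-only advisories (no CVE) are skipped."""
    kev = kev_cve_ids(kev_catalog)
    hits = []
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        cve = (alert.get("security_advisory") or {}).get("cve_id")
        if cve and cve.strip().upper() in kev:
            hits.append({"number": alert["number"], "cve": cve.strip().upper(),
                         "package": alert["dependency"]["package"]["name"]})
    return hits

# Constructed sample data: not real alerts and not the live KEV feed.
SAMPLE_ALERTS = [
    {"number": 7, "state": "open", "security_advisory": {"cve_id": "cve-2099-0001"},
     "dependency": {"package": {"ecosystem": "npm", "name": "left-pad"}}},
    {"number": 8, "state": "open", "security_advisory": {"cve_id": None},  # GHSA-only
     "dependency": {"package": {"ecosystem": "pip", "name": "somepkg"}}},
    {"number": 9, "state": "dismissed", "security_advisory": {"cve_id": "CVE-2099-0002"},
     "dependency": {"package": {"ecosystem": "npm", "name": "otherpkg"}}},
]
SAMPLE_KEV = {"vulnerabilities": [{"cveID": "CVE-2099-0001"}, {"cveID": "CVE-2099-0002"}]}

if __name__ == "__main__":
    hits = find_kev_alerts(SAMPLE_ALERTS, SAMPLE_KEV)
    for h in hits:
        print(f"KEV match: Dependabot alert #{h['number']} {h['cve']} ({h['package']})")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the workflow step
```

Against a real repository, replace the samples with `open_dependabot_alerts(owner, repo, token)` and `fetch_json(KEV_URL)`, paginating the alerts endpoint for large repositories.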

Required Credentials

  • GITHUB_TOKEN
    • Classic Tokens
      • repo scope or security_events scope. For public repositories, you may instead use the public_repo scope.
    • Fine-grained personal access token permissions