fix: update ci-integration.md to use OWASP org refs and add --all to CI examples (#248)

sonukapoor · web-flow · commit 8fd7dacb2163 · 2026-04-28T12:36:16.000-04:00
Replaces three remaining sonukapoor/cve-lite-cli references with OWASP/cve-lite-cli. Adds --all to CLI and GitHub Actions CI examples so build logs surface all findings, and adds the corresponding all input to action.yml. Closes #247
diff --git a/action.yml b/action.yml
@@ -19,6 +19,10 @@ inputs:
     description: "Exit non-zero at or above this severity"
     required: false
     default: ""
+  all:
+    description: "Show all findings in the table regardless of severity threshold"
+    required: false
+    default: "false"
   verbose:
     description: "Run the scan with verbose output"
     required: false
@@ -105,6 +109,7 @@ runs:
         PROJECT_PATH: ${{ steps.resolve.outputs.project-path }}
         USE_OFFLINE: ${{ steps.resolve.outputs.use-offline }}
         OFFLINE_DB_PATH: ${{ steps.resolve.outputs.offline-db }}
+        INPUT_ALL: ${{ inputs.all }}
         INPUT_FAIL_ON: ${{ inputs.fail-on }}
         INPUT_VERBOSE: ${{ inputs.verbose }}
         INPUT_PROD_ONLY: ${{ inputs.prod-only }}
@@ -113,6 +118,10 @@ runs:
 
         args=("${PROJECT_PATH}")
 
+        if [[ "${INPUT_ALL}" == "true" ]]; then
+          args+=("--all")
+        fi
+
         if [[ "${INPUT_VERBOSE}" == "true" ]]; then
           args+=("--verbose")
         fi
diff --git a/docs/ci-integration.md b/docs/ci-integration.md
@@ -65,18 +65,18 @@ This works well in a `pre-push` hook or another team-approved hook to catch high
 ### Basic release gate
 
 ```bash
-cve-lite . --verbose --fail-on high
+cve-lite . --all --verbose --fail-on high
 ```
 
-Use `--verbose` in CI so build logs include the full fix plan, dependency paths, detailed table output, and suggested fix commands when a scan fails.
+Use `--all` so the build log includes every finding regardless of severity threshold. Use `--verbose` so the log includes the full fix plan, dependency paths, detailed table output, and suggested fix commands when a scan fails.
 
 ### Controlled or restricted environments
 
 Sync the advisory DB separately, then scan offline:
 
 ```bash
 cve-lite advisories sync --output ./.cache/advisories.db
-cve-lite . --offline-db ./.cache/advisories.db --verbose --fail-on high
+cve-lite . --all --offline-db ./.cache/advisories.db --verbose --fail-on high
 ```
 
 ---
@@ -100,13 +100,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: sonukapoor/cve-lite-cli@v1
+      - uses: OWASP/cve-lite-cli@v1
         with:
+          all: "true"
           verbose: "true"
           fail-on: high
 ```
 
-This repository also uses CVE Lite CLI in its own CI to scan itself. See [`self-scan.yml`](https://github.com/sonukapoor/cve-lite-cli/blob/main/.github/workflows/self-scan.yml).
+This repository also uses CVE Lite CLI in its own CI to scan itself. See [`self-scan.yml`](https://github.com/OWASP/cve-lite-cli/blob/main/.github/workflows/self-scan.yml).
 
 ---
 
@@ -125,11 +126,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: sonukapoor/cve-lite-cli@v1
+      - uses: OWASP/cve-lite-cli@v1
         with:
           sync-advisories: "true"
           offline: "true"
           offline-db: ./.cache/cve-lite/advisories.db
+          all: "true"
           verbose: "true"
           fail-on: high
 ```
