Merge pull request #93 from sonukapoor/feature/issue-92-github-action

[Feature] Add a reusable first-party GitHub Action

Author: sonukapoor

README.md

@@ -501,6 +501,49 @@ cve-lite . --offline
 
 This repository also uses CVE Lite CLI in its own GitHub Actions workflow to scan itself as part of CI. See [`self-scan.yml`](https://github.com/sonukapoor/cve-lite-cli/blob/main/.github/workflows/self-scan.yml).
 
+Use the reusable first-party GitHub Action in another repository:
+
+```yaml
+name: Dependency Scan
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  cve-lite:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sonukapoor/cve-lite-cli@v1.1.1
+        with:
+          verbose: "true"
+          fail-on: high
+```
+
+For an offline GitHub Actions workflow that refreshes the advisory DB first:
+
+```yaml
+name: Offline Dependency Scan
+
+on:
+  pull_request:
+
+jobs:
+  cve-lite:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sonukapoor/cve-lite-cli@v1.1.1
+        with:
+          sync-advisories: "true"
+          offline: "true"
+          offline-db: ./.cache/cve-lite/advisories.db
+          verbose: "true"
+          fail-on: high
+```
+
 For CI, we recommend using `--verbose` so build logs include the full fix plan, dependency paths, and detailed table output when a scan fails.
 
 Use it as a release gate in CI:
@@ -733,7 +776,6 @@ CVE Lite CLI is evolving from a vulnerability scanner into a comprehensive remed
 * **Deduplication Analysis:** Identify instances where multiple versions of the same vulnerable package exist and suggest a single version for consolidation.
 
 ### Phase 2: Ecosystem & Integration (Mid-Term)
-* **Official GitHub Action:** Create a dedicated Action for one-line setup in CI/CD pipelines.
 * **Expanded Lockfile Support:** Introduce parsers for emerging JS/TS ecosystems, including `bun.lockb`.
 * **IDE Integration:** Develop a lightweight extension to highlight vulnerable packages directly within the code editor.
 * **Workflow Integration Guidance:** Expand official workflow patterns for local scripts, hooks, CI, and offline developer adoption.

action.yml

@@ -0,0 +1,134 @@
+name: "CVE Lite CLI"
+description: "Run CVE Lite CLI in GitHub Actions for JS/TS dependency vulnerability scanning."
+author: "Sonu Kapoor"
+
+branding:
+  icon: "shield"
+  color: "green"
+
+inputs:
+  node-version:
+    description: "Node.js version used to install and run CVE Lite CLI"
+    required: false
+    default: "20"
+  path:
+    description: "Project path to scan"
+    required: false
+    default: "."
+  fail-on:
+    description: "Exit non-zero at or above this severity"
+    required: false
+    default: ""
+  verbose:
+    description: "Run the scan with verbose output"
+    required: false
+    default: "false"
+  prod-only:
+    description: "Exclude dev dependencies where available"
+    required: false
+    default: "false"
+  offline:
+    description: "Run the scan using the local advisory database"
+    required: false
+    default: "false"
+  offline-db:
+    description: "Path to the local advisory database file"
+    required: false
+    default: ""
+  sync-advisories:
+    description: "Build or refresh the local advisory database before scanning"
+    required: false
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Node
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node-version }}
+        cache: npm
+        cache-dependency-path: ${{ github.action_path }}/package-lock.json
+
+    - name: Install CVE Lite CLI dependencies
+      shell: bash
+      working-directory: ${{ github.action_path }}
+      run: npm ci
+
+    - name: Build CVE Lite CLI
+      shell: bash
+      working-directory: ${{ github.action_path }}
+      run: npm run build
+
+    - name: Resolve action inputs
+      id: resolve
+      shell: bash
+      env:
+        INPUT_PATH: ${{ inputs.path }}
+        INPUT_OFFLINE: ${{ inputs.offline }}
+        INPUT_OFFLINE_DB: ${{ inputs.offline-db }}
+        INPUT_SYNC_ADVISORIES: ${{ inputs.sync-advisories }}
+      run: |
+        set -euo pipefail
+
+        project_path="${INPUT_PATH:-.}"
+        requested_offline_db="${INPUT_OFFLINE_DB:-}"
+        use_offline="false"
+        resolved_offline_db=""
+
+        if [[ "${INPUT_OFFLINE}" == "true" || "${INPUT_SYNC_ADVISORIES}" == "true" || -n "${requested_offline_db}" ]]; then
+          use_offline="true"
+          resolved_offline_db="${requested_offline_db:-./.cache/cve-lite/advisories.db}"
+        fi
+
+        {
+          echo "project-path=${project_path}"
+          echo "use-offline=${use_offline}"
+          echo "offline-db=${resolved_offline_db}"
+        } >> "$GITHUB_OUTPUT"
+
+    - name: Sync local advisory database
+      if: ${{ inputs.sync-advisories == 'true' }}
+      shell: bash
+      working-directory: ${{ github.workspace }}
+      env:
+        ACTION_PATH: ${{ github.action_path }}
+        OFFLINE_DB_PATH: ${{ steps.resolve.outputs.offline-db }}
+      run: |
+        set -euo pipefail
+        mkdir -p "$(dirname "${OFFLINE_DB_PATH}")"
+        node "${ACTION_PATH}/dist/index.js" advisories sync --output "${OFFLINE_DB_PATH}"
+
+    - name: Run CVE Lite CLI scan
+      shell: bash
+      working-directory: ${{ github.workspace }}
+      env:
+        ACTION_PATH: ${{ github.action_path }}
+        PROJECT_PATH: ${{ steps.resolve.outputs.project-path }}
+        USE_OFFLINE: ${{ steps.resolve.outputs.use-offline }}
+        OFFLINE_DB_PATH: ${{ steps.resolve.outputs.offline-db }}
+        INPUT_FAIL_ON: ${{ inputs.fail-on }}
+        INPUT_VERBOSE: ${{ inputs.verbose }}
+        INPUT_PROD_ONLY: ${{ inputs.prod-only }}
+      run: |
+        set -euo pipefail
+
+        args=("${PROJECT_PATH}")
+
+        if [[ "${INPUT_VERBOSE}" == "true" ]]; then
+          args+=("--verbose")
+        fi
+
+        if [[ "${INPUT_PROD_ONLY}" == "true" ]]; then
+          args+=("--prod-only")
+        fi
+
+        if [[ -n "${INPUT_FAIL_ON}" ]]; then
+          args+=("--fail-on" "${INPUT_FAIL_ON}")
+        fi
+
+        if [[ "${USE_OFFLINE}" == "true" ]]; then
+          args+=("--offline-db" "${OFFLINE_DB_PATH}")
+        fi
+
+        node "${ACTION_PATH}/dist/index.js" "${args[@]}"