From e6a219c6b3f8b217e9556fcbdc2c23be63192a2d Mon Sep 17 00:00:00 2001
From: Sonu Kapoor
Date: Sat, 4 Apr 2026 18:54:50 -0400
Subject: [PATCH] feat: add reusable GitHub Action

---
 README.md | 44 +++++++++++++++++-
 action.yml | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 177 insertions(+), 1 deletion(-)
 create mode 100644 action.yml

diff --git a/README.md b/README.md
index 2d72508..4f12b92 100644
--- a/README.md
+++ b/README.md
@@ -501,6 +501,49 @@ cve-lite . --offline
 This repository also uses CVE Lite CLI in its own GitHub Actions workflow to scan itself as part of CI. See [`self-scan.yml`](https://github.com/sonukapoor/cve-lite-cli/blob/main/.github/workflows/self-scan.yml).
+Use the reusable first-party GitHub Action in another repository:
+
+```yaml
+name: Dependency Scan
+
+on:
+ pull_request:
+ push:
+ branches: [main]
+
+jobs:
+ cve-lite:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: sonukapoor/cve-lite-cli@v1.1.1
+ with:
+ verbose: "true"
+ fail-on: high
+```
+
+For an offline GitHub Actions workflow that refreshes the advisory DB first:
+
+```yaml
+name: Offline Dependency Scan
+
+on:
+ pull_request:
+
+jobs:
+ cve-lite:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: sonukapoor/cve-lite-cli@v1.1.1
+ with:
+ sync-advisories: "true"
+ offline: "true"
+ offline-db: ./.cache/cve-lite/advisories.db
+ verbose: "true"
+ fail-on: high
+```
+
 For CI, we recommend using `--verbose` so build logs include the full fix plan, dependency paths, and detailed table output when a scan fails.
 Use it as a release gate in CI:
@@ -733,7 +776,6 @@ CVE Lite CLI is evolving from a vulnerability scanner into a comprehensive remed
 * **Deduplication Analysis:** Identify instances where multiple versions of the same vulnerable package exist and suggest a single version for consolidation.
 ### Phase 2: Ecosystem & Integration (Mid-Term)
-* **Official GitHub Action:** Create a dedicated Action for one-line setup in CI/CD pipelines.
 * **Expanded Lockfile Support:** Introduce parsers for emerging JS/TS ecosystems, including `bun.lockb`.
 * **IDE Integration:** Develop a lightweight extension to highlight vulnerable packages directly within the code editor.
 * **Workflow Integration Guidance:** Expand official workflow patterns for local scripts, hooks, CI, and offline developer adoption.
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..b6efab9
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,134 @@
+name: "CVE Lite CLI"
+description: "Run CVE Lite CLI in GitHub Actions for JS/TS dependency vulnerability scanning."
+author: "Sonu Kapoor"
+
+branding:
+ icon: "shield"
+ color: "green"
+
+inputs:
+ node-version:
+ description: "Node.js version used to install and run CVE Lite CLI"
+ required: false
+ default: "20"
+ path:
+ description: "Project path to scan"
+ required: false
+ default: "."
+ fail-on:
+ description: "Exit non-zero at or above this severity"
+ required: false
+ default: ""
+ verbose:
+ description: "Run the scan with verbose output"
+ required: false
+ default: "false"
+ prod-only:
+ description: "Exclude dev dependencies where available"
+ required: false
+ default: "false"
+ offline:
+ description: "Run the scan using the local advisory database"
+ required: false
+ default: "false"
+ offline-db:
+ description: "Path to the local advisory database file"
+ required: false
+ default: ""
+ sync-advisories:
+ description: "Build or refresh the local advisory database before scanning"
+ required: false
+ default: "false"
+
+runs:
+ using: "composite"
+ steps:
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ inputs.node-version }}
+ cache: npm
+ cache-dependency-path: ${{ github.action_path }}/package-lock.json
+
+ - name: Install CVE Lite CLI dependencies
+ shell: bash
+ working-directory: ${{ github.action_path }}
+ run: npm ci
+
+ - name: Build CVE Lite CLI
+ shell: bash
+ working-directory: ${{ github.action_path }}
+ run: npm run build
+
+ - name: Resolve action inputs
+ id: resolve
+ shell: bash
+ env:
+ INPUT_PATH: ${{ inputs.path }}
+ INPUT_OFFLINE: ${{ inputs.offline }}
+ INPUT_OFFLINE_DB: ${{ inputs.offline-db }}
+ INPUT_SYNC_ADVISORIES: ${{ inputs.sync-advisories }}
+ run: |
+ set -euo pipefail
+
+ project_path="${INPUT_PATH:-.}"
+ requested_offline_db="${INPUT_OFFLINE_DB:-}"
+ use_offline="false"
+ resolved_offline_db=""
+
+ if [[ "${INPUT_OFFLINE}" == "true" || "${INPUT_SYNC_ADVISORIES}" == "true" || -n "${requested_offline_db}" ]]; then
+ use_offline="true"
+ resolved_offline_db="${requested_offline_db:-./.cache/cve-lite/advisories.db}"
+ fi
+
+ {
+ echo "project-path=${project_path}"
+ echo "use-offline=${use_offline}"
+ echo "offline-db=${resolved_offline_db}"
+ } >> "$GITHUB_OUTPUT"
+
+ - name: Sync local advisory database
+ if: ${{ inputs.sync-advisories == 'true' }}
+ shell: bash
+ working-directory: ${{ github.workspace }}
+ env:
+ ACTION_PATH: ${{ github.action_path }}
+ OFFLINE_DB_PATH: ${{ steps.resolve.outputs.offline-db }}
+ run: |
+ set -euo pipefail
+ mkdir -p "$(dirname "${OFFLINE_DB_PATH}")"
+ node "${ACTION_PATH}/dist/index.js" advisories sync --output "${OFFLINE_DB_PATH}"
+
+ - name: Run CVE Lite CLI scan
+ shell: bash
+ working-directory: ${{ github.workspace }}
+ env:
+ ACTION_PATH: ${{ github.action_path }}
+ PROJECT_PATH: ${{ steps.resolve.outputs.project-path }}
+ USE_OFFLINE: ${{ steps.resolve.outputs.use-offline }}
+ OFFLINE_DB_PATH: ${{ steps.resolve.outputs.offline-db }}
+ INPUT_FAIL_ON: ${{ inputs.fail-on }}
+ INPUT_VERBOSE: ${{ inputs.verbose }}
+ INPUT_PROD_ONLY: ${{ inputs.prod-only }}
+ run: |
+ set -euo pipefail
+
+ args=("${PROJECT_PATH}")
+
+ if [[ "${INPUT_VERBOSE}" == "true" ]]; then
+ args+=("--verbose")
+ fi
+
+ if [[ "${INPUT_PROD_ONLY}" == "true" ]]; then
+ args+=("--prod-only")
+ fi
+
+ if [[ -n "${INPUT_FAIL_ON}" ]]; then
+ args+=("--fail-on" "${INPUT_FAIL_ON}")
+ fi
+
+ if [[ "${USE_OFFLINE}" == "true" ]]; then
+ args+=("--offline-db" "${OFFLINE_DB_PATH}")
+ fi
+
+ node "${ACTION_PATH}/dist/index.js" "${args[@]}"
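Review bot: The "Resolve action inputs" step sets `use-offline=true` whenever `offline`, `sync-advisories` or `offline-db` is supplied, but nothing verifies that the resolved database file exists when `sync-advisories` is not `true`; on a fresh runner `offline: "true"` alone resolves to `./.cache/cve-lite/advisories.db`, which no step in this action creates or restores, so the scan step presumably hands the CLI a missing `--offline-db` path and the failure surfaces late and without a clear cause. A guard after the `fi` in that script fails fast with an actionable message, e.g. `if [[ "${use_offline}" == "true" && "${INPUT_SYNC_ADVISORIES}" != "true" && ! -f "${resolved_offline_db}" ]]; then echo "::error::Offline advisory database not found at ${resolved_offline_db}; set sync-advisories=true or restore it before this action"; exit 1; fi`. Note also that the scan step only ever appends `--offline-db` and never `--offline`, while the README context line shows `cve-lite . --offline`; if the CLI does not treat `--offline-db` as implying offline mode, the `offline` input selects a database path but does not actually suppress network lookups, which is worth confirming against the CLI's option handling and stating in the input's `description`. Separately, `actions/setup-node@v4` is referenced by a mutable tag; pinning it to a full commit SHA is the usual supply-chain hardening for a first-party action that other repositories will consume, and the `npm ci` and `npm run build` steps mean every consumer run also executes this project's dependency install scripts, which the README's "offline" wording should not obscure.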