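name: CVE Scan

# Least privilege for the default GITHUB_TOKEN. Only actions/checkout relies on
# it (read-only clone); the scan step and the triage dispatch both use the
# GIT_FABRIC_TOKEN secret explicitly, so nothing here needs write scope.
permissions:
  contents: read

on:
  schedule:
    - cron: "0 8 * * 1"  # Monday 08:00 UTC
  workflow_dispatch:
    inputs:
      severity_threshold:
        description: "Minimum severity to queue"
        required: false
        default: "HIGH"
        type: choice
        options:
          - CRITICAL
          - HIGH
          - MEDIUM
          - LOW
      dry_run:
        description: "Report findings without writing to queue"
        required: false
        default: false
        type: boolean
      # Free-form text from whoever dispatches the run; the scan step must
      # treat it as data (env var), never splice it into a shell command.
      repos:
        description: "Comma-separated repos to scan (blank = all managed)"
        required: false
        type: string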
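jobs:
  scan:
    name: Scan dependencies for CVEs
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      # Supply chain: these actions are referenced by mutable tags. Pinning each
      # `uses:` to a full commit SHA (uses: owner/action@<commit-sha>) removes
      # the tag-moved risk; the SHAs are not recorded on this page.
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
      - name: Install dependencies
        run: npm ci
      - name: Build
        run: npm run build
      - name: Run CVE scan
        env:
          # NOTE(review): GIT_FABRIC_TOKEN is used both here and for the triage
          # dispatch below; keep its scope to the state/managed repos it needs.
          GITHUB_TOKEN: ${{ secrets.GIT_FABRIC_TOKEN }}
          STATE_REPO: ${{ vars.STATE_REPO }}
          MANAGED_REPOS: ${{ vars.MANAGED_REPOS }}
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
          # Workflow inputs are handed to the shell through the environment
          # rather than expanded inside `run:`. `inputs.repos` is an arbitrary
          # string chosen by the dispatcher; interpolating it into the command
          # line would let it close the quoted argument and add shell text.
          # The `|| '...'` fallbacks keep the scheduled run (no inputs) on the
          # same defaults as before.
          SEVERITY_THRESHOLD: ${{ inputs.severity_threshold || 'HIGH' }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
          REPOS: ${{ inputs.repos }}
        shell: bash  # arrays below need bash (the ubuntu-latest default anyway)
        run: |
          args=(--severity-threshold "$SEVERITY_THRESHOLD" --dry-run "$DRY_RUN")
          # Only pass --repos when a value was supplied; blank means "all managed".
          if [ -n "$REPOS" ]; then
            args+=(--repos "$REPOS")
          fi
          node bin/cli.js scan "${args[@]}"
      - name: Trigger triage
        # Skipped on dry runs; on scheduled runs inputs.dry_run is unset, so
        # triage is triggered.
        if: ${{ inputs.dry_run != true }}
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GIT_FABRIC_TOKEN }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'cve-triage.yml',
              ref: 'main',
            });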