Scanning your repository for known vulnerabilities is essential to maintaining secure software. We recommend using data from the National Vulnerability Database (NVD).
By default, all repositories under the Fermi-AD organization have GitHub Dependabot enabled. To view the security alerts:
For information on supported repositories and programming languages, refer to the Dependabot documentation.
Another option for vulnerability scanning is the CVE Binary Tool, a free, open source tool. It uses data from the National Vulnerability Database (NVD), as well as from Red Hat, the Open Source Vulnerability Database (OSV), the GitLab Advisory Database (GAD), and Curl. “It is intended to be used as part of your continuous integration system to enable regular vulnerability scanning and give you early warning of known issues in your supply chain. It can also be used to auto-detect components and create SBOMs.”
You can set up a GitHub Action to run the CVE Binary Tool as part of your CI/CD pipeline. Below is an example workflow:
```yaml
# .github/workflows/cve-scanner.yml
name: CVE Binary Tool Scanner
on:
  pull_request:
    branches: [ main ]
  workflow_dispatch:
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: intel/cve-bin-tool-action@main
```
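As an added example (not part of this page or of the cve-bin-tool project), a small Python gate that reads a JSON report produced by the scanner and fails the job when any finding meets a severity threshold, so the "early warning" above becomes a blocking check. The report below is constructed, and the field names (`product`, `version`, `cve_number`, `severity`) are my assumption about the report's columns; check them against a report from your own run before relying on the gate.

```python
"""Fail a CI step when a cve-bin-tool JSON report has findings at or above a threshold.

Usage: python cve_gate.py report.json HIGH   (with no arguments, the constructed sample runs)
"""
import json
import sys

# Order used to compare severities; UNKNOWN ranks lowest so it only trips an explicit UNKNOWN gate.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the assumed shape of a cve-bin-tool JSON report: a list of
# finding objects. CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps([
    {"vendor": "example-vendor", "product": "libexample", "version": "1.0.0",
     "cve_number": "CVE-0000-0001", "severity": "CRITICAL", "score": 9.8},
    {"vendor": "example-vendor", "product": "libother", "version": "2.3.1",
     "cve_number": "CVE-0000-0002", "severity": "LOW", "score": 3.1},
    {"vendor": "example-vendor", "product": "libthird", "version": "0.9",
     "cve_number": "CVE-0000-0003", "severity": "unknown", "score": 0.0},
])


def rank(finding):
    """Severity rank of one finding; a missing or unrecognised severity ranks lowest
    instead of raising, so one malformed entry cannot crash (and thereby skip) the gate."""
    return SEVERITY_RANK.get(str(finding.get("severity", "")).upper(), 0)


def findings_at_or_above(report_text, threshold):
    """Return the findings whose severity meets the threshold, most severe first."""
    limit = SEVERITY_RANK[threshold.upper()]
    hits = [f for f in json.loads(report_text) if rank(f) >= limit]
    return sorted(hits, key=rank, reverse=True)


def summarize(findings):
    """One log line per finding, suitable for the CI job output."""
    return [f"{str(f.get('severity', 'UNKNOWN')).upper():8} {f.get('cve_number', '?')} "
            f"{f.get('product', '?')} {f.get('version', '?')}" for f in findings]


def main(argv):
    report_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    hits = findings_at_or_above(report_text, threshold)
    for line in summarize(hits):
        print(line)
    print(f"{len(hits)} finding(s) at or above {threshold.upper()}")
    return 1 if hits else 0  # non-zero exit fails the CI step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```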