
GitHub Action Reference

CVE Lite CLI ships a first-party GitHub Action on the GitHub Marketplace.

- uses: OWASP/cve-lite-cli@v1
  with:
    fail-on: high
    sarif: "true"

All inputs are optional. The action installs CVE Lite CLI, runs the scan, and exits with the scan's exit code so CI fails the same way the CLI does.

For usage patterns and complete workflow examples, see Workflow Integration.


Scan inputs

Input | Default | Description | Example
path | . | Project path to scan | path: ./packages/app
fail-on | (none) | Exit non-zero at or above this severity (critical, high, medium, low) | fail-on: high
all | false | Show all findings regardless of severity threshold | all: "true"
verbose | false | Full output: severity table, fix plan, findings table, coverage notes | verbose: "true"
prod-only | false | Exclude dev dependencies where available | prod-only: "true"
no-cache | true | Skip the OSV query cache and fetch fresh results; defaults to true in CI | no-cache: "false"

Output inputs

Input | Default | Description | Example
sarif | false | Write SARIF 2.1.0 output to a timestamped .sarif file for GitHub Code Scanning upload | sarif: "true"
report | (none) | Write an HTML report to this directory path; --no-open is applied automatically | report: "./cve-report"
cdx | false | Write a CycloneDX 1.4 SBOM to a timestamped .cdx.json file | cdx: "true"
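A complete scan workflow that combines the fail-on threshold with SARIF output and uploads the result to GitHub Code Scanning, added here as an example; it is not the project's own workflow. It assumes the timestamped .sarif file is written into the workspace root (this page does not state the directory), so the upload step points github/codeql-action/upload-sarif at the workspace directory, which that action accepts in place of a single file. The action reference keeps the page's @v1 tag; pin it to a commit SHA if your supply-chain policy requires it.

```yaml
name: CVE Lite scan

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: a scan only needs to read the repository and write
# Code Scanning results. No contents: write, no pull-requests: write.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # a scan never pushes, so keep the token out of .git

      - uses: OWASP/cve-lite-cli@v1
        with:
          fail-on: high       # job fails at high or critical
          sarif: "true"       # write the SARIF 2.1.0 file
          prod-only: "true"   # skip dev dependencies where the ecosystem supports it

      # Upload even when fail-on failed the previous step; otherwise the very
      # findings that broke the build never reach the repository's Security tab.
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: .   # assumption: the .sarif file lands in the workspace root
```

The `if: always()` on the upload step is the part most often missed: without it a `fail-on` failure skips the upload and the SARIF is lost with the job.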

Offline inputs

Input | Default | Description | Example
offline | false | Run using the local advisory database only; no OSV API calls | offline: "true"
offline-db | (empty) | Path to the advisory DB file; when offline mode is active and this is not set, defaults to ./.cache/cve-lite/advisories.db | offline-db: ./.cache/advisories.db
sync-advisories | false | Build or refresh the local advisory database before scanning | sync-advisories: "true"

Usage and reachability inputs

Input | Default | Description | Example
usage | false | Scan source files to detect which vulnerable packages are actually imported | usage: "true"
only-used | false | Only report findings for packages imported in source code (implies usage) | only-used: "true"

Override hygiene inputs

Input | Default | Description | Example
check-overrides | false | Run override hygiene checks (OA001-OA008) inline with the scan | check-overrides: "true"
overrides | false | Run a dedicated override audit as a separate step in addition to the scan | overrides: "true"
overrides-fail-on | (none) | Exit non-zero when the override audit finds an issue at or above this severity (used with overrides: true) | overrides-fail-on: high
check-network | false | Allow the override audit to make registry calls for the OA007 drift check | check-network: "true"
audit-log | (none) | Stream override detection and fix events as NDJSON to this path | audit-log: ./audit.ndjson
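A dedicated override-audit workflow that wires the inputs above together and preserves the NDJSON audit log as a build artifact, added here as an example rather than taken from the project's documentation. The pull_request path filter assumes an npm-style manifest and lockfiles; adjust it for the ecosystems you actually use, or drop it to audit every pull request.

```yaml
name: Override audit

on:
  pull_request:
    paths:                  # assumption: npm-style manifest and lockfiles
      - package.json
      - package-lock.json
      - pnpm-lock.yaml
      - yarn.lock

# The audit reads the repository and (with check-network) the package
# registry; it never needs write access to the repository.
permissions:
  contents: read

jobs:
  overrides:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - uses: OWASP/cve-lite-cli@v1
        with:
          overrides: "true"                 # separate audit step in addition to the scan
          overrides-fail-on: high           # fail the job on high or critical audit findings
          check-network: "true"             # required for the OA007 drift check
          audit-log: ./override-audit.ndjson

      # Keep the NDJSON event stream even when the audit failed the job, so the
      # reviewer can see exactly which override event triggered the failure.
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: override-audit-log
          path: ./override-audit.ndjson
```

Leave `check-network` at its default of false on workflows that must not reach the registry (for example, runners behind an egress allow-list); the OA007 drift check is then skipped rather than failing.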

Network and proxy inputs

Input | Default | Description | Example
ca-cert | (none) | Path to a PEM CA certificate file for corporate SSL inspection proxies | ca-cert: ./certs/ca.pem

Fix mode inputs

Input | Default | Description | Example
fix | false | Apply validated direct dependency upgrades automatically. Only direct dependencies with OSV-validated fix versions are upgraded. | fix: "true"
create-pr | false | Open or update a single batched pull request with the applied fixes. Requires fix: true and contents: write + pull-requests: write permissions on the workflow. | create-pr: "true"
base-branch | (repo default) | Target branch for the fix PR. Defaults to the repository's default branch. | base-branch: main
labels | dependencies,security | Comma-separated labels applied to the fix PR. Labels are created in the repo if they do not exist. | labels: "deps,security,automated"
token | (workflow token) | GitHub token for PR creation. Leave empty to use the built-in workflow token. Must have contents: write and pull-requests: write. | token: ${{ secrets.GITHUB_TOKEN }}

Scheduled fix workflow (Dependabot alternative)

Add this file to your repository as .github/workflows/cve-lite-fix.yml to automatically open a pull request with validated dependency upgrades every week:

name: CVE Lite security fixes

on:
  schedule:
    - cron: '0 6 * * 1' # every Monday at 6am UTC
  workflow_dispatch: # allow manual runs

permissions:
  contents: write
  pull-requests: write

jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}

      - uses: OWASP/cve-lite-cli@v1
        with:
          fix: 'true'
          create-pr: 'true'

Three things to get right:

  • No push trigger. The Action force-pushes to the cve-lite/fix branch. A push trigger would re-run the workflow on that push, causing an infinite loop.
  • No persist-credentials: false on checkout. The default (credentials persisted) is required for git push to work. If your existing scan workflow uses persist-credentials: false, do not copy that flag here.
  • No fail-on. Not appropriate in fix mode. Transitive findings will always remain after direct fixes are applied; failing the job on them would prevent the PR from being created.

How it behaves:

  • If there are no direct dependency fixes available, the workflow exits silently with no PR.
  • If a cve-lite/fix PR is already open, the next weekly run updates it in place with the latest findings.
  • If the open PR was merged or closed, the next run creates a fresh PR.
  • The PR body lists each upgraded package with its advisory IDs (GHSA-xxxx, CVE-xxxx) and before/after finding counts.

Action setup inputs

Input | Default | Description | Example
version | 1 | CVE Lite CLI version to install (1, 1.24.0, latest) | version: "1.24.0"
node-version | 20 | Node.js version used to install and run CVE Lite CLI | node-version: "22"