GitHub Action Reference
CVE Lite CLI ships a first-party GitHub Action on the GitHub Marketplace.
```yaml
- uses: OWASP/cve-lite-cli@v1
  with:
    fail-on: high
    sarif: "true"
```
All inputs are optional. The action installs CVE Lite CLI, runs the scan, and exits with the scan's exit code so CI fails the same way the CLI does.
For usage patterns and complete workflow examples, see Workflow Integration.
Scan inputs
| Input | Default | Description | Example |
|---|---|---|---|
| `path` | `.` | Project path to scan | `path: ./packages/app` |
| `fail-on` | (none) | Exit non-zero at or above this severity (`critical`, `high`, `medium`, `low`) | `fail-on: high` |
| `all` | `false` | Show all findings regardless of the severity threshold | `all: "true"` |
| `verbose` | `false` | Full output: severity table, fix plan, findings table, coverage notes | `verbose: "true"` |
| `prod-only` | `false` | Exclude dev dependencies where the ecosystem distinguishes them | `prod-only: "true"` |
| `no-cache` | `true` | Skip the OSV query cache and fetch fresh results; defaults to `true` in CI | `no-cache: "false"` |
Output inputs
| Input | Default | Description | Example |
|---|---|---|---|
| `sarif` | `false` | Write SARIF 2.1.0 output to a timestamped `.sarif` file for GitHub Code Scanning upload | `sarif: "true"` |
| `report` | (none) | Write an HTML report to this directory path; `--no-open` is applied automatically | `report: "./cve-report"` |
| `cdx` | `false` | Write a CycloneDX 1.4 SBOM to a timestamped `.cdx.json` file | `cdx: "true"` |
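A scan workflow that pairs the `sarif` input with the Code Scanning upload step, as an added example and not part of the CVE Lite CLI project's own docs. It assumes the timestamped `.sarif` file is written into the scanned path (the repository root here) and hands that directory to `github/codeql-action/upload-sarif@v3`, which accepts a directory of SARIF files. Because the action exits with the scan's exit code, a `fail-on` hit fails the scan step; `if: always()` is what keeps the upload running so the findings still reach the Security tab.

```yaml
# Added example workflow; not the project's own code.
# Assumption: the .sarif file lands in the scanned path (repo root).
name: CVE Lite scan
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required by upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # a scan-only job needs no push credentials

      - uses: OWASP/cve-lite-cli@v1
        with:
          fail-on: high
          prod-only: "true"
          sarif: "true"

      # The scan step fails the job at or above fail-on, which would skip
      # later steps; always() uploads the SARIF regardless of that outcome.
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: .          # directory: every *.sarif under it is uploaded
          category: cve-lite     # keeps these alerts separate from other tools
```

`security-events: write` is the only extra permission the upload needs; keep `contents: read` so the scan job cannot push.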
Offline inputs
| Input | Default | Description | Example |
|---|---|---|---|
| `offline` | `false` | Run using the local advisory database only; no OSV API calls | `offline: "true"` |
| `offline-db` | (none) | Path to the advisory DB file; when offline mode is active and this is not set, defaults to `./.cache/cve-lite/advisories.db` | `offline-db: ./.cache/advisories.db` |
| `sync-advisories` | `false` | Build or refresh the local advisory database before scanning | `sync-advisories: "true"` |
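An offline scan workflow that keeps the advisory database warm between runs with `actions/cache`, as an added example and not part of the project's own docs. It relies on the documented default DB location `./.cache/cve-lite/advisories.db`, and it assumes that `sync-advisories` and `offline` can be combined in a single run (refresh the DB first, then scan against it); confirm that combination against your CLI version before depending on it. The cache key includes `github.run_id` so the freshly synced DB is saved on every run, while `restore-keys` pulls the most recent one back in.

```yaml
# Added example workflow; not the project's own code.
# Assumptions: default DB path ./.cache/cve-lite/advisories.db, and that
# sync-advisories + offline in one run means "refresh, then scan offline".
name: CVE Lite offline scan
on:
  pull_request:

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Exact key is unique per run, so the post-job save always happens;
      # restore-keys falls back to the newest previous DB for this OS.
      - uses: actions/cache@v4
        with:
          path: .cache/cve-lite
          key: cve-lite-advisories-${{ runner.os }}-${{ github.run_id }}
          restore-keys: |
            cve-lite-advisories-${{ runner.os }}-

      - uses: OWASP/cve-lite-cli@v1
        with:
          sync-advisories: "true"   # one bulk refresh from OSV (needs network)
          offline: "true"           # then resolve findings from the local DB only
          fail-on: high
```

If the runner has no outbound network at all, drop `sync-advisories` and populate the cache from a separate job that does have access; with the DB missing, offline mode has nothing to scan against.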
Usage and reachability inputs
| Input | Default | Description | Example |
|---|---|---|---|
| `usage` | `false` | Scan source files to detect which vulnerable packages are actually imported | `usage: "true"` |
| `only-used` | `false` | Only report findings for packages imported in source code (implies `usage`) | `only-used: "true"` |
Override hygiene inputs
| Input | Default | Description | Example |
|---|---|---|---|
| `check-overrides` | `false` | Run override hygiene checks (OA001-OA008) inline with the scan | `check-overrides: "true"` |
| `overrides` | `false` | Run a dedicated override audit as a separate step in addition to the scan | `overrides: "true"` |
| `overrides-fail-on` | (none) | Exit non-zero when the override audit finds an issue at or above this severity (used with `overrides: "true"`) | `overrides-fail-on: high` |
| `check-network` | `false` | Allow the override audit to make registry calls for the OA007 drift check | `check-network: "true"` |
| `audit-log` | (none) | Stream override detection and fix events as NDJSON to this path | `audit-log: ./audit.ndjson` |
Network and proxy inputs
| Input | Default | Description | Example |
|---|---|---|---|
| `ca-cert` | (none) | Path to a PEM CA certificate file for corporate TLS inspection proxies | `ca-cert: ./certs/ca.pem` |
Fix mode inputs
| Input | Default | Description | Example |
|---|---|---|---|
| `fix` | `false` | Apply validated direct dependency upgrades automatically. Only direct dependencies with OSV-validated fix versions are upgraded. | `fix: "true"` |
| `create-pr` | `false` | Open or update a single batched pull request with the applied fixes. Requires `fix: "true"` and `contents: write` plus `pull-requests: write` permissions on the workflow. | `create-pr: "true"` |
| `base-branch` | (repo default) | Target branch for the fix PR. Defaults to the repository's default branch. | `base-branch: main` |
| `labels` | `dependencies,security` | Comma-separated labels applied to the fix PR. Labels are created in the repo if they do not exist. | `labels: "deps,security,automated"` |
| `token` | (workflow token) | GitHub token for PR creation. Leave empty to use the built-in workflow token. Must have `contents: write` and `pull-requests: write`. Note that GitHub does not start other workflows for pushes or PRs made with the built-in `GITHUB_TOKEN`, so the fix PR will not get your normal CI checks unless you supply a PAT or GitHub App token here. | `token: ${{ secrets.GITHUB_TOKEN }}` |
Scheduled fix workflow (Dependabot alternative)
Add this file to your repository as .github/workflows/cve-lite-fix.yml to automatically open a pull request with validated dependency upgrades every week:
```yaml
name: CVE Lite security fixes
on:
  schedule:
    - cron: '0 6 * * 1'   # every Monday at 6am UTC
  workflow_dispatch:      # allow manual runs
permissions:
  contents: write
  pull-requests: write
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}
      - uses: OWASP/cve-lite-cli@v1
        with:
          fix: 'true'
          create-pr: 'true'
```
Three things to get right:
- No `push` trigger. The Action force-pushes to the `cve-lite/fix` branch. A `push` trigger would re-run the workflow on that push, causing an infinite loop.
- No `persist-credentials: false` on checkout. The default (credentials persisted) is required for `git push` to work. If your existing scan workflow uses `persist-credentials: false`, do not copy that flag here.
- No `fail-on`. It is not appropriate in fix mode: transitive findings will always remain after direct fixes are applied, and failing the job on them would prevent the PR from being created.
How it behaves:
- If there are no direct dependency fixes available, the workflow exits silently with no PR.
- If a `cve-lite/fix` PR is already open, the next weekly run updates it in place with the latest findings.
- If the open PR was merged or closed, the next run creates a fresh PR.
- The PR body lists each upgraded package with its advisory IDs (GHSA-xxxx, CVE-xxxx) and before/after finding counts.
Action setup inputs
| Input | Default | Description | Example |
|---|---|---|---|
| `version` | `1` | CVE Lite CLI version to install (`1`, `1.24.0`, `latest`) | `version: "1.24.0"` |
| `node-version` | `20` | Node.js version used to install and run CVE Lite CLI | `node-version: "22"` |