GitHub Security Advisories Scraper — GHSA & CVE Feed
Pricing
from $3.00 / 1,000 results
GitHub Security Advisories Scraper — GHSA & CVE Feed
Extract GitHub Security Advisories (GHSA) with CVE IDs, CVSS scores, CWE classifications, affected packages, and patched version ranges. Filter by severity, ecosystem, or CVE ID. Fresh vulnerability intelligence for security and DevSecOps teams.
Pricing
from $3.00 / 1,000 results
Rating
0.0
(0)
Developer
Compute Edge
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
5 days ago
Last modified
Categories
Share
GitHub Security Advisories Scraper — CVE & Vulnerability Feed
Pull software vulnerability advisories directly from the GitHub Advisory Database — one of the most authoritative open-source vulnerability feeds, covering 13+ package ecosystems (npm, pip, Maven, NuGet, Go, RubyGems, crates.io, etc.) and cross-referencing CVE, CWE, and CVSS metadata.
What this Actor does
This Actor wraps GitHub's public /advisories API and outputs clean structured records of software vulnerabilities, including affected version ranges, fixed versions, severity, CVSS scores, and reference URLs.
Use cases:
- DevSecOps: Feed an internal vulnerability dashboard or SBOM scanner without standing up your own ingestion pipeline.
- Security research: Pull advisories filtered by CVE, CWE, or ecosystem for threat intel reports.
- Open-source maintainers: Monitor advisories that touch your dependency tree.
- Insurance/audit: Build evidence packs of disclosed vulnerabilities in third-party software.
- AI / LLM grounding: Ingest curated, structured CVE data into a RAG pipeline for security copilots.
How to scrape GitHub Security Advisories
- (Optional) Set Severity to
critical,high,medium, orlow. - (Optional) Set Ecosystem to focus on one package manager (
npm,pip,maven, etc.). - (Optional) Provide a CVE ID to pull a single advisory.
- (Optional) Set Published After (YYYY-MM-DD) to incrementally pull new entries.
- Set Max Results (default 200).
- Run.
Output fields
| Field | Description |
|---|---|
| ghsaId | GitHub Security Advisory ID (e.g. GHSA-xxxx-xxxx-xxxx) |
| cveId | Cross-referenced CVE identifier |
| summary | Short title |
| description | Full markdown description |
| severity | low / medium / high / critical |
| cvssScore | CVSS v3 base score (0–10) |
| cvssVector | Full CVSS vector string |
| cweIds | Common Weakness Enumeration IDs |
| ecosystems | List of affected package ecosystems |
| affectedPackages | Array of {ecosystem, name, vulnerableVersionRange, firstPatchedVersion} |
| references | External references (vendor advisories, commits, blog posts) |
| identifiers | Cross-identifiers (CVE, GHSA, etc.) |
| publishedAt / updatedAt / withdrawnAt | Timestamps |
| type | reviewed / unreviewed / malware |
| sourceCodeLocation | Repo URL when available |
| htmlUrl | Public advisory page |
Pricing
Pay-per-result. The unauthenticated GitHub API allows 60 requests/hour (100 advisories per request), so a single run cleanly returns up to ~6,000 results. For larger pulls, run incrementally with publishedAfter.
Example input
{"severity": "critical","ecosystem": "npm","publishedAfter": "2025-01-01","maxResults": 500}
Example output (single record)
{"ghsaId": "GHSA-248r-7h7q-cr24","cveId": "CVE-2026-45411","severity": "critical","cvssScore": 9.8,"ecosystems": ["npm"],"affectedPackages": [{"ecosystem":"npm","name":"vm2","vulnerableVersionRange":"<= 3.9.19","firstPatchedVersion":""}],"publishedAt": "2026-04-12T18:00:00Z","htmlUrl": "https://github.com/advisories/GHSA-248r-7h7q-cr24"}
FAQ
Q: Is this the same as the NVD CVE feed? No — GitHub's advisory database is curated, often published before NVD assigns a score, and is the canonical feed for advisories filed against GitHub-hosted projects. Use it together with NIST NVD for the fullest picture.
Q: What about malware advisories? Set type=malware to pull supply-chain malware advisories (e.g., malicious npm packages).
Q: Why not just use the GraphQL API? GraphQL requires authentication. This Actor uses the REST endpoint so it works out of the box.
Q: Are withdrawn advisories included? Yes — check the withdrawnAt field. Withdrawn entries usually indicate the report was a false positive.
Legal disclaimer
This Actor accesses the public GitHub Advisory Database REST API per GitHub's REST API terms. Output data is provided under GitHub's terms of service — attribute GitHub as the source when reusing the data. Not affiliated with or endorsed by GitHub, Inc.