GitHub Security Advisories Scraper

Pricing

$0.45 / 1,000 scraped advisories

GitHub Security Advisories Scraper for GHSA feeds, CVE lookup, package lookup, severity filters, CVSS, EPSS, CWE, fixed versions, references, credits, and advisory timestamps.

Developer

Maxime Dupré

Maintained by Community

🔎 GitHub security advisories for GHSA, CVE, and package checks

GitHub Security Advisories Scraper collects public GitHub Security Advisory records and saves them as clean Apify dataset rows. Use it to export GHSA feeds, look up known CVEs, check affected packages, and pull advisory facts such as CVSS, EPSS, CWE, vulnerable version ranges, fixed versions, references, credits, and timestamps.

📦 Data you can extract

Each dataset row is one successfully scraped GitHub Security Advisory. Fields can include:

  • ghsaId and cveIds
  • summary, description, classification, and severity
  • cvss with preferred score/vector plus v3 and v4 score/vector objects
  • epss percentage and percentile when GitHub provides them
  • cwes with CWE IDs and names
  • affectedPackages with ecosystem, package name, vulnerable version range, and first patched version
  • references, credits, sourceCodeLocation, and repositoryAdvisoryUrl
  • publishedAt, updatedAt, githubReviewedAt, nvdPublishedAt, and withdrawnAt

Missing source values are returned as null or empty arrays. The Actor does not invent CVE, CVSS, EPSS, CWE, package, patch, credit, or timestamp facts.

🚀 How to run it

  1. Open the Actor input.
  2. Fill one target section:
    • Collect advisory feed for recent or filtered GHSA exports.
    • GHSA IDs when you already know advisory IDs such as GHSA-jfh8-c2jp-5v3q.
    • CVE IDs when you want to map CVEs such as CVE-2021-44228 to GitHub Security Advisories.
    • Affected packages when you want advisories for packages such as org.apache.logging.log4j:log4j-core.
  3. Add optional filters for ecosystem, advisory type, severity, CWE, date windows, withdrawn status, sort order, or maximum advisories.
  4. Add a GitHub token only when you need larger public GitHub pulls.
  5. Run the Actor and open the dataset.

The default feed target is useful for a first run. Direct GHSA, CVE, or package targets override the default feed target when you provide them.

⚙️ Input options

Field and what it does:

  • collectFeed: Collects matching advisories from the public GitHub Security Advisories catalogue.
  • ghsaIds: Fetches exact GitHub Security Advisory IDs.
  • cveIds: Maps CVE IDs to linked GitHub Security Advisory records.
  • affectedPackages: Finds advisories for package names or package@version values.
  • ecosystems: Limits results to package ecosystems such as npm, pip, Maven, Go, RubyGems, Rust, Swift, and GitHub Actions.
  • advisoryTypes: Filters reviewed, unreviewed, or malware advisories.
  • severities: Filters critical, high, medium, low, or unknown advisories.
  • cweIds: Filters by CWE numbers such as 79 or CWE-862.
  • publishedFrom, publishedTo: Filters by advisory publication date.
  • updatedFrom, updatedTo: Filters by advisory update date.
  • modifiedAfter: Collects advisories changed after a date.
  • withdrawnOnly: Collects only advisories marked as withdrawn.
  • sortBy, sortDirection: Sorts feed results by published date, updated date, EPSS percentage, or EPSS percentile.
  • maxItems: Caps the number of advisory rows saved.
  • githubToken: Optional token for larger public GitHub pulls.

Example input:

  {
    "collectFeed": true,
    "severities": ["critical", "high"],
    "ecosystems": ["npm", "maven"],
    "publishedFrom": "2026-01-01",
    "sortBy": "published",
    "sortDirection": "desc",
    "maxItems": 25
  }

Exact CVE lookup:

  {
    "cveIds": ["CVE-2021-44228"],
    "maxItems": 5
  }

📄 Output example

  {
    "ghsaId": "GHSA-jfh8-c2jp-5v3q",
    "cveIds": ["CVE-2021-44228"],
    "summary": "Remote code injection in Log4j",
    "description": "Apache Log4j2 versions 2.0-beta9 through 2.15.0 are vulnerable to remote code execution.",
    "classification": "reviewed",
    "severity": "critical",
    "cvss": {
      "score": 10,
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "v3": {
        "score": 10,
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
      },
      "v4": {
        "score": null,
        "vector": null
      }
    },
    "epss": {
      "percentage": 0.94321,
      "percentile": 0.99874
    },
    "cwes": [
      {
        "cweId": "CWE-20",
        "name": "Improper Input Validation"
      }
    ],
    "affectedPackages": [
      {
        "ecosystem": "maven",
        "name": "org.apache.logging.log4j:log4j-core",
        "vulnerableVersionRange": ">= 2.0-beta9, < 2.3.2",
        "firstPatchedVersion": "2.3.2"
      }
    ],
    "references": [
      "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
    ],
    "credits": [
      {
        "login": "chenzhaojun",
        "type": "reporter"
      }
    ],
    "sourceCodeLocation": "https://github.com/apache/logging-log4j2",
    "repositoryAdvisoryUrl": "https://github.com/apache/logging-log4j2/security/advisories/GHSA-jfh8-c2jp-5v3q",
    "publishedAt": "2021-12-10T00:00:35Z",
    "updatedAt": "2025-01-14T08:36:01Z",
    "githubReviewedAt": "2021-12-10T00:00:00Z",
    "nvdPublishedAt": "2021-12-10T10:15:09Z",
    "withdrawnAt": null
  }
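As an added example (not part of the Actor or this page), a Python triage script that consumes dataset rows in the output shape above: it parses the vulnerableVersionRange string, checks an installed version against it, and keeps only non-withdrawn rows that are critical/high or whose EPSS percentage passes a threshold. The sample row is constructed to mirror the log4j example, and the version ordering is a simplified one written here, not any ecosystem's official comparison.

```python
import operator
import re

# Constructed sample row in the Actor's output shape, mirroring the page's log4j example.
SAMPLE_ROWS = [
    {"ghsaId": "GHSA-jfh8-c2jp-5v3q", "severity": "critical", "withdrawnAt": None,
     "epss": {"percentage": 0.94321}, "affectedPackages": [
         {"ecosystem": "maven", "name": "org.apache.logging.log4j:log4j-core",
          "vulnerableVersionRange": ">= 2.0-beta9, < 2.3.2", "firstPatchedVersion": "2.3.2"}]},
]
_CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)\s*(\S+)$")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}

def version_key(version):
    # Simplified ordering: numeric segments compare numerically (trailing zeros dropped),
    # a pre-release suffix such as beta9 sorts below the bare release; epochs/build metadata ignored.
    release, pre = [], []
    for tok in re.split(r"[.\-]", version.strip()):
        if tok.isdigit() and not pre:
            release.append(int(tok))
        else:
            word, num = re.match(r"([A-Za-z]*)(\d*)", tok).groups()
            pre.append((word.lower(), int(num or 0)))
    while release and release[-1] == 0:
        release.pop()
    return (tuple(release), 0 if pre else 1, tuple(pre))

def in_range(version, version_range):
    # True when version satisfies every comma-separated constraint, e.g. ">= 2.0-beta9, < 2.3.2".
    key = version_key(version)
    for part in version_range.split(","):
        m = _CONSTRAINT.match(part.strip())
        if m is None:
            raise ValueError(f"unsupported constraint: {part!r}")
        if not _OPS[m.group(1)](key, version_key(m.group(2))):
            return False
    return True

def triage(rows, inventory, min_epss=0.1):
    # inventory maps (ecosystem, package name) -> installed version; withdrawn rows are skipped.
    hits = []
    for row in rows:
        epss = (row.get("epss") or {}).get("percentage") or 0.0
        urgent = row.get("severity") in ("critical", "high") or epss >= min_epss
        if row.get("withdrawnAt") or not urgent:
            continue
        for pkg in row.get("affectedPackages") or []:
            installed = inventory.get((pkg["ecosystem"], pkg["name"]))
            if installed and in_range(installed, pkg["vulnerableVersionRange"]):
                hits.append((row["ghsaId"], pkg["name"], installed, pkg["firstPatchedVersion"]))
    return hits
```

Note that one affectedPackages entry is one range only: an installed 2.14.1 is outside this row's range even though the advisory also covers later branches in separate entries, so match every entry rather than the first one.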

💳 Pricing

This Actor uses pay-per-event pricing. You are charged for each successfully scraped advisory row. Empty runs, no-result lookups, and failed lookups do not create result charges.

🔌 Integrations

  • Export rows as JSON, CSV, Excel, XML, RSS, or HTML from the dataset.
  • Call the Actor through the Apify API for CI, security dashboards, or internal tools.
  • Schedule recurring runs to monitor new or updated advisories.
  • Connect runs to webhooks so downstream systems receive fresh advisory data.
  • Send dataset exports to spreadsheets, warehouses, BI tools, or vulnerability triage workflows.

❓ FAQ

🔎 Can this work as a GHSA scraping tool for GitHub API data?

Yes. It collects GHSA records from the public GitHub Security Advisories API and saves them as Apify dataset rows. That makes it useful when you want a scraper-style workflow around GitHub API data.

🔌 Can I use this as a GitHub advisory database API?

Yes. You can run the Actor through the Apify API and read the default dataset items after each run. The output is structured for automation, exports, and recurring advisory checks.

📥 Can I download the GitHub advisory database?

You can export the rows collected by each run as JSON, CSV, Excel, XML, RSS, or HTML. Use maxItems, filters, and schedules to control how much of the public advisory catalogue you collect.

🧩 Does it support CVE and package lookups?

Yes. You can submit CVE IDs to find linked GitHub Security Advisories, or submit affected package names and package@version values to find matching advisories.

🔑 Do I need a GitHub token?

No, not for normal small public runs. Add an optional GitHub token when you need larger pulls and want higher public GitHub rate limits.

🛑 What happens when no advisory matches my input?

The run finishes successfully, logs that no GitHub Security Advisories matched, and saves no dataset rows. You are not charged for result rows that do not exist.

⚙️ Why not use the GitHub API?

Use the GitHub API when you want to build and maintain your own integration. Use this Actor when you want Apify inputs, datasets, exports, schedules, webhooks, and a reusable scraper workflow around the same source data.

🧭 What are GitHub alternatives?

For broader vulnerability coverage, teams often compare GitHub Security Advisories with NVD, OSV.dev, CISA KEV, EPSS, and package-specific security feeds. This Actor stays focused on GitHub Security Advisories and does not merge those other sources into the output.

📝 Changelog

  • 0.1: Initial release.

🆘 Support

For issues, questions, or feature requests, file a ticket and I'll fix or implement it in less than 24h 🫡

🔗 Other actors

Made with ❤️ by Maxime Dupré