GitHub Security Advisories Scraper
Under maintenancePricing
$0.01 / 1,000 scraped advisories
GitHub Security Advisories Scraper
Under maintenanceGitHub Security Advisories Scraper for GHSA feeds, CVE lookup, package lookup, severity filters, CVSS, EPSS, CWE, fixed versions, references, credits, and advisory timestamps.
Pricing
$0.01 / 1,000 scraped advisories
Rating
0.0
(0)
Developer
Maxime Dupré
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
7 days ago
Last modified
Categories
Share
🔎 GitHub advisory database API for GHSA exports
GitHub Security Advisories Scraper collects public GitHub Security Advisory records and saves clean rows for AppSec, DevSecOps, vulnerability research, and dependency-risk workflows. Use it to export GHSA feeds, map CVEs, check affected packages, and pull source-backed advisory facts such as CVSS, EPSS, CWE, vulnerable ranges, fixed versions, references, credits, and timestamps.
- github advisory database api - run focused GitHub Advisory Database pulls from Apify and read the results through the Apify API.
- github security advisory database - build repeatable GHSA exports with severity, ecosystem, advisory type, CWE, date, and withdrawn-advisory filters.
- github advisory database download - export analysis-ready advisory rows to JSON, CSV, Excel, XML, RSS, or HTML.
- GitHub Security Advisories scraper GitHub API GHSA scraping tool - use a ready-made Actor when you want GitHub API data in Apify datasets, schedules, webhooks, or integrations.
- CVE and package advisory lookup - map CVE IDs or affected package names to matching GitHub Security Advisories with patched-version and reference data.
📦 Data you can extract
Each dataset row is one successfully scraped GitHub Security Advisory. Fields can include:
ghsaIdandcveIdssummary,description,classification, andseveritycvsswith preferred score/vector plus v3 and v4 score/vector objectsepsspercentage and percentile when GitHub provides themcweswith CWE IDs and namesaffectedPackageswith ecosystem, package name, vulnerable version range, and first patched versionreferences,credits,sourceCodeLocation, andrepositoryAdvisoryUrlpublishedAt,updatedAt,githubReviewedAt,nvdPublishedAt, andwithdrawnAt
Missing source values are returned as null or empty arrays. The Actor does not invent CVE, CVSS, EPSS, CWE, package, patch, credit, or timestamp facts.
🚀 How to run it
- Open the Actor input.
- Fill one target section:
- Collect advisory feed for recent or filtered GHSA exports.
- GHSA IDs when you already know advisory IDs such as
GHSA-jfh8-c2jp-5v3q. - CVE IDs when you want to map CVEs such as
CVE-2021-44228to GitHub Security Advisories. - Affected packages when you want advisories for packages such as
org.apache.logging.log4j:log4j-core.
- Add optional filters for ecosystem, advisory type, severity, CWE, date windows, withdrawn status, sort order, or maximum advisories.
- Add a GitHub token only when you need larger public GitHub pulls.
- Run the Actor and open the dataset.
The default feed target is useful for a first run. Direct GHSA, CVE, or package targets override the default feed target when you provide them.
⚙️ Input options
| Field | What it does |
|---|---|
collectFeed | Collects matching advisories from the public GitHub Security Advisories catalogue. |
ghsaIds | Fetches exact GitHub Security Advisory IDs. |
cveIds | Maps CVE IDs to linked GitHub Security Advisory records. |
affectedPackages | Finds advisories for package names or package@version values. |
ecosystems | Limits results to package ecosystems such as npm, pip, Maven, Go, RubyGems, Rust, Swift, and GitHub Actions. |
advisoryTypes | Filters reviewed, unreviewed, or malware advisories. |
severities | Filters critical, high, medium, low, or unknown advisories. |
cweIds | Filters by CWE numbers such as 79 or CWE-862. |
publishedFrom, publishedTo | Filters by advisory publication date. |
updatedFrom, updatedTo | Filters by advisory update date. |
modifiedAfter | Collects advisories changed after a date. |
withdrawnOnly | Collects only advisories marked as withdrawn. |
sortBy, sortDirection | Sorts feed results by published date, updated date, EPSS percentage, or EPSS percentile. |
maxItems | Caps the number of advisory rows saved. |
githubToken | Optional token for larger public GitHub pulls. |
Example feed input:
{"collectFeed": true,"severities": ["critical", "high"],"ecosystems": ["npm", "maven"],"publishedFrom": "2026-01-01","sortBy": "published","sortDirection": "desc","maxItems": 25}
Exact CVE lookup:
{"cveIds": ["CVE-2021-44228"],"maxItems": 5}
📄 Output example
{"ghsaId": "GHSA-jfh8-c2jp-5v3q","cveIds": ["CVE-2021-44228"],"summary": "Remote code injection in Log4j","description": "Apache Log4j2 versions 2.0-beta9 through 2.15.0 are vulnerable to remote code execution.","classification": "reviewed","severity": "critical","cvss": {"score": 10,"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","v3": {"score": 10,"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},"v4": {"score": null,"vector": null}},"epss": {"percentage": 0.94321,"percentile": 0.99874},"cwes": [{"cweId": "CWE-20","name": "Improper Input Validation"}],"affectedPackages": [{"ecosystem": "maven","name": "org.apache.logging.log4j:log4j-core","vulnerableVersionRange": ">= 2.0-beta9, < 2.3.2","firstPatchedVersion": "2.3.2"}],"references": ["https://nvd.nist.gov/vuln/detail/CVE-2021-44228"],"credits": [{"login": "chenzhaojun","type": "reporter"}],"sourceCodeLocation": "https://github.com/apache/logging-log4j2","repositoryAdvisoryUrl": "https://github.com/apache/logging-log4j2/security/advisories/GHSA-jfh8-c2jp-5v3q","publishedAt": "2021-12-10T00:00:35Z","updatedAt": "2025-01-14T08:36:01Z","githubReviewedAt": "2021-12-10T00:00:00Z","nvdPublishedAt": "2021-12-10T10:15:09Z","withdrawnAt": null}
💳 Pricing
This Actor uses pay-per-event pricing. You are charged for each successfully scraped advisory. Empty runs, no-result lookups, and failed lookups do not create result charges.
🔌 Integrations
- Export rows as JSON, CSV, Excel, XML, RSS, or HTML from the dataset.
- Call the Actor through the Apify API for CI, security dashboards, or internal tools.
- Schedule recurring runs to monitor new or updated advisories.
- Connect runs to webhooks so downstream systems receive fresh advisory data.
- Send dataset exports to spreadsheets, warehouses, BI tools, or vulnerability triage workflows.
❓ FAQ
🔎 Can this work as a GitHub Security Advisories scraper tool with the GitHub API?
Yes. It collects public GHSA records from GitHub Security Advisories and saves them as Apify dataset rows. Use it when you want scraper-style exports around the same source data.
🔌 Can I use this as a GitHub advisory database API?
Yes. You can run the Actor through the Apify API and read the default dataset items after each run. The output is structured for automation, exports, and recurring advisory checks.
📥 Can I download the GitHub advisory database?
You can export the rows collected by each run as JSON, CSV, Excel, XML, RSS, or HTML. Use maxItems, filters, and schedules to control how much of the public advisory catalogue you collect.
🧩 Does it support CVE and package lookups?
Yes. You can submit CVE IDs to find linked GitHub Security Advisories, or submit affected package names and package@version values to find matching advisories.
🔑 Do I need a GitHub token?
No for normal small public runs. Add an optional GitHub token when you need larger pulls and want higher public GitHub rate limits.
🛑 What happens when no advisory matches my input?
The run finishes successfully, logs that no GitHub Security Advisories matched, and saves no dataset rows. You are not charged for result rows that do not exist.
⚙️ Why not use the GitHub API?
Use the GitHub API when you want to build and maintain your own integration. Use this Actor when you want Apify inputs, datasets, exports, schedules, webhooks, and a reusable scraper workflow around the same source data.
🧭 What are GitHub alternatives?
For broader vulnerability coverage, teams often compare GitHub Security Advisories with GitLab security advisories, NVD, OSV.dev, CISA KEV, EPSS, and package-specific security feeds. This Actor stays focused on GitHub Security Advisories and does not merge those other sources into the output.
📝 Changelog
- 0.1: Initial release.
🆘 Support
For issues, questions, or feature requests, file a ticket and I'll fix or implement it in less than 24h 🫡
🔗 Other actors
- SSL Certificate Checker ↗ - Monitor public HTTPS certificates, expiry, trust, hostname match, and TLS posture.
- Email MX Verifier ↗ - Check email syntax, MX records, disposable domains, role addresses, free providers, typo suggestions, and delivery risk.
- Sitemap Validator ↗ - Validate public XML sitemaps and check listed URLs for status, redirects, and issues.
- Schema Markup Validator ↗ - Audit JSON-LD, Microdata, RDFa, meta tags, and rich-result readiness on public pages.
- YAML Validator & Converter ↗ - Validate YAML, JSON, and TOML, then convert valid documents for automation workflows.
Made with ❤️ by Maxime Dupré