GitHub Security Advisories Scraper

Pricing: from $23.63 / 1,000 results

Scrape the GitHub Global Security Advisories database. Filter by type (reviewed/unreviewed/malware), severity, affected package, CVE/GHSA ID, or publish date. Returns CVSS, CWE, affected version ranges, patched versions, references, and credits.

Rating: 0.0 (0)

Developer: ParseForge (Maintained by Community)

Actor stats: 0 Bookmarked · 2 Total users · 1 Monthly active users · Last modified a day ago

🐙 GitHub Security Advisories Scraper

🚀 Export the GitHub Security Advisories catalogue in seconds. Pull GHSA + CVE-paired advisories with CVSS v4 and v3 scores, affected packages, vulnerable version ranges, first-patched versions, and CWE weakness mappings across 13 ecosystems. No sign-up, no token, no manual pagination.

🕒 Last updated: 2026-05-15 · 📊 26 fields per record · 🐙 25,000+ advisories · 🌐 13 ecosystems · 🎯 CVSS v4 + v3 scoring

The GitHub Security Advisories Scraper pulls advisories from the GitHub Security Advisory database and returns 26 normalised fields per record, including the GHSA identifier, paired CVE, summary and full description, CVSS v4 and v3 base scores plus vector strings, every affected package and its vulnerable version range, the first patched version, CWE weakness list, references, credits, and review status. The catalogue is the primary source for npm, pip, RubyGems, Maven, NuGet, Composer, Go, Cargo, Hex, Pub, Swift, GitHub Actions, and other-ecosystem advisories used by Dependabot, GitHub Code Scanning, and the GHSA database itself.

The catalogue covers 25,000+ reviewed and community advisories spanning every major package ecosystem GitHub tracks, plus malware advisories that flag malicious packages discovered in the wild. This Actor makes that data downloadable as CSV, Excel, JSON, or XML in minutes. Filters apply at the source, so you skip pagination, severity normalisation, and patched-version extraction entirely.

| 🎯 Target Audience | 💡 Primary Use Cases |
|---|---|
| Security teams, vulnerability managers, package maintainers, SBOM tool builders, dependency-scanner vendors, incident responders, threat researchers | Dependabot enrichment, SBOM scanning, package risk reports, malware-package detection, CVE-to-GHSA cross-walks, ecosystem trend analysis |

📋 What the GitHub Security Advisories Scraper does

Multiple workflows in a single Actor:

  • 🆔 Single GHSA lookup. Fetch one advisory by its identifier (e.g. GHSA-jfh8-c2jp-5v3q).
  • 📦 Batch GHSA lookup. Pass an array of GHSA IDs and get every match in one run.
  • 🔎 CVE-paired lookup. Find the GHSA that wraps a given CVE.
  • 🎚️ Severity, type, and ecosystem filters. Restrict to Critical / High / Medium / Low, reviewed / unreviewed / malware, or any of 13 ecosystems.
  • 📦 Affects filter. Find every advisory that affects a specific package or package@version.
  • 🧬 CWE filter. Slice by weakness numbers (e.g. 79,89,787).
  • 📅 Published / updated / modified-after windows. Pull recent advisories or full date-range crawls for incremental syncs.
  • 🚫 Withdrawn-only filter. Surface advisories the GitHub team has marked as withdrawn.

Each record includes the GHSA and CVE IDs, identifiers list, summary and full description, advisory type, severity tier, source code location, references, publication and review timestamps, every affected package with vulnerable range, the first patched version, CVSS v4 and v3 scores, CWEs, and credits.

💡 Why it matters: GitHub Security Advisories are the upstream source for Dependabot and most modern dependency scanners. Building your own ingestion means handling pagination, the new cvss_severities shape with v3 + v4, multi-package affect ranges, and the GHSA-to-CVE alias model. This Actor skips all of that and gives you a clean, downloadable dataset.


🎬 Full Demo

🚧 Coming soon: a 3-minute walkthrough showing how to go from sign-up to a downloaded advisory dataset.


⚙️ Input

| Input | Type | Default | Behavior |
|---|---|---|---|
| ghsaId | string | "" | Single GHSA ID (e.g. GHSA-jfh8-c2jp-5v3q). |
| ghsaIds | string[] | [] | Batch list of GHSA IDs (recommended max ~100 per run). |
| cveId | string | "" | Filter to advisories with this CVE ID. |
| type | enum | "" | One of reviewed, unreviewed, malware. |
| severity | enum | "" | One of critical, high, medium, low, unknown. |
| ecosystem | enum | "" | One of 13 ecosystems: npm, pip, maven, rubygems, nuget, composer, go, rust, swift, pub, erlang, actions, other. |
| affects | string | "" | Comma-separated packages (e.g. lodash,axios@1.0.0). |
| cwes | string | "" | Comma-separated CWE numbers (e.g. 79,89,787). |
| published, updated, modifiedAfter | string | "" | ISO date or range like 2024-01-01..2024-12-31. |
| isWithdrawn | boolean | false | Restrict to withdrawn advisories. |
| maxItems | integer | 10 | Records to return. Free plan caps at 10, paid plan at 1,000,000. |

Example: every Critical npm advisory published in 2025.

{
  "type": "reviewed",
  "severity": "critical",
  "ecosystem": "npm",
  "published": "2025-01-01..2025-12-31",
  "maxItems": 500
}

Example: batch GHSA lookup.

{
  "ghsaIds": ["GHSA-jfh8-c2jp-5v3q", "GHSA-7rjr-3q55-vv33", "GHSA-8489-44mv-ggj8"]
}

⚠️ Good to Know: the GHSA database aliases CVEs, so the same vulnerability can appear under both a GHSA-xxxx-xxxx-xxxx ID and a CVE-xxxx-xxxxx ID. When mapping advisories back to your asset inventory, use the cve_id field to deduplicate against NVD-sourced data.
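The cross-walk the note describes, as an added example (not the Actor's own code): scraped records are keyed by cve_id where one exists and by ghsa_id otherwise, then folded together with NVD-sourced findings so duplicates collapse and GitHub-only advisories stay visible. Only the documented output fields ghsa_id, cve_id and severity are used; the NVD rows and all sample values are constructed.

```python
"""Cross-walk scraped GHSA records against NVD-sourced findings by CVE.

Added example, not the Actor's own code. It relies only on the documented
output fields ghsa_id, cve_id and severity; the NVD rows and every sample
value below are constructed for illustration.
"""
from __future__ import annotations

# Constructed sample: three scraped rows, one of which is a duplicate of
# the first (e.g. two overlapping filter runs pushed into the same store).
GHSA_RECORDS = [
    {"ghsa_id": "GHSA-aaaa-bbbb-cccc", "cve_id": "CVE-2021-0001",
     "severity": "critical", "summary": "constructed: RCE in libfoo"},
    {"ghsa_id": "GHSA-dddd-eeee-ffff", "cve_id": None,
     "severity": "high", "summary": "constructed: path traversal in libbar"},
    {"ghsa_id": "GHSA-aaaa-bbbb-cccc", "cve_id": "CVE-2021-0001",
     "severity": "critical", "summary": "constructed: RCE in libfoo"},
]

# Constructed sample: findings an NVD-based scanner already reported.
NVD_FINDINGS = [
    {"cve_id": "CVE-2021-0001", "severity": "critical"},
    {"cve_id": "CVE-2021-0002", "severity": "medium"},
]


def canonical_key(record: dict) -> str:
    """Key under which the same vulnerability is recognised across feeds.

    GHSA aliases CVEs, so a record that carries a cve_id is identified by
    that CVE; a GitHub-only advisory (cve_id null) falls back to its GHSA ID.
    """
    return record.get("cve_id") or record["ghsa_id"]


def merge_feeds(ghsa_records: list[dict], nvd_findings: list[dict]) -> dict[str, dict]:
    """Fold both feeds into one entry per vulnerability.

    Each entry records the CVE (if any), the GHSA ID (if any), a severity and
    the set of feeds that reported it, so duplicates collapse and GHSA-only
    advisories stay visible instead of being dropped as "unknown to NVD".
    """
    merged: dict[str, dict] = {}
    for finding in nvd_findings:
        merged[finding["cve_id"]] = {
            "cve_id": finding["cve_id"], "ghsa_id": None,
            "severity": finding["severity"], "sources": {"nvd"},
        }
    for rec in ghsa_records:
        entry = merged.setdefault(canonical_key(rec), {
            "cve_id": rec.get("cve_id"), "ghsa_id": None,
            "severity": None, "sources": set(),
        })
        entry["ghsa_id"] = rec["ghsa_id"]
        entry["sources"].add("ghsa")
        # NVD severity wins when both feeds scored it; GHSA fills the gap otherwise.
        if entry["severity"] is None:
            entry["severity"] = rec.get("severity")
    return merged


def ghsa_only(merged: dict[str, dict]) -> list[str]:
    """Vulnerabilities NVD has not published: these need GHSA-based tracking."""
    return sorted(k for k, v in merged.items() if v["sources"] == {"ghsa"})


if __name__ == "__main__":
    table = merge_feeds(GHSA_RECORDS, NVD_FINDINGS)
    for key, entry in sorted(table.items()):
        print(key, entry["ghsa_id"], entry["severity"], sorted(entry["sources"]))
    print("GHSA-only:", ghsa_only(table))
```

Keying on the CVE first matters because the same GHSA can be scraped more than once across overlapping filter runs, and because an NVD-only inventory would otherwise never learn the GHSA ID Dependabot uses for the same flaw.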


📊 Output

Each record contains 26 fields. Download the dataset as CSV, Excel, JSON, or XML.

🧾 Schema

| Field | Type | Example |
|---|---|---|
| 🆔 ghsa_id | string | "GHSA-jfh8-c2jp-5v3q" |
| 🔗 cve_id | string \| null | "CVE-2021-44228" |
| 🔗 url | string | "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" |
| 🔗 html_url | string \| null | "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q" |
| 📝 summary | string \| null | "Remote code injection in Log4j" |
| 📄 description | string \| null | "Apache Log4j2 versions 2.0-beta9..." |
| 🏷️ type | string \| null | "reviewed" |
| 🎚️ severity | string \| null | "critical" |
| 📂 source_code_location | string \| null | "https://github.com/apache/logging-log4j2" |
| 🪪 identifiers | object[] | [{ "type": "GHSA", "value": "GHSA-jfh8-c2jp-5v3q" }, { "type": "CVE", "value": "CVE-2021-44228" }] |
| 📚 references | string[] | ["https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "..."] |
| 📅 published_at | ISO 8601 \| null | "2021-12-10T00:00:35Z" |
| 🕒 updated_at | ISO 8601 \| null | "2025-01-14T08:36:01Z" |
| 👀 github_reviewed_at | ISO 8601 \| null | "2021-12-10T00:00:00Z" |
| 🛡️ nvd_published_at | ISO 8601 \| null | "2021-12-10T10:15:09Z" |
| 🚫 withdrawn_at | ISO 8601 \| null | null |
| 📦 vulnerabilities | object[] | [{ "package": { "ecosystem": "maven", "name": "org.apache.logging.log4j:log4j-core" }, "vulnerable_version_range": ">= 2.0-beta9, < 2.3.2", "first_patched_version": "2.3.2" }] |
| 🛠️ firstPatchedVersion | string \| null | "2.3.2" |
| 🎯 cvssScore | number \| null | 10.0 |
| 🎯 cvssVectorString | string \| null | "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" |
| 🎯 cvssV3Score | number \| null | 10.0 |
| 🎯 cvssV3VectorString | string \| null | "CVSS:3.1/AV:N/..." |
| 🎯 cvssV4Score | number \| null | 10.0 |
| 🎯 cvssV4VectorString | string \| null | "CVSS:4.0/AV:N/..." |
| 📂 repository_advisory_url | string \| null | "https://github.com/apache/logging-log4j2/security/advisories/..." |
| 🧬 cwes | object[] | [{ "cwe_id": "CWE-20", "name": "Improper Input Validation" }] |
| 🙌 credits | object[] | [{ "user": { "login": "..." }, "type": "reporter" }] |
| 🕒 scrapedAt | ISO 8601 | "2026-05-15T00:00:00.000Z" |

📦 Sample record


✨ Why choose this Actor

  • 🐙 Authoritative source. Pulls directly from the GitHub Security Advisories catalogue, the upstream feed for Dependabot.
  • 🎯 CVSS v4 + v3. Both scoring versions surfaced as separate fields plus a unified top-level score.
  • 📦 Patched versions. First patched version extracted for every advisory.
  • 🦠 Malware advisories. Set type=malware to surface advisories for malicious packages found in the wild.
  • 🌐 13 ecosystems. npm, pip, maven, rubygems, nuget, composer, go, rust, swift, pub, erlang, actions, other.
  • 🔗 CVE pairing. Each advisory carries its cve_id for cross-walks with NVD-sourced data.
  • 🚫 No sign-up. Works with public GitHub data. No login or token needed.

📊 GitHub Security Advisories drive Dependabot, GitHub Code Scanning, and most modern dependency scanners. Owning a clean local copy is a multiplier for every supply-chain workflow.


📈 How it compares to alternatives

| Approach | Cost | Coverage | Refresh | Filters | Setup |
|---|---|---|---|---|---|
| ⭐ GitHub Security Advisories Scraper (this Actor) | $5 free credit, then pay-per-use | 25,000+ advisories | Live per run | severity, type, ecosystem, package, CWE, date | ⚡ 2 min |
| Commercial SCA platforms | $20,000+/year | GHSA + extras | Streaming | Many | ⏳ Days |
| Manual exports | Free | Full | Stale | None | 🐢 Hours |
| Self-built ingestion | Engineering time | Full | Custom | Custom | 🛠️ Weeks |

Pick this Actor when you want a clean GHSA dataset with CVSS v4 already normalised.


🚀 How to use

  1. 📝 Sign up. Create a free account with $5 credit (takes 2 minutes).
  2. 🌐 Open the Actor. Go to the GitHub Security Advisories Scraper page on the Apify Store.
  3. 🎯 Set input. Pick a severity, ecosystem, package, or GHSA ID, then set maxItems.
  4. 🚀 Run it. Click Start and let the Actor collect your data.
  5. 📥 Download. Grab your results in the Dataset tab as CSV, Excel, JSON, or XML.

⏱️ Total time from signup to downloaded dataset: 3-5 minutes. No coding required.


💼 Business use cases

🛠️ DevSecOps & SBOM

  • Daily SBOM enrichment with patched-version metadata
  • CI gate that fails builds when fixes exist for direct dependencies
  • Auto-PRs that bump dependencies to the first patched version
  • Slack alerts when an ecosystem you ship hits a Critical advisory
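The "CI gate that fails builds when fixes exist" item above, worked through on the `vulnerabilities` field documented in the schema, as an added example that is not the Actor's own code. It parses a `vulnerable_version_range` such as `>= 2.0-beta9, < 2.3.2`, checks each direct dependency against it, and fails only when a `first_patched_version` exists; a hit with no fix available is downgraded to a warning. The log4j values are the ones shown in the schema table; the npm advisory and the dependency snapshot are constructed, and the version comparator is a deliberately small one (numeric dotted parts plus an optional pre-release tag), not a full semver or Maven implementation.

```python
"""CI gate: fail the build when a direct dependency sits inside an advisory's
vulnerable_version_range and a first_patched_version exists.

Added example, not the Actor's own code. Advisory rows follow the Actor's
documented `vulnerabilities` shape; the log4j values are the ones shown in
the schema table, the npm advisory and the dependency list are constructed.
"""
from __future__ import annotations
import re

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)[-.]?(\d*))?$")
_CONSTRAINT_RE = re.compile(r"^\s*(>=|<=|>|<|=)\s*(\S+)\s*$")
_OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0,
        "<=": lambda c: c <= 0, "<": lambda c: c < 0, "=": lambda c: c == 0}


def parse_version(text: str) -> tuple[tuple[int, ...], tuple[str, int] | None]:
    """Split '2.0-beta9' into ((2, 0), ('beta', 9)); '2.3.2' into ((2, 3, 2), None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    pre = (m.group(2).lower(), int(m.group(3) or 0)) if m.group(2) else None
    return numbers, pre


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1. Missing numeric parts count as 0; a release outranks
    any pre-release with the same numbers (2.0-beta9 < 2.0)."""
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if pa is None and pb is None:
        return 0
    if pa is None or pb is None:
        return 1 if pa is None else -1
    return (pa > pb) - (pa < pb)


def in_vulnerable_range(installed: str, range_text: str) -> bool:
    """True when `installed` satisfies every comma-separated constraint,
    e.g. '>= 2.0-beta9, < 2.3.2'."""
    for piece in range_text.split(","):
        m = _CONSTRAINT_RE.match(piece)
        if not m:
            raise ValueError(f"unparsable constraint: {piece!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(installed, bound)):
            return False
    return True


def ci_gate(dependencies: dict[str, str], advisories: list[dict]) -> dict:
    """Match advisories against direct dependencies keyed 'ecosystem:name'.

    A hit with a first_patched_version is a failure (a fix is available);
    a hit without one is a warning, so the build is not blocked on a fix
    nobody can apply yet.
    """
    failures, warnings = [], []
    for adv in advisories:
        for vuln in adv["vulnerabilities"]:
            pkg = vuln["package"]
            key = f"{pkg['ecosystem']}:{pkg['name']}"
            installed = dependencies.get(key)
            if installed is None or not in_vulnerable_range(installed, vuln["vulnerable_version_range"]):
                continue
            hit = {"package": key, "installed": installed, "ghsa_id": adv["ghsa_id"],
                   "severity": adv["severity"],
                   "first_patched_version": vuln["first_patched_version"]}
            (failures if vuln["first_patched_version"] else warnings).append(hit)
    return {"fail": bool(failures), "failures": failures, "warnings": warnings}


# Log4j values as shown in the schema table; the npm advisory is constructed.
SAMPLE_ADVISORIES = [
    {"ghsa_id": "GHSA-jfh8-c2jp-5v3q", "severity": "critical", "vulnerabilities": [
        {"package": {"ecosystem": "maven", "name": "org.apache.logging.log4j:log4j-core"},
         "vulnerable_version_range": ">= 2.0-beta9, < 2.3.2",
         "first_patched_version": "2.3.2"}]},
    {"ghsa_id": "GHSA-cccc-dddd-eeee", "severity": "high", "vulnerabilities": [  # constructed
        {"package": {"ecosystem": "npm", "name": "example-widget"},
         "vulnerable_version_range": "< 2.0.0",
         "first_patched_version": None}]},
]

# Constructed direct-dependency snapshot (e.g. read from a lock file).
SAMPLE_DEPENDENCIES = {
    "maven:org.apache.logging.log4j:log4j-core": "2.3.1",
    "npm:example-widget": "1.4.0",
    "npm:unrelated-lib": "3.0.0",
}

if __name__ == "__main__":
    verdict = ci_gate(SAMPLE_DEPENDENCIES, SAMPLE_ADVISORIES)
    for hit in verdict["failures"]:
        print("FAIL", hit["package"], hit["installed"], "->", hit["first_patched_version"], hit["ghsa_id"])
    for hit in verdict["warnings"]:
        print("WARN", hit["package"], hit["installed"], "no fix yet", hit["ghsa_id"])
    raise SystemExit(1 if verdict["fail"] else 0)
```

The pre-release handling is the part worth checking in your own pipeline: the log4j range starts at `2.0-beta9`, so a comparator that strips or ignores the `-beta9` suffix would either miss the beta line entirely or flag `2.0-beta8` by mistake. Real ecosystems differ in their version grammar, so swap in the ecosystem's own comparator (semver for npm, PEP 440 for pip, Maven's ordering for maven) before relying on this gate in production.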

🦠 Malware & Supply-Chain Defense

  • Daily ingestion of type=malware advisories for typosquats and back-doors
  • Block-lists for internal package proxies
  • Incident response for known malicious packages in repos
  • Continuous monitoring of internal registry mirrors

🔍 Vulnerability Management

  • Cross-walk GHSA to CVE for unified vulnerability views
  • Severity-based patch queues for SOC and IT
  • Vendor risk reports filtered by ecosystem
  • Coverage dashboards comparing GHSA vs NVD vs OSV

📊 Security Reporting & Dashboards

  • Executive dashboards showing advisory volume per ecosystem
  • Customer-facing trust pages with patch SLAs
  • M&A due diligence on target dependency hygiene
  • Insurance underwriting models for cyber risk

🔌 Automating GitHub Security Advisories Scraper

Control the scraper programmatically for scheduled runs and pipeline integrations:

  • 🟢 Node.js. Install the apify-client NPM package.
  • 🐍 Python. Use the apify-client PyPI package.
  • 📚 See the Apify documentation for full details.

The Apify Schedules feature lets you trigger this Actor on any cron interval. Hourly, daily, or weekly refreshes keep your downstream SBOM and dependency tooling in sync automatically.
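An incremental sync built on the `modifiedAfter` input and the `apify-client` PyPI package mentioned above, as an added example that is not the Actor's or Apify's own code. Each scheduled run asks only for advisories modified since the previous run (with a one-day overlap), then upserts them into a local JSON store keyed by `ghsa_id`, keeping whichever copy has the newer `updated_at`. `ACTOR_ID` is a placeholder for the Actor's real ID from its Store page; `run_sync` uses the published apify-client calls (`ApifyClient(...).actor(...).call(run_input=...)` and `dataset(...).iterate_items()`) and is the only part that needs network access. The sample batches are constructed.

```python
"""Scheduled incremental sync of GHSA advisories into a local JSON store.

Added example, not the Actor's or Apify's own code. It assumes the documented
input field modifiedAfter (ISO date) and the output fields ghsa_id and
updated_at. ACTOR_ID is a placeholder; the apify-client calls in run_sync are
the published apify-client API. merge_into_store and build_run_input run
offline on the constructed sample records below.
"""
from __future__ import annotations
import json
import os
from datetime import datetime, timedelta, timezone

ACTOR_ID = "PLACEHOLDER_ACTOR_ID"  # placeholder: use the Actor's real ID from the Store page
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # "never synced" marker


def build_run_input(last_sync: datetime, overlap: timedelta = timedelta(days=1),
                    max_items: int = 1000) -> dict:
    """Input for one scheduled run.

    The window starts `overlap` before the previous sync so advisories
    modified around the boundary (or while the last run was in flight) are
    fetched again; merge_into_store makes the re-fetch harmless.
    """
    since = (last_sync.astimezone(timezone.utc) - overlap).date()
    return {"modifiedAfter": since.isoformat(), "maxItems": max_items}


def merge_into_store(store: dict[str, dict], records) -> tuple[int, int]:
    """Upsert records keyed by ghsa_id, keeping whichever copy has the newer
    updated_at. Returns (inserted, updated) counts for run logging."""
    inserted = updated = 0
    for rec in records:
        current = store.get(rec["ghsa_id"])
        if current is None:
            store[rec["ghsa_id"]] = rec
            inserted += 1
        elif (rec.get("updated_at") or "") > (current.get("updated_at") or ""):
            # ISO 8601 UTC timestamps in one format compare correctly as strings.
            store[rec["ghsa_id"]] = rec
            updated += 1
    return inserted, updated


def load_store(path: str) -> tuple[dict[str, dict], datetime]:
    """Return (records by ghsa_id, last sync time); no file means a full first pull."""
    if not os.path.exists(path):
        return {}, EPOCH
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data["records"], datetime.fromisoformat(data["last_sync"])


def save_store(path: str, store: dict[str, dict], synced_at: datetime) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"last_sync": synced_at.isoformat(), "records": store}, fh)


def run_sync(store_path: str, token: str) -> tuple[int, int]:
    """One scheduled run: fetch what changed since last time and fold it in."""
    from apify_client import ApifyClient  # pip install apify-client

    store, last_sync = load_store(store_path)
    started = datetime.now(timezone.utc)
    client = ApifyClient(token)
    run = client.actor(ACTOR_ID).call(run_input=build_run_input(last_sync))
    items = client.dataset(run["defaultDatasetId"]).iterate_items()
    counts = merge_into_store(store, items)
    # Persist the run's *start* time: anything modified while the run was
    # in flight is re-fetched next time rather than silently skipped.
    save_store(store_path, store, started)
    return counts


# Constructed sample batches, shaped like the Actor's output.
FIRST_BATCH = [
    {"ghsa_id": "GHSA-aaaa-bbbb-cccc", "severity": "high", "updated_at": "2026-05-01T00:00:00Z"},
    {"ghsa_id": "GHSA-dddd-eeee-ffff", "severity": "low", "updated_at": "2026-05-02T00:00:00Z"},
]
SECOND_BATCH = [
    {"ghsa_id": "GHSA-aaaa-bbbb-cccc", "severity": "critical", "updated_at": "2026-05-10T00:00:00Z"},
    {"ghsa_id": "GHSA-dddd-eeee-ffff", "severity": "low", "updated_at": "2026-05-02T00:00:00Z"},
]

if __name__ == "__main__":
    local: dict[str, dict] = {}
    print(merge_into_store(local, FIRST_BATCH))   # (2, 0): both new
    print(merge_into_store(local, SECOND_BATCH))  # (0, 1): one re-scored, one unchanged
    print(build_run_input(datetime(2026, 5, 15, tzinfo=timezone.utc)))
```

Keying the store on `ghsa_id` rather than `cve_id` is deliberate here: `cve_id` can be null for GitHub-only advisories, and an advisory's severity or patched version can change after publication, which is exactly what the `updated_at` comparison catches.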


🌟 Beyond business use cases

Data like this powers more than commercial workflows. The same structured records support research, education, civic projects, and personal initiatives.

🎓 Research and academia

  • Open source ecosystem vulnerability studies
  • Time-to-patch and disclosure-lag research
  • Coursework on supply-chain security and SBOM tooling
  • Reproducible studies with cited, versioned dataset pulls

🎨 Personal and creative

  • Hobbyist dependency dashboards for your own projects
  • Newsletter research on the latest GHSAs
  • Portfolio projects that show off security data engineering
  • Personal alerting bots for libraries you maintain

🤝 Non-profit and civic

  • Open-source maintainers monitoring their package risk
  • Civic-tech projects mapping advisory coverage by ecosystem
  • Educational outreach for open-source security literacy
  • Community advocacy around responsible disclosure

🧪 Experimentation

  • Train ML models on advisory text and severity
  • Prototype agent pipelines that summarise GHSAs
  • Test SBOM diff tooling against historical waves
  • Build dashboards on top of live ecosystem feeds


❓ Frequently Asked Questions

🧩 How does it work?

Configure your filters in the input form, click Start, and the Actor pulls matching advisories from the GitHub Security Advisories catalogue, normalises the schema (including the new CVSS v4 fields), and emits one clean record per advisory.

📏 How accurate is the data?

Records are mirror-copies of the official GHSA catalogue at run time. Severity, affected ranges, patched versions, references, and credits are taken verbatim from the source.

🔁 How often is the dataset refreshed?

GitHub publishes new advisories continuously as the security team curates submissions and as malware advisories are filed. Every run reflects the catalogue as of run time.

🎯 Which CVSS versions are included?

The Actor surfaces CVSS v4.0 and v3.x base scores and vector strings whenever the source provides them. Older advisories may carry only v3; newer ones have v4 as well. A unified top-level cvssScore is also exposed.

🌐 Which ecosystems are supported?

npm, pip, maven, rubygems, nuget, composer, go, rust (cargo), swift, pub (Dart), erlang/elixir, GitHub Actions, and other. Leave the field empty for cross-ecosystem search.

🦠 What is a malware advisory?

GitHub publishes type=malware advisories for packages confirmed to be malicious (typosquats, back-doors, credential stealers). They are first-class citizens in the catalogue and crucial for supply-chain defense.

🧬 What is a CWE?

CWE (Common Weakness Enumeration) is the standard taxonomy of software weaknesses. Each advisory is mapped to one or more CWE IDs that classify the underlying flaw type.

⏰ Can I schedule regular runs?

Yes. Use Apify Schedules to run this Actor on any cron interval. A common pattern is an hourly schedule that pulls every new advisory and pushes it into an SBOM tool or Slack channel.

GitHub Security Advisories are published under permissive open licensing. You should review the source license for your specific application, but raw advisory metadata is generally public.

💳 Do I need a paid Apify plan to use this Actor?

No. The free Apify plan is enough for testing and small runs (10 records per run). A paid plan lifts the limit and gives you scheduling, higher concurrency, and larger datasets.

🆘 What if I need help?

Our support team is here to help. Contact us through the Apify platform or use the Tally form linked below.


🔌 Integrate with any app

GitHub Security Advisories Scraper connects to any cloud service via Apify integrations:

  • Make - Automate multi-step workflows
  • Zapier - Connect with 5,000+ apps
  • Slack - Get advisory alerts in your security channels
  • Airbyte - Pipe GHSA data into your warehouse
  • GitHub - Trigger runs from commits and releases
  • Google Drive - Export datasets straight to Sheets

You can also use webhooks to trigger downstream actions when a run finishes. Push fresh advisory data into your SBOM tooling, or alert your team in Slack when a Critical hits a tracked package.


💡 Pro Tip: browse the complete ParseForge collection for more security and reference-data scrapers.


🆘 Need Help? Open our contact form to request a new scraper, propose a custom data project, or report an issue.


⚠️ Disclaimer: this Actor is an independent tool and is not affiliated with, endorsed by, or sponsored by GitHub, Microsoft, or any of the package maintainers referenced in the catalogue. All trademarks mentioned are the property of their respective owners. Only publicly available security advisory data is collected.