# GitHub Security Advisories (GHSA) by Ecosystem (`v0iddo/github-security-advisories`) Actor

For each ecosystem (NPM, PIP, MAVEN, NUGET, RUBYGEMS, RUST, GO, ACTIONS, SWIFT, …), pull recent GitHub Security Advisories via GraphQL. One row per advisory: severity, CVE/CWE mapping, affected packages, version ranges, fix versions. For AppSec + supply-chain auditors.

- **URL**: https://apify.com/v0iddo/github-security-advisories.md
- **Developed by:** [vøiddo](https://apify.com/v0iddo) (community)
- **Categories:** Business, News
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

$0.50 / 1,000 GitHub security advisories extracted

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in a key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use the official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use the official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use the [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# macOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows (PowerShell)
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## GitHub Security Advisories (GHSA) by Ecosystem

Pull recent GitHub Security Advisories — the curated CVE-plus
ecosystem mapping behind `github.com/advisories` — as a paginated,
date-filtered dataset. One row per advisory, with affected packages
and fix versions in structured form.

### What you get

```json
{
  "ghsaId":       "GHSA-rrqh-7r3p-mvf9",
  "summary":      "Cross-site scripting in react-markdown when using…",
  "description":  "react-markdown < 9.0.1 renders untrusted user…",
  "severity":     "HIGH",
  "classification": "GENERAL",
  "publishedAt":  "2026-05-30T20:14:00Z",
  "updatedAt":    "2026-05-31T11:02:00Z",
  "withdrawnAt":  null,
  "url":          "https://github.com/advisories/GHSA-rrqh-7r3p-mvf9",
  "cves":         ["CVE-2026-12345"],
  "references":   ["https://nvd.nist.gov/vuln/detail/CVE-2026-12345",
                   "https://github.com/remarkjs/react-markdown/security/…"],
  "cwes": [
    {"cweId": "CWE-79", "name": "Improper Neutralization of Input…"}
  ],
  "affected": [
    {
      "ecosystem":            "NPM",
      "package":              "react-markdown",
      "vulnerableRange":      "< 9.0.1",
      "firstPatchedVersion":  "9.0.1"
    }
  ],
  "queryEcosystem": "NPM"
}
```

### How to use

**Input.**

```json
{
  "ecosystems":       ["NPM", "PIP", "MAVEN"],
  "sinceDays":        7,
  "maxPerEcosystem":  500,
  "githubToken":      ""
}
```

`ecosystems` — one of `NPM`, `PIP`, `MAVEN`, `COMPOSER`, `NUGET`,
`RUBYGEMS`, `RUST`, `GO`, `PUB`, `ERLANG`, `ACTIONS`, `SWIFT`, or
`ALL` to skip the ecosystem filter.

`githubToken` — optional. Without it, GitHub limits anonymous GraphQL
to 60 req/h (fine for one ecosystem with `maxPerEcosystem ≤ 500`). With
a token: 5 000 req/h. **A classic PAT with no scopes works** — the
`securityAdvisories` endpoint is public.

### Why this matters

`github.com/advisories` is the canonical curated CVE→ecosystem mapping
used by Dependabot, Renovate, Snyk's free tier, and most other
supply-chain tools. The GraphQL endpoint exposes the same data behind a
tidy schema; this actor packages it into a daily feed you can ship into
JIRA, Slack, or a custom dashboard.

### Pricing

PAY\_PER\_EVENT · `$0.002 per advisory_extracted` · 500 advisories = $1.

### Buyer

- AppSec / Product Security teams.
- DevOps building custom dep-pin policies (Renovate / Dependabot
  consumers wanting their own categorization).
- Supply-chain auditors snapshotting weekly delta.
- Insurance / compliance dashboards.

### Source

GitHub GraphQL `securityAdvisories` — same source as `gh advisories`
CLI and the web UI. Filter: `publishedSince` for the date window;
`ecosystem` enum for the ecosystem filter; per-advisory `vulnerabilities`
filtered to the same ecosystem so the `affected` list is clean.

# Actor input Schema

## `ecosystems` (type: `array`):

Which ecosystems to pull advisories for. Each ecosystem is a separate API page; the actor pages through all results within the date window. Valid: NPM, PIP, MAVEN, COMPOSER, NUGET, RUBYGEMS, RUST, GO, PUB, ERLANG, ACTIONS, SWIFT, or ALL (pull every advisory regardless).

## `sinceDays` (type: `integer`):

Pull advisories published in the last N days. GitHub filters server-side; even a 1-day window is fast.

## `maxResults` (type: `integer`):

Hard cap on emitted rows. When you pass multiple ecosystems, the actor emits one row per (advisory × ecosystem) pair, so a single advisory affecting NPM + PIP counts as two rows.

## `githubToken` (type: `string`):

Personal Access Token. WITHOUT a token: anonymous 60 req/h limit shared across all Apify users on the same outbound IP — your run will almost certainly return 0 rows. WITH a token: 5 000 req/h. A classic PAT with no scopes works (the GraphQL securityAdvisories endpoint is public; auth just lifts the rate limit). Recommend creating a token at https://github.com/settings/tokens with NO scopes selected and pasting it here.

## Actor input object example

```json
{
  "ecosystems": [
    "NPM",
    "PIP"
  ],
  "sinceDays": 7,
  "maxResults": 500
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "ecosystems": [
        "NPM",
        "PIP"
    ]
};

// Run the Actor and wait for it to finish
const run = await client.actor("v0iddo/github-security-advisories").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {
    "ecosystems": [
        "NPM",
        "PIP",
    ],
}

# Run the Actor and wait for it to finish
run = client.actor("v0iddo/github-security-advisories").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```
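Turning the dataset rows into findings, as an added example that is not the Actor's own code: it skips withdrawn advisories, collapses rows repeated across ecosystem queries (see `maxResults`), and matches `vulnerableRange` against pinned versions. The sample rows, the `PINNED` map and all function names are constructed for illustration; the range syntax is assumed to be comma-separated comparison clauses like the page's `< 9.0.1`, and only plain dotted-numeric versions are compared, with anything else flagged `REVIEW` rather than treated as safe.

```python
import re

CLAUSE = re.compile(r"^(<=|>=|<|>|=)\s*(\S+)$")
NUMERIC = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Tuple of ints for plain dotted-numeric versions, else None."""
    return tuple(int(p) for p in text.split(".")) if NUMERIC.match(text) else None


def in_range(installed, vulnerable_range):
    """True/False when decidable; None when a version or clause cannot be parsed."""
    have = parse_version(installed)
    if have is None:
        return None
    for clause in vulnerable_range.split(","):
        m = CLAUSE.match(clause.strip())
        bound = parse_version(m.group(2)) if m else None
        if bound is None:
            return None
        width = max(len(have), len(bound))
        a = have + (0,) * (width - len(have))    # pad so 1.4 compares equal to 1.4.0
        b = bound + (0,) * (width - len(bound))
        ok = {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "=": a == b}
        if not ok[m.group(1)]:
            return False                          # clauses are ANDed
    return True


def triage(rows, pinned):
    """pinned maps (ecosystem, package) -> installed version; returns sorted findings."""
    findings = {}
    for row in rows:
        if row.get("withdrawnAt"):                # withdrawn advisories are not actionable
            continue
        for aff in row.get("affected") or []:
            dep = (aff["ecosystem"], aff["package"])
            if dep not in pinned:
                continue
            verdict = in_range(pinned[dep], aff["vulnerableRange"])
            if verdict is False:
                continue
            # Keyed on advisory + package + range, so a row repeated for a
            # second ecosystem query collapses into one finding.
            key = (row["ghsaId"],) + dep + (aff["vulnerableRange"],)
            findings[key] = {
                "ghsaId": row["ghsaId"],
                "package": aff["package"],
                "installed": pinned[dep],
                "status": "VULNERABLE" if verdict else "REVIEW",
                "severity": row["severity"],
                "fix": aff.get("firstPatchedVersion"),
            }
    return [findings[k] for k in sorted(findings)]


def make_row(ghsa, severity, eco, pkg, rng, fix, withdrawn=None):
    """Build a constructed sample row with only the fields triage() reads."""
    return {"ghsaId": ghsa, "severity": severity, "withdrawnAt": withdrawn,
            "affected": [{"ecosystem": eco, "package": pkg,
                          "vulnerableRange": rng, "firstPatchedVersion": fix}]}


# Constructed sample data: placeholder IDs and package names, not real advisories.
SAMPLE_ROWS = [
    make_row("GHSA-aaaa-aaaa-aaaa", "HIGH", "NPM", "example-md", "< 9.0.1", "9.0.1"),
    make_row("GHSA-aaaa-aaaa-aaaa", "HIGH", "NPM", "example-md", "< 9.0.1", "9.0.1"),
    make_row("GHSA-bbbb-bbbb-bbbb", "CRITICAL", "NPM", "example-md",
             "< 9.5.0", "9.5.0", withdrawn="2026-01-02T00:00:00Z"),
    make_row("GHSA-cccc-cccc-cccc", "MODERATE", "PIP", "example-lib",
             ">= 1.0.0, < 1.4.2", "1.4.2"),
    make_row("GHSA-dddd-dddd-dddd", "LOW", "PIP", "other-lib", "< 2.0.0", "2.0.0"),
]
PINNED = {("NPM", "example-md"): "9.0.0", ("PIP", "example-lib"): "1.4.2",
          ("PIP", "other-lib"): "2.0.0rc1"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS, PINNED):
        print(finding)
```

In a real run, `rows` would be the items returned by `client.dataset(...).iterate_items()` above, and `pinned` would come from your lockfiles.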

## CLI example

```bash
echo '{
  "ecosystems": [
    "NPM",
    "PIP"
  ]
}' |
apify call v0iddo/github-security-advisories --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=v0iddo/github-security-advisories",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "GitHub Security Advisories (GHSA) by Ecosystem",
        "description": "For each ecosystem (NPM, PIP, MAVEN, NUGET, RUBYGEMS, RUST, GO, ACTIONS, SWIFT, …), pull recent GitHub Security Advisories via GraphQL. One row per advisory: severity, CVE/CWE mapping, affected packages, version ranges, fix versions. For AppSec + supply-chain auditors.",
        "version": "0.1",
        "x-build-id": "jTe1aTqLwKclmBhK7"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/v0iddo~github-security-advisories/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-v0iddo-github-security-advisories",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/v0iddo~github-security-advisories/runs": {
            "post": {
                "operationId": "runs-sync-v0iddo-github-security-advisories",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/v0iddo~github-security-advisories/run-sync": {
            "post": {
                "operationId": "run-sync-v0iddo-github-security-advisories",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "ecosystems"
                ],
                "properties": {
                    "ecosystems": {
                        "title": "Package ecosystems",
                        "type": "array",
                        "description": "Which ecosystems to pull advisories for. Each ecosystem is a separate API page; the actor pages through all results within the date window. Valid: NPM, PIP, MAVEN, COMPOSER, NUGET, RUBYGEMS, RUST, GO, PUB, ERLANG, ACTIONS, SWIFT, or ALL (pull every advisory regardless).",
                        "items": {
                            "type": "string"
                        }
                    },
                    "sinceDays": {
                        "title": "Window — last N days",
                        "minimum": 1,
                        "maximum": 730,
                        "type": "integer",
                        "description": "Pull advisories published in the last N days. GitHub filters server-side; even a 1-day window is fast.",
                        "default": 7
                    },
                    "maxResults": {
                        "title": "Max rows total",
                        "minimum": 1,
                        "maximum": 50000,
                        "type": "integer",
                        "description": "Hard cap on emitted rows. When you pass multiple ecosystems, the actor emits one row per (advisory × ecosystem) pair, so a single advisory affecting NPM + PIP counts as two rows.",
                        "default": 500
                    },
                    "githubToken": {
                        "title": "GitHub token (strongly recommended)",
                        "type": "string",
                        "description": "Personal Access Token. WITHOUT a token: anonymous 60 req/h limit shared across all Apify users on the same outbound IP — your run will almost certainly return 0 rows. WITH a token: 5 000 req/h. A classic PAT with no scopes works (the GraphQL securityAdvisories endpoint is public; auth just lifts the rate limit). Recommend creating a token at https://github.com/settings/tokens with NO scopes selected and pasting it here."
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
