Action to detect if any open Dependabot alert CVEs exceed an EPSS threshold and fail the workflow.
Includes an Actions workflow summary.

Example workflow:

```yaml
name: 'Dependabot EPSS Action'
on: [push]
jobs:
  dependabot-epss-action:
    name: 'EPSS Compliance Check'
    runs-on: ubuntu-latest
    steps:
      - name: 'EPSS Policy'
        uses: advanced-security/dependabot-epss-action@v0
        with:
          token: ${{ secrets.DEPENDABOT_EPSS_GITHUB_TOKEN }}
          epss-threshold: "0.6"
```
Inputs:

- `token` (required)
  - Classic tokens: `repo` scope or `security_events` scope. For public repositories, you may instead use the `public_repo` scope.
  - Fine-grained personal access tokens: read-only permission on Dependabot alerts.
- `epss-threshold` (optional)
  - The threshold value for the Exploit Prediction Scoring System (EPSS). EPSS is a scoring system that predicts the likelihood of a vulnerability being exploited in the wild within a fixed time window. It provides a score between 0 and 1, where 0 indicates a low likelihood of exploitation and 1 indicates a high likelihood. The action filters out vulnerabilities with an EPSS score below this threshold. See EPSS at https://www.first.org/epss. Default is `0.6`.

Reference: Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael Roytman, Idris Adjerid (2021). Exploit Prediction Scoring System. Digital Threats: Research and Practice, 2(3).
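The policy the action applies, modelled offline as an added Python example (this is not the action's own code): the alert list and the EPSS scores are constructed stand-ins for the Dependabot alerts API and the FIRST EPSS API responses, and the CVE ids are placeholders, not real advisories.

```python
"""Offline model of this action's policy: look up the EPSS score of each open
Dependabot alert's CVE and fail when any score reaches the configured threshold."""

# Constructed sample shaped like the Dependabot alerts REST API (fields trimmed);
# the CVE ids are placeholders, not real advisories.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "dependency": {"package": {"name": "lib-a"}},
     "security_advisory": {"cve_id": "CVE-0000-0001"}},
    {"number": 2, "state": "open", "dependency": {"package": {"name": "lib-b"}},
     "security_advisory": {"cve_id": "CVE-0000-0002"}},
    {"number": 3, "state": "dismissed", "dependency": {"package": {"name": "lib-c"}},
     "security_advisory": {"cve_id": "CVE-0000-0003"}},  # dismissed: not checked
    {"number": 4, "state": "open", "dependency": {"package": {"name": "lib-d"}},
     "security_advisory": {"cve_id": None}},  # GHSA-only advisory, no CVE
]
# Constructed stand-in for the FIRST EPSS API scores, keyed by CVE id.
SAMPLE_EPSS = {"CVE-0000-0001": 0.92, "CVE-0000-0002": 0.12, "CVE-0000-0003": 0.99}

def parse_threshold(raw: str) -> float:
    """Validate the epss-threshold input: EPSS scores are probabilities in [0, 1]."""
    value = float(raw)
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"epss-threshold must be between 0 and 1, got {raw!r}")
    return value

def evaluate(alerts, epss_scores, threshold):
    """Return (violations, unscored): open alerts at or above the threshold, and open
    alerts whose CVE has no EPSS score (cannot be judged, so reported, not failed)."""
    violations, unscored = [], []
    for alert in alerts:
        if alert["state"] != "open":
            continue
        cve = alert["security_advisory"]["cve_id"]
        score = epss_scores.get(cve) if cve else None
        record = {"number": alert["number"], "cve": cve, "epss": score,
                  "package": alert["dependency"]["package"]["name"]}
        if score is None:
            unscored.append(record)
        elif score >= threshold:  # scores below the threshold are filtered out
            violations.append(record)
    return violations, unscored

def summary_markdown(violations, threshold):
    """Render the job-summary table; an empty list means the policy passed."""
    if not violations:
        return f"EPSS policy passed: no open alert scored at or above {threshold}."
    rows = ["| Alert | Package | CVE | EPSS |", "|---|---|---|---|"]
    rows += [f"| #{v['number']} | {v['package']} | {v['cve']} | {v['epss']:.2f} |"
             for v in violations]
    return "\n".join(rows)
```

A workflow step running this would exit non-zero whenever `evaluate` returns a non-empty violations list, which is what fails the job.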