Action to detect if any open Dependabot alert CVEs exceed an EPSS threshold and fail the workflow.
Includes an Actions workflow summary:
Usage
name: 'Dependabot EPSS Action'
on: [push]
jobs:
dependabot-epss-action:
name: 'EPSS Compliance Check'
runs-on: ubuntu-latest
steps:
- name: 'EPSS Policy'
uses: advanced-security/dependabot-epss-action@v0
with:
token: ${{ secrets.DEPENDABOT_EPSS_GITHUB_TOKEN }}
epss-threshold: "0.6"Inputs
-
token Required
- Classic Tokens
- repo scope or security_events scope. For public repositories, you may instead use the public_repo scope.
- Fine-grained personal access token permissions
- Read-Only - Dependabot Alerts
- Classic Tokens
-
epss-threshold Optional
- The threshold value for the Exploit Prediction Scoring System (EPSS). The EPSS is a scoring system that predicts the likelihood of a vulnerability being exploited in the wild based on a time threshold. It provides a score between 0 and 1, where 0 indicates a low likelihood of exploitation, and 1 indicates a high likelihood.The action will filter out vulnerabilities that have an EPSS score below this threshold. See EPSS at https://www.first.org/epss. Default is
0.6.
- The threshold value for the Exploit Prediction Scoring System (EPSS). The EPSS is a scoring system that predicts the likelihood of a vulnerability being exploited in the wild based on a time threshold. It provides a score between 0 and 1, where 0 indicates a low likelihood of exploitation, and 1 indicates a high likelihood.The action will filter out vulnerabilities that have an EPSS score below this threshold. See EPSS at https://www.first.org/epss. Default is
Attribution
See EPSS at https://www.first.org/epss. Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael Roytman, Idris Adjerid, (2021), Exploit Prediction Scoring System, Digital Threats Research and Practice, 2(3)