Skip to content

Add notify-new-cves action for daily CVE notifications#54

Draft
peter-at-progress wants to merge 1 commit intomainfrom
peter-at-progress/notify-new-cves-clean
Draft

Add notify-new-cves action for daily CVE notifications#54
peter-at-progress wants to merge 1 commit intomainfrom
peter-at-progress/notify-new-cves-clean

Conversation

@peter-at-progress
Copy link
Copy Markdown
Collaborator

@peter-at-progress peter-at-progress commented Apr 22, 2026

Implements automated daily notifications for newly discovered CVEs via Microsoft Teams.

Features:

  • Queries scan database for CVEs first observed in the last N days
  • Groups by product/channel with severity counts
  • Sends formatted Teams message with CVE links and details
  • Supports GitHub Actions summary output
  • Read-only database access with configurable lookback period

Action inputs:

  • database-url: PostgreSQL connection string (read-only)
  • data-repo-path: Path to chef-vuln-scan-data for metadata
  • teams-webhook-url: Microsoft Teams incoming webhook
  • lookback-days: CVE discovery window (default: 1)

See SETUP.md for configuration details and workflow integration examples.

Description

Related Issue

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • If Gemfile.lock has changed, I have used --conservative to do it and included the full output in the Description above.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

@peter-at-progress
Add notify-new-cves action for daily CVE notifications
5d11422 
Implements automated daily notifications for newly discovered CVEs via Microsoft Teams.

Features:
- Queries scan database for CVEs first observed in the last N days
- Groups by product/channel with severity counts
- Sends formatted Teams message with CVE links and details
- Supports GitHub Actions summary output
- Read-only database access with configurable lookback period

Action inputs:
- database-url: PostgreSQL connection string (read-only)
- data-repo-path: Path to chef-vuln-scan-data for metadata
- teams-webhook-url: Microsoft Teams incoming webhook
- lookback-days: CVE discovery window (default: 1)

See SETUP.md for configuration details and workflow integration examples.

Signed-off-by: Peter Arsenault <parsenau@progress.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brianLoomis brianLoomis Awaiting requested review from brianLoomis brianLoomis will be requested when the pull request is marked ready for review brianLoomis is a code owner

@sean-sype-simmons sean-sype-simmons Awaiting requested review from sean-sype-simmons sean-sype-simmons will be requested when the pull request is marked ready for review sean-sype-simmons is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@peter-at-progress