mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-08 12:15:03 +00:00
- Add --existing-db flag to enrich command to skip already-enriched advisories - Add --timeout-secs flag to stop processing after a time budget - Create .github/workflows/enrich.yml that runs hourly on a 55-minute budget - Workflow commits enriched vuln_db.json to repo, checkpointing progress - Each run picks up where the last left off, progressively enriching the backlog https://claude.ai/code/session_01Pp3k3jGUtnTTqvMMr1uP4Y
68 lines
1.9 KiB
YAML
68 lines
1.9 KiB
YAML
name: Enrich Vulnerability Database
|
|
|
|
on:
|
|
schedule:
|
|
# Run every hour
|
|
- cron: '0 * * * *'
|
|
workflow_dispatch: {}
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
concurrency:
|
|
group: enrich-vuln-db
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
enrich:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 60
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Rust
|
|
uses: dtolnay/rust-toolchain@stable
|
|
|
|
- name: Cache cargo registry & build
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cargo/registry
|
|
~/.cargo/git
|
|
target
|
|
key: ${{ runner.os }}-cargo-enrich-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-enrich-
|
|
|
|
- name: Build
|
|
run: cargo build --release
|
|
|
|
- name: Run enrichment (55 min budget)
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
# Use existing DB if present, otherwise start fresh
|
|
EXISTING_FLAG=""
|
|
if [ -f vuln_db.json ]; then
|
|
EXISTING_FLAG="--existing-db vuln_db.json"
|
|
fi
|
|
|
|
cargo run --release -- enrich \
|
|
--limit 999999 \
|
|
--timeout-secs 3300 \
|
|
$EXISTING_FLAG \
|
|
--output vuln_db.json
|
|
|
|
- name: Commit and push if changed
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
git add vuln_db.json
|
|
if git diff --cached --quiet; then
|
|
echo "No changes to vuln_db.json, skipping commit."
|
|
else
|
|
TOTAL=$(jq '.entries | length' vuln_db.json)
|
|
WITH_SYMBOLS=$(jq '[.entries[] | select(.vulnerable_symbols | length > 0)] | length' vuln_db.json)
|
|
git commit -m "chore: enrich vuln db (${TOTAL} entries, ${WITH_SYMBOLS} with symbols)"
|
|
git push
|
|
fi
|