name: CVE Database Update

on:
  # Manual runs accept a look-back window; scheduled runs use the default.
  # NOTE(review): `days_back` is declared here but nothing in the job passes it
  # to scripts/update-cve-database.py — confirm how the script expects to
  # receive it (argument or env var) before relying on this input.
  workflow_dispatch:
    inputs:
      days_back:
        description: 'Number of days to look back for CVEs'
        required: false
        default: '90'
  schedule:
    # Daily at 09:00 UTC (18:00 JST)
    - cron: '0 9 * * *'

# Scopes needed by the create-pull-request step (contents + pull-requests)
# and by `gh pr merge`; every scope not listed here stays at its default of none.
permissions:
  contents: write
  pull-requests: write

env:
  PYTHON_VERSION: '3.11'

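jobs:
  update-cve-database:
    runs-on: ubuntu-latest
    steps:
      # Supply-chain note: the third-party actions below are pinned to mutable
      # tags/branches (v7, v6, stable, v8). For a workflow that holds
      # contents:write, prefer pinning each to a full commit SHA, e.g.
      # `uses: actions/checkout@<commit-sha>  # v7` (placeholder — look up the
      # SHA of the release you intend to use).
      - name: Checkout repository
        uses: actions/checkout@v7
        with:
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Run CVE update script
        env:
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
        run: |
          python scripts/update-cve-database.py

      # Working tree vs. index for the one file the script rewrites. Neither this
      # nor `git show HEAD:` below needs the full history fetched above.
      - name: Check for changes
        id: check-changes
        run: |
          if git diff --quiet data/cve-database.json; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
            echo "Database has been updated"
          fi

      - name: Get new CVE count
        id: cve-count
        if: steps.check-changes.outputs.changed == 'true'
        run: |
          # Entry counts before (HEAD) and after the update.
          # Assumes `.entries` holds objects carrying an `id` field — the same
          # fields the previous diff-based extraction relied on; confirm against
          # the JSON written by scripts/update-cve-database.py.
          OLD_COUNT=$(git show HEAD:data/cve-database.json | jq '.entries | length')
          NEW_COUNT=$(jq '.entries | length' data/cve-database.json)
          echo "new_count=$((NEW_COUNT - OLD_COUNT))" >> "$GITHUB_OUTPUT"
          echo "total_count=$NEW_COUNT" >> "$GITHUB_OUTPUT"

          # IDs present after the update but absent at HEAD, as a set difference
          # via jq/comm. Grepping `+"id":` out of `git diff` was whitespace-
          # sensitive and, under the runner's default `-o pipefail`, could fail
          # the step whenever an update touched no id line (e.g. only scores or
          # descriptions changed). The final grep keeps only well-formed CVE IDs
          # so nothing else from the fetched third-party data reaches the PR
          # title/body; `|| true` makes "no new IDs" non-fatal.
          NEW_CVES=$(comm -13 \
            <(git show HEAD:data/cve-database.json | jq -r '.entries[].id' | sort -u) \
            <(jq -r '.entries[].id' data/cve-database.json | sort -u) \
            | grep -E '^CVE-[0-9]{4}-[0-9]{4,}$' || true)
          # One line, comma-separated, no trailing comma — same shape as before.
          echo "new_cves=$(printf '%s\n' "$NEW_CVES" | paste -sd, -)" >> "$GITHUB_OUTPUT"

      - name: Install Rust toolchain
        if: steps.check-changes.outputs.changed == 'true'
        uses: dtolnay/rust-toolchain@stable

      - name: Bump patch version
        id: bump-version
        if: steps.check-changes.outputs.changed == 'true'
        run: |
          # Current version from the first `version = "..."` line of Cargo.toml
          # (-m1 stops grep at the first hit, so no `| head` and no SIGPIPE).
          CURRENT_VERSION=$(grep -m1 '^version = ' Cargo.toml | sed 's/version = "\(.*\)"/\1/')
          # Refuse anything that is not plain MAJOR.MINOR.PATCH: a pre-release or
          # build suffix would otherwise turn `$((PATCH + 1))` into a shell error.
          if [[ ! "$CURRENT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::Cargo.toml version '$CURRENT_VERSION' is not MAJOR.MINOR.PATCH"
            exit 1
          fi
          echo "current_version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"

          # Split on dots and increment the patch component.
          IFS=. read -r MAJOR MINOR PATCH <<< "$CURRENT_VERSION"
          NEW_VERSION="${MAJOR}.${MINOR}.$((PATCH + 1))"
          echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"

          # Rewrite only the exact current version line, then refresh Cargo.lock.
          sed -i "s/^version = \"${CURRENT_VERSION}\"/version = \"${NEW_VERSION}\"/" Cargo.toml
          cargo update -p cc-audit

          echo "Bumped version from $CURRENT_VERSION to $NEW_VERSION"

      # A PR opened with GITHUB_TOKEN does not trigger `pull_request` workflows,
      # so the repository's own CI will not run on this branch unless a PAT or
      # GitHub App token is used here instead.
      - name: Create Pull Request
        id: create-pr
        if: steps.check-changes.outputs.changed == 'true'
        uses: peter-evans/create-pull-request@v8
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: |
            fix(cve): update CVE database (v${{ steps.bump-version.outputs.new_version }})

            Add ${{ steps.cve-count.outputs.new_count }} new CVE(s)
            Total entries: ${{ steps.cve-count.outputs.total_count }}
            Version: ${{ steps.bump-version.outputs.current_version }} → ${{ steps.bump-version.outputs.new_version }}
          branch: fix/cve-database-update
          delete-branch: true
          title: "fix(cve): Update CVE database (+${{ steps.cve-count.outputs.new_count }} entries) [v${{ steps.bump-version.outputs.new_version }}]"
          body: |
            ## CVE Database Update

            This PR updates the CVE database with newly discovered vulnerabilities.

            ### Changes
            - **New CVEs added**: ${{ steps.cve-count.outputs.new_count }}
            - **Total entries**: ${{ steps.cve-count.outputs.total_count }}
            - **New CVE IDs**: ${{ steps.cve-count.outputs.new_cves }}
            - **Version bump**: `${{ steps.bump-version.outputs.current_version }}` → `${{ steps.bump-version.outputs.new_version }}`

            ---
            *This PR was automatically generated by the CVE Database Update workflow.*
          labels: |
            dependencies
            security
            automated

      # Auto-merge completes only once the target branch's required checks
      # report. Because the PR above was created with GITHUB_TOKEN (see note
      # there), required checks will not be reported by this repository's CI,
      # and with no required checks the PR merges with no CI having run —
      # verify the target branch's protection rules match that intent.
      - name: Enable auto-merge
        if: steps.create-pr.outputs.pull-request-number
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through env rather than interpolated into the script body.
          PR_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }}
        run: |
          gh pr merge "$PR_NUMBER" --auto --squash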