Dependabot EPSS Action
Action to detect if any open Dependabot alert CVEs exceed an EPSS threshold and fail the workflow.
Includes an Actions workflow summary. Example workflow:

```yaml
name: 'Dependabot EPSS Action'
on: [push]
jobs:
  dependabot-epss-action:
    name: 'EPSS Compliance Check'
    runs-on: ubuntu-latest
    steps:
      - name: 'EPSS Policy'
        uses: advanced-security/dependabot-epss-action@v0
        with:
          token: ${{ secrets.DEPENDABOT_EPSS_GITHUB_TOKEN }}
          epss-threshold: "0.6"
```
Inputs:

- `token` (required): a token with access to the repository's Dependabot alerts.
  - Classic tokens: `repo` scope or `security_events` scope. For public repositories, you may instead use the `public_repo` scope.
  - Fine-grained personal access tokens: read-only permission on Dependabot alerts.
- `epss-threshold` (optional): the threshold value for the Exploit Prediction Scoring System (EPSS). EPSS predicts the likelihood of a vulnerability being exploited in the wild within a given time window, as a score between 0 and 1, where 0 indicates a low likelihood of exploitation and 1 a high likelihood. The action filters out vulnerabilities whose EPSS score is below this threshold. See EPSS at https://www.first.org/epss. Default is `0.6`.
Reference: Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael Roytman, Idris Adjerid (2021). Exploit Prediction Scoring System. Digital Threats: Research and Practice, 2(3). See also https://www.first.org/epss.
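The policy the action enforces, as an added example that is not the action's own code: collect the CVE ids of open Dependabot alerts, batch them into EPSS API queries, and fail when any score is at or above the threshold. The alert and EPSS rows below are constructed samples; the EPSS endpoint URL and its 100-id batch limit are FIRST's, and treating a CVE with no EPSS row as "unscored" rather than silently passing it is this example's own assumption.

```python
"""Model of the policy the action enforces (added example, not the action's own code).
Sample alerts and EPSS rows are constructed; only the EPSS API URL is real."""
import json

EPSS_API = "https://api.first.org/data/v1/epss"  # FIRST's public EPSS endpoint
EPSS_BATCH = 100                                  # max CVE ids per request

# Constructed sample shaped like GET /repos/{owner}/{repo}/dependabot/alerts
SAMPLE_ALERTS = json.loads("""[
 {"number": 1, "state": "open",      "security_advisory": {"cve_id": "CVE-2021-44228"}},
 {"number": 2, "state": "open",      "security_advisory": {"cve_id": "CVE-2020-0001"}},
 {"number": 3, "state": "dismissed", "security_advisory": {"cve_id": "CVE-2019-0001"}},
 {"number": 4, "state": "open",      "security_advisory": {"cve_id": null}}]""")
# Constructed sample shaped like an EPSS API response body (scores arrive as strings)
SAMPLE_EPSS = json.loads("""{"status": "OK", "data": [
 {"cve": "CVE-2021-44228", "epss": "0.97", "percentile": "0.99"},
 {"cve": "CVE-2020-0001",  "epss": "0.01", "percentile": "0.20"}]}""")

def open_cves(alerts):
    """Distinct CVE ids of open alerts; advisories without a CVE (GHSA-only) are skipped."""
    return sorted({a["security_advisory"]["cve_id"] for a in alerts
                   if a["state"] == "open" and a["security_advisory"].get("cve_id")})

def epss_query_urls(cves):
    """Batch ids into as few EPSS requests as the API's per-call limit allows."""
    return [f"{EPSS_API}?cve={','.join(cves[i:i + EPSS_BATCH])}"
            for i in range(0, len(cves), EPSS_BATCH)]

def parse_epss(body):
    """Map cve -> float score from one decoded API response body."""
    return {row["cve"]: float(row["epss"]) for row in body.get("data", [])}

def evaluate(alerts, scores, threshold=0.6):
    """Return (passed, violations, unscored). A score at or above the threshold violates
    the policy; ids with no EPSS row are reported rather than silently passed (assumption)."""
    violations, unscored = [], []
    for cve in open_cves(alerts):
        if cve not in scores:
            unscored.append(cve)
        elif scores[cve] >= threshold:
            violations.append((cve, scores[cve]))
    return (not violations, violations, unscored)

def summary_markdown(violations, unscored, threshold):
    """Markdown table suitable for appending to $GITHUB_STEP_SUMMARY."""
    rows = [f"| {cve} | {score:.3f} |" for cve, score in violations]
    rows += [f"| {cve} | (no EPSS score) |" for cve in unscored]
    return "\n".join([f"## EPSS policy (threshold {threshold})", "| CVE | EPSS |", "|---|---|"] + rows)
```

In a workflow step, exiting non-zero when `evaluate` returns `passed == False` is what fails the job; the Markdown from `summary_markdown` can be appended to the file named by `$GITHUB_STEP_SUMMARY` to produce the job summary.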
Dependabot EPSS Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.