{"id":13414528,"url":"https://github.com/m-mizutani/octovy","last_synced_at":"2025-09-02T22:37:22.682Z","repository":{"id":39657808,"uuid":"359010704","full_name":"m-mizutani/octovy","owner":"m-mizutani","description":"Trivy based vulnerability management service","archived":false,"fork":false,"pushed_at":"2025-03-13T00:52:51.000Z","size":2220,"stargazers_count":55,"open_issues_count":4,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-26T07:08:35.592Z","etag":null,"topics":["github-app","golang","security","typescript","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/m-mizutani.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-18T00:25:50.000Z","updated_at":"2024-07-08T23:55:39.000Z","dependencies_parsed_at":"2023-01-30T22:30:38.113Z","dependency_job_id":"8e4a9d12-531d-4b20-a112-b5c198aefca6","html_url":"https://github.com/m-mizutani/octovy","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Foctovy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Foctovy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Foctovy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Foctovy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/m-mizutani","download_url":"https://codeload.github.com/m-mizutani/octovy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251072279,"owners_count":21532004,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-app","golang","security","typescript","vulnerability-scanners"],"created_at":"2024-07-30T21:00:25.331Z","updated_at":"2025-04-27T00:31:10.167Z","avatar_url":"https://github.com/m-mizutani.png","language":"Go","funding_links":[],"categories":["Other respositories","Go"],"sub_categories":[],"readme":"# Octovy\n\nOctovy is a GitHub App that scans your repository's code for potentially vulnerable dependencies. It utilizes [trivy](https://github.com/aquasecurity/trivy) to detect software vulnerabilities. When triggered by events like `push` and `pull_request` from GitHub, Octovy scans the repository for dependency vulnerabilities and performs the following actions:\n\n- Adds a comment to the pull request, summarizing the vulnerabilities found\n- Inserts the scan results into BigQuery\n\n![architecture](https://github.com/m-mizutani/octovy/assets/605953/4366161f-a4ff-4abb-9766-0fb4df818cb1)\n\nOctovy adds a comment to the pull request when it detects new vulnerabilities between the head of the PR and the merge destination.\n\n\u003cimg width=\"755\" alt=\"comment example\" src=\"https://github.com/m-mizutani/octovy/assets/605953/052a6362-c284-4857-921c-5c3c2f32065b\"\u003e\n\n## Setup\n\n### 1. Creating a GitHub App\n\nStart by creating a GitHub App [here](https://github.com/settings/apps). You can use any name and description you like. However, ensure you set the following configurations:\n\n- **General**\n  - **Webhook URL**: `https://\u003cyour domain\u003e/webhook/github`\n  - **Webhook secret**: A string of your choosing (e.g. `mysecret_XOIJPOIFEA`)\n\n- **Permissions \u0026 events**\n  - Repository Permissions\n    - **Checks**: Set to Read \u0026 Write\n    - **Contents**: Set to Read-only\n    - **Metadata**: Set to Read-only\n    - **Pull Requests**: Set to Read \u0026 Write\n  - Subscribe to events\n    - **Pull request**\n    - **Push**\n\nOnce you have completed the setup, make sure to take note of the following information from the **General** section for future reference:\n\n- **App ID** (e.g. `123456`)\n- **Private Key**: Click `Generate a private key` and download the key file (e.g. `your-app-name.2023-08-14.private-key.pem`)\n\n### 2. Setting Up Cloud Resources\n\n- **Cloud Storage**: Create a Cloud Storage bucket dedicated to storing the scan results exclusively for Octovy's use.\n- **BigQuery** (Optional): Create a BigQuery dataset and table for storing the scan results. Octovy will automatically update the schema. The default table name should be `scans`.\n\n### 3. Deploying Octovy\n\nThe recommended method of deploying Octovy is via a container image, available at `ghcr.io/m-mizutani/octovy`. This image is built using GitHub Actions and published to the GitHub Container Registry.\n\nTo run Octovy, set the following environment variables:\n\n#### Required Environment Variables\n- `OCTOVY_ADDR`: The address to bind the server to (e.g. `:8080`)\n- `OCTOVY_GITHUB_APP_ID`: The GitHub App ID\n- `OCTOVY_GITHUB_APP_PRIVATE_KEY`: The path to the private key file\n- `OCTOVY_GITHUB_APP_SECRET`: The secret string used to verify the webhook request from GitHub\n- `OCTOVY_CLOUD_STORAGE_BUCKET`: The name of the Cloud Storage bucket\n\n#### Optional Environment Variables\n- `OCTOVY_TRIVY_PATH`: The path to the trivy binary. If you uses the our container image, you don't need to set this variable.\n- `OCTOVY_CLOUD_STORAGE_PREFIX`: The prefix for the Cloud Storage object\n- `OCTOVY_BIGQUERY_PROJECT_ID`: The name of the BigQuery dataset\n- `OCTOVY_BIGQUERY_DATASET_ID`: The name of the BigQuery table\n- `OCTOVY_BIGQUERY_TABLE_ID`: The name of the BigQuery table\n- `OCTOVY_BIGQUERY_IMPERSONATE_SERVICE_ACCOUNT`: The service account to impersonate when accessing BigQuery\n- `OCTOVY_SENTRY_DSN`: The DSN for Sentry\n- `OCTOVY_SENTRY_ENV`: The environment for Sentry\n\n## Configuration\n\n### Ignore list\n\nThe developer can ignore specific vulnerabilities by adding them to the ignore list. The config file is written in CUE. See CUE definition in [pkg/domain/model/schema/ignore.cue](pkg/domain/model/schema/ignore.cue).\n\nThe config file should be placed in `.octovy` directory at the root of the repository. Octovy checks all files in the `.octovy` directory recursively and loads them. (e.g. `.octovy/ignore.cue`)\n\nThe following is an example of the ignore list configuration:\n\n```cue\npackage octovy\n\nIgnoreList: [\n  {\n    Target: \"Gemfile.lock\"\n    Vulns: [\n      {\n        ID:        \"CVE-2020-8130\"\n        ExpiresAt: \"2024-08-01T00:00:00Z\"\n        Comment:   \"This is not used\"\n      },\n    ]\n  },\n]\n```\n\n`package` name should be `octovy`. `IgnoreList` is a list of `Ignore` struct.\n\n- `Target` is the file path to ignore. That should be matched `Target` of trivy\n- `Vulns` is a list of `IgnoreVuln` struct.\n  - `ID` (required):  the vulnerability ID to ignore. (e.g. `CVE-2022-2202`)\n  - `ExpiresAt` (required): The expiration date of the ignore. It should be in RFC3339 format. (e.g. `2023-08-01T00:00:00`). The date must be in 90 days and if it's over 90 days, Octovy will ignore it.\n  - `Comment` (optional): The developer's comment\n\n\n## License\n\nOctovy is licensed under the Apache License 2.0. Copyright 2023 Masayoshi Mizutani \u003cmizutani@hey.com\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm-mizutani%2Foctovy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm-mizutani%2Foctovy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm-mizutani%2Foctovy/lists"}