Overview
Vectra Guard automatically scans your project dependencies for known CVEs (Common Vulnerabilities and Exposures). The CVE database is synced locally for fast, offline scanning.
Key Features
- Local CVE database for fast, offline scanning
- Automatic scanning on dependency changes
- Severity-based filtering and reporting
- Integration with package managers (npm, pip, cargo, etc.)
- Detailed vulnerability reports with remediation steps
Quick Start
Get started with CVE scanning in three simple steps:
# 1. Sync the CVE database
vg cve sync --path .
# 2. Scan your project
vg cve scan --path .
# 3. View detailed report
vg cve report --path . --format json
Database Management
The CVE database is stored locally in .vectra-guard/cve/. Keep it updated for accurate scanning.
# Sync database (downloads latest CVEs)
vg cve sync --path .
# Force update (ignores cache)
vg cve sync --path . --force
# Check database status
vg cve status --path .
# Output:
# Database: .vectra-guard/cve/
# Last updated: 2024-01-15 10:30:00
# Total CVEs: 250,000+
# Size: 45 MB
Note: The database syncs automatically on first scan. Manual sync is recommended weekly or before important deployments.
Scanning Your Project
Vectra Guard automatically detects package managers and scans their lock files for vulnerabilities.
# Scan current directory
vg cve scan --path .
# Scan specific directory
vg cve scan --path /path/to/project
# Scan with severity filter
vg cve scan --path . --severity high,critical
# Scan and output JSON
vg cve scan --path . --format json
# Scan and save report
vg cve scan --path . --output report.json
Supported Package Managers
- npm (package.json, package-lock.json)
- yarn (yarn.lock)
- pnpm (pnpm-lock.yaml)
- pip (requirements.txt)
- poetry (poetry.lock)
- pipenv (Pipfile.lock)
- cargo (Cargo.lock)
- go (go.mod, go.sum)
Severity Levels
CVEs are categorized by severity to help prioritize remediation efforts.
Low
Minor issues with limited impact. Usually informational.
Example: Information disclosure, minor configuration issues
Medium
Moderate risk. May require specific conditions to exploit.
Example: Privilege escalation, denial of service
High
Significant risk. Can lead to data breach or system compromise.
Example: Remote code execution, SQL injection
Critical
Immediate threat. Easy to exploit, severe impact.
Example: Authentication bypass, remote root access
Configuration
Configure CVE scanning behavior in your .vectra-guard/config.yaml:
cve:
  enabled: true
  auto_scan: true              # Scan on dependency changes
  severity_threshold: medium   # Only report medium+
  update_interval: 86400       # Update DB daily (seconds)
  ignore_list:
    - CVE-2023-XXXXX           # Ignore specific CVEs
    - "package:name@version"   # Ignore specific packages
  # Package manager specific
  npm:
    enabled: true
    scan_lockfile: true
  pip:
    enabled: true
    scan_requirements: true
CI/CD Integration
Integrate CVE scanning into your CI/CD pipeline to catch vulnerabilities before deployment.
# GitHub Actions example
name: CVE Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Vectra Guard
        run: |
          curl -fsSL https://raw.githubusercontent.com/xadnavyaai/vectra-guard/main/install.sh | bash
      - name: Sync CVE Database
        run: vg cve sync --path .
      - name: Scan for CVEs
        run: vg cve scan --path . --severity high,critical
        continue-on-error: true
      - name: Generate Report
        run: vg cve report --path . --format json --output cve-report.json
      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: cve-report
          path: cve-report.json
Best Practices
1. Regular Scanning
Scan your project regularly, especially after dependency updates. Consider setting up automated scans in CI/CD.
2. Keep Database Updated
Sync the CVE database weekly or before important deployments to ensure you're checking against the latest vulnerabilities.
3. Prioritize by Severity
Focus on high and critical severity CVEs first. Use severity filters to reduce noise in reports.
4. Review False Positives
Some CVEs may not apply to your use case. Use the ignore list in configuration to exclude them.
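The following is an added example, not Vectra Guard's own code, that ties the Configuration section (severity_threshold and the two ignore_list entry forms), the CI/CD workflow and best practices 3 and 4 together. It post-processes the JSON written by `vg cve report --format json --output cve-report.json`, drops findings below the threshold or listed in ignore_list, and returns a non-zero exit status when anything at or above a chosen severity remains. Because the workflow above sets `continue-on-error: true` on the scan step, the scan itself never fails the job; a gate like this one is what makes the pipeline block on high/critical findings. The report layout assumed here (a top-level "vulnerabilities" list whose items carry "id", "package", "version" and "severity") and the exact ignore-list matching rules are assumptions for illustration; the sample report, its CVE ids and package names are constructed placeholders.

```python
"""Apply severity_threshold and ignore_list semantics to a CVE report and
decide whether a CI job should fail.

Added example, not Vectra Guard's code. The report schema below and the
ignore_list matching rules are ASSUMPTIONS; check them against real output.
"""
import json
import sys

# Order used for "medium+" style thresholds (see severity_threshold in config.yaml).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report; CVE ids and package names are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "CVE-2023-XXXX1", "package": "example-pkg-a", "version": "1.0.0", "severity": "low"},
        {"id": "CVE-2023-XXXX2", "package": "example-pkg-b", "version": "2.0.0", "severity": "high"},
        {"id": "CVE-2023-XXXX3", "package": "example-pkg-c", "version": "3.0.0", "severity": "critical"},
        {"id": "CVE-2023-XXXX4", "package": "example-pkg-d", "version": "4.0.0", "severity": "medium"},
        {"id": "CVE-2023-XXXX5", "package": "example-pkg-c", "version": "3.1.0", "severity": "high"},
    ]
})


def severity_rank(severity):
    """Rank a severity label; unknown labels rank above critical so they are never silently dropped."""
    return SEVERITY_RANK.get(str(severity).lower(), len(SEVERITY_RANK))


def is_ignored(finding, ignore_list):
    """Match the two ignore_list forms shown in config.yaml: a bare CVE id,
    or "package:<name>@<version>" (exact version only, so an upgrade is re-checked)."""
    pkg_entry = f"package:{finding['package']}@{finding['version']}"
    for entry in ignore_list:
        entry = entry.strip()
        if entry.upper() == finding["id"].upper() or entry == pkg_entry:
            return True
    return False


def filter_findings(report_json, severity_threshold="medium", ignore_list=()):
    """Return findings at or above the threshold that are not on the ignore list."""
    report = json.loads(report_json)
    floor = severity_rank(severity_threshold)
    kept = []
    for finding in report.get("vulnerabilities", []):
        if severity_rank(finding.get("severity")) < floor:
            continue
        if is_ignored(finding, ignore_list):
            continue
        kept.append(finding)
    return kept


def gate_exit_code(findings, fail_on="high"):
    """0 if nothing at or above fail_on remains, else 1 (use as the job's exit status)."""
    floor = severity_rank(fail_on)
    return 1 if any(severity_rank(f.get("severity")) >= floor for f in findings) else 0


def main(argv):
    # Usage: python cve_gate.py [cve-report.json]; reads the constructed sample when no file is given.
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    ignore = ["CVE-2023-XXXX2", "package:example-pkg-c@3.0.0"]  # mirrors an ignore_list in config.yaml
    remaining = filter_findings(report_json, "medium", ignore)
    for f in remaining:
        print(f"{f['severity']:<8} {f['id']}  {f['package']}@{f['version']}")
    return gate_exit_code(remaining, fail_on="high")


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the workflow this would run as a step after "Generate Report" (`run: python cve_gate.py cve-report.json`) without `continue-on-error`, so the job fails exactly when unignored high or critical findings remain. Ignoring by `package:name@version` rather than by package name alone keeps the exclusion pinned to the version that was reviewed, which is the behaviour best practice 4 needs.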