CLI for efficiently coordinating vulnerability reports and remediations with GitHub Security Advisories (GHSA)
Project description
ghsa-cli
Install from PyPI (python -m pip install ghsa-cli) and
authenticate by exporting a GitHub personal access token in the
GH_TOKEN environment variable of the shell session. The target
repository is resolved automatically from the upstream or origin remote
of the git repository in the current working directory, or can be set
explicitly via GH_REPO or --repo.
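As an added example of the repository resolution described above (illustrative code, not ghsa-cli's own implementation), the following Python applies the same precedence: an explicit --repo value, then GH_REPO, then the git remotes. It assumes upstream is consulted before origin and that remote URLs use GitHub's ssh or https forms; the function and parameter names are this example's own.

```python
"""Resolve which GitHub repository a command targets, following the
precedence described above: --repo, then GH_REPO, then the git remotes.
Added example, not ghsa-cli's own code; it assumes 'upstream' is tried
before 'origin' and that remotes use GitHub's ssh or https URL forms."""
import os
import re
import subprocess
from typing import Mapping, Optional

# git@github.com:owner/repo.git, ssh://git@github.com/owner/repo,
# https://github.com/owner/repo[.git][/]
_REMOTE_RE = re.compile(
    r"^(?:git@github\.com:|ssh://git@github\.com/|https?://github\.com/)"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?/?$"
)


def parse_github_remote(url: str) -> Optional[str]:
    """Return 'owner/repo' for a GitHub remote URL, or None for anything else."""
    m = _REMOTE_RE.match(url.strip())
    return f"{m['owner']}/{m['repo']}" if m else None


def git_remote_url(name: str, cwd: str = ".") -> Optional[str]:
    """Ask git for a remote's URL; None if git or the remote is missing."""
    try:
        proc = subprocess.run(
            ["git", "remote", "get-url", name],
            cwd=cwd, capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip() or None


def resolve_repo(
    repo_flag: Optional[str] = None,
    env: Optional[Mapping[str, str]] = None,
    remotes: Optional[Mapping[str, str]] = None,
) -> Optional[str]:
    """--repo beats GH_REPO, which beats the upstream then origin remote.

    `remotes` maps remote name -> URL; pass it to avoid shelling out
    (the tests do), otherwise git is consulted for the current directory.
    """
    env = os.environ if env is None else env
    if repo_flag:
        return repo_flag
    if env.get("GH_REPO"):
        return env["GH_REPO"]
    for name in ("upstream", "origin"):
        url = remotes.get(name) if remotes is not None else git_remote_url(name)
        if url and (parsed := parse_github_remote(url)):
            return parsed
    return None


if __name__ == "__main__":
    print(resolve_repo())
```

A non-GitHub remote (a GitLab mirror, say) is skipped rather than misparsed, and when nothing resolves the caller gets None and should ask for --repo instead of guessing.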
Below are some common workflows this tool is designed for:
Assigning yourself as 'Coordinator' for a ticket
Assign yourself as a coordinator. Wherever a login is given on the
command line, the alias me means the currently authenticated user.
ghsa-cli credit GHSA-xxxx-xxxx-xxxx --coordinator me
Adding collaborators by name
Adds collaborators by name, either teams or individual users.
ghsa-cli collaborators GHSA-xxxx-xxxx-xxxx --login sethmlarson
ghsa-cli collaborators GHSA-xxxx-xxxx-xxxx --team python/fuzzers
Moving a GHSA to a public GitHub issue
Opens a new GitHub issue form pre-filled with the same title and description as the current advisory. By default the GHSA is closed afterwards if it is not already closed.
ghsa-cli move-to-issue GHSA-xxxx-xxxx-xxxx
You can skip closing the GHSA after the issue templating page is
opened by passing --no-close.
Listing open GHSAs where you are assigned 'Coordinator'
Useful for prioritizing which ticket you should work on next depending on their state, age, and whether a fix has been developed and reviewed.
ghsa-cli list --coordinator me
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━━┳━━━━━━┳━━━━━━┓
┃ id                  ┃ title ┃ state  ┃ age  ┃ cvss ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━━╇━━━━━━╇━━━━━━┩
│ GHSA-xxxx-xxxx-xxxx │ ...   │ triage │ 10d  │ 6.5  │
│ GHSA-xxxx-xxxx-xxxx │ ...   │ draft  │ 16d  │ 7.0  │
│ GHSA-xxxx-xxxx-xxxx │ ...   │ draft  │ 21d  │ 2.0  │
│ GHSA-xxxx-xxxx-xxxx │ ...   │ draft  │ 60d  │ 2.0  │
└─────────────────────┴───────┴────────┴──────┴──────┘
Prioritizing reports based on CVSS or age
ghsa-cli list --sort cvss age
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━━┳━━━━━━┳━━━━━━┓
┃ id                  ┃ title ┃ state  ┃ age  ┃ cvss ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━━━╇━━━━━━╇━━━━━━┩
│ GHSA-xxxx-xxxx-xxxx │ ...   │ draft  │ 16d  │ 7.0  │
│ GHSA-xxxx-xxxx-xxxx │ ...   │ triage │ 10d  │ 6.5  │
│ GHSA-xxxx-xxxx-xxxx │ ...   │ draft  │ 60d  │ 2.0  │
│ GHSA-xxxx-xxxx-xxxx │ ...   │ draft  │ 21d  │ 2.0  │
└─────────────────────┴───────┴────────┴──────┴──────┘
Searching for reports based on text
Use the search command and supply text to
search through advisory titles and descriptions.
ghsa-cli search crlf
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ id                  ┃ state  ┃ title                                             ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ GHSA-xxxx-xxxx-xxxx │ closed │ IMAP Protocol Command Injection (CRLF) in imaplib │
│ GHSA-xxxx-xxxx-xxxx │ closed │ POP3 Protocol Command Injection (CRLF) in poplib  │
└─────────────────────┴────────┴───────────────────────────────────────────────────┘
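The filtering, sorting and search behaviour shown in the list and search examples above, as an added Python example that is not ghsa-cli's code. The advisory records are constructed here in the shape of GitHub's repository security advisory REST objects (an assumption about field names; the ids and titles are placeholders), the clock is pinned so the ages match the tables above, and the me alias is resolved against a hard-coded login.

```python
"""Prioritise and search security advisories the way `list --coordinator me`,
`list --sort cvss age` and `search` do. Added example, not ghsa-cli's code.
Records are constructed in the shape of GitHub's repository security
advisory REST objects (assumed field names); ids and titles are placeholders."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # fixed clock so ages are stable


def _iso(days_ago: int) -> str:
    return (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample data (not real advisories).
ADVISORIES = [
    {"ghsa_id": "GHSA-aaaa-aaaa-aaaa", "state": "triage",
     "summary": "Header injection in client",
     "description": "CRLF in header values is not rejected.",
     "cvss": {"score": 6.5}, "created_at": _iso(10),
     "credits": [{"login": "sethmlarson", "type": "coordinator"}]},
    {"ghsa_id": "GHSA-bbbb-bbbb-bbbb", "state": "draft",
     "summary": "Path traversal in extractor",
     "description": "Archive members can escape the destination directory.",
     "cvss": {"score": 7.0}, "created_at": _iso(16),
     "credits": [{"login": "sethmlarson", "type": "coordinator"}]},
    {"ghsa_id": "GHSA-cccc-cccc-cccc", "state": "draft",
     "summary": "Quadratic parsing", "description": "Large inputs are slow.",
     "cvss": {"score": 2.0}, "created_at": _iso(21),
     "credits": [{"login": "someone-else", "type": "coordinator"}]},
    {"ghsa_id": "GHSA-dddd-dddd-dddd", "state": "draft",
     "summary": "Log line splitting",
     "description": "Unescaped CRLF lets a client forge log entries.",
     "cvss": {"score": 2.0}, "created_at": _iso(60),
     "credits": [{"login": "sethmlarson", "type": "coordinator"}]},
    {"ghsa_id": "GHSA-eeee-eeee-eeee", "state": "closed",
     "summary": "Old issue", "description": "",
     "cvss": {"score": None}, "created_at": _iso(300), "credits": []},
]

OPEN_STATES = ("triage", "draft")


def age_days(adv: dict, now: datetime = NOW) -> int:
    created = datetime.strptime(adv["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    return (now - created.replace(tzinfo=timezone.utc)).days


def resolve_login(login: str, authenticated_user: str) -> str:
    """The `me` alias: expand to the authenticated user's login."""
    return authenticated_user if login == "me" else login


def list_advisories(advs, *, coordinator=None, states=OPEN_STATES,
                    sort=("cvss", "age"), me="sethmlarson"):
    rows = [a for a in advs if a["state"] in states]
    if coordinator:
        who = resolve_login(coordinator, me)
        rows = [a for a in rows
                if any(c["type"] == "coordinator" and c["login"] == who
                       for c in a["credits"])]
    keys = {
        "cvss": lambda a: -(a["cvss"]["score"] or 0.0),  # highest score first; unscored last
        "age": lambda a: -age_days(a),                  # oldest first within a tie
    }
    return sorted(rows, key=lambda a: tuple(keys[k](a) for k in sort))


def search(advs, text: str):
    """Case-insensitive substring match over title and description."""
    needle = text.lower()
    return [a for a in advs
            if needle in a["summary"].lower() or needle in a["description"].lower()]


def ids(rows) -> list:
    return [a["ghsa_id"] for a in rows]


if __name__ == "__main__":
    for a in list_advisories(ADVISORIES, coordinator="me"):
        print(a["ghsa_id"], a["state"], f"{age_days(a)}d", a["cvss"]["score"])
```

The sort key treats a missing CVSS score as 0 so unscored reports sink to the bottom rather than raising; a triager who wants them surfaced instead should sort on age alone.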
Creating reports and integrating with CVE APIs
Commands that talk to the CVE Services API need credentials: set
the CVE_USERNAME, CVE_CNA, and CVE_API_KEY environment variables
to look up CVE IDs and records (for example the cve_id and
cve_state columns below).
Use the --columns parameter with list to add
additional columns to the report.
ghsa-cli list --state triage draft closed --columns id state cve_id cve_state
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┓
┃ id                  ┃ state  ┃ cve_id         ┃ cve_state ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━┩
│ GHSA-xxxx-xxxx-xxxx │ triage │                │           │
│ GHSA-xxxx-xxxx-xxxx │ closed │ CVE-YYY-YYYY   │ published │
│ GHSA-xxxx-xxxx-xxxx │ draft  │ CVE-YYY-YYYY   │ reserved  │
└─────────────────────┴────────┴────────────────┴───────────┘
Creating a template CVE Record from a GHSA
The cve-record command creates a template CVE record from the
information available in a GHSA, for use with a tool such as
Vulnogram. This makes creating a CVE record quick and carries
over information like credits and CVSS automatically.
ghsa-cli cve-record GHSA-xxxx-yyyy-zzzz
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-YYYY-XXXX",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "title": "...",
      "affected": [
        {
          "vendor": "Python Software Foundation",
          "product": "CPython",
          "repo": "https://github.com/python/cpython",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "versionType": "python",
              "version": "0"
            }
          ],
          "modules": []
        }
      ]
      ...
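An added Python example (not the project's implementation) of the GHSA-to-CVE-record mapping that cve-record performs. It assumes the field names of GitHub's REST advisory object (summary, description, cvss, cwes, credits, html_url), translates GitHub's underscore credit types to the space-separated CVE 5.x credit types, derives the CVSS v3.1 qualitative severity from the base score, and uses the vendor/product/version defaults shown in the sample output above. The sample advisory, its CVSS vector and its logins are constructed.

```python
"""Build a CVE JSON 5.2 record skeleton from a GitHub Security Advisory,
as the README's cve-record command does. Added example, not ghsa-cli's
code. Input is a constructed dict in the shape of GitHub's REST advisory
object (assumed field names); the affected-product defaults come from
the sample output in the README."""
import json
from typing import Optional

# CVE 5.x credit types; GitHub spells the multi-word ones with underscores.
_CVE_CREDIT_TYPES = {
    "analyst", "finder", "reporter", "coordinator", "remediation developer",
    "remediation reviewer", "remediation verifier", "tool", "sponsor", "other",
}

# Constructed sample advisory (placeholder ids, logins and text).
SAMPLE_ADVISORY = {
    "ghsa_id": "GHSA-xxxx-xxxx-xxxx",
    "cve_id": "CVE-YYYY-XXXX",
    "state": "published",
    "summary": "Header injection in client",
    "description": "CRLF sequences in header values are not rejected.",
    "html_url": "https://github.com/python/cpython/security/advisories/GHSA-xxxx-xxxx-xxxx",
    "cvss": {"score": 6.5, "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},
    "cwes": [{"cwe_id": "CWE-93",
              "name": "Improper Neutralization of CRLF Sequences ('CRLF Injection')"}],
    "credits": [{"login": "reporter-login", "type": "reporter"},
                {"login": "sethmlarson", "type": "remediation_developer"}],
}


def cvss_severity(score: Optional[float]) -> Optional[str]:
    """CVSS v3.1 qualitative rating for a base score."""
    if score is None:
        return None
    if score == 0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def cve_credit_type(github_type: str) -> str:
    """remediation_developer -> 'remediation developer'; unknown -> 'other'."""
    t = github_type.replace("_", " ")
    return t if t in _CVE_CREDIT_TYPES else "other"


def ghsa_to_cve_record(adv: dict, *, vendor: str = "Python Software Foundation",
                       product: str = "CPython",
                       repo: str = "https://github.com/python/cpython") -> dict:
    cna = {
        "title": adv["summary"],
        "descriptions": [{"lang": "en", "value": adv["description"]}],
        "affected": [{
            "vendor": vendor, "product": product, "repo": repo,
            "defaultStatus": "unaffected",
            "versions": [{"versionType": "python", "version": "0"}],
            "modules": [],
        }],
        "references": [{"url": adv["html_url"]}],
        # Credit 'value' is a display name in CVE 5.x; using the login is an assumption.
        "credits": [{"lang": "en", "type": cve_credit_type(c["type"]), "value": c["login"]}
                    for c in adv.get("credits", [])],
    }
    if adv.get("cwes"):
        cna["problemTypes"] = [{"descriptions": [
            {"lang": "en", "type": "CWE", "cweId": c["cwe_id"], "description": c["name"]}
            for c in adv["cwes"]]}]
    score = (adv.get("cvss") or {}).get("score")
    if score is not None:
        cna["metrics"] = [{"format": "CVSS", "cvssV3_1": {
            "version": "3.1", "baseScore": score,
            "baseSeverity": cvss_severity(score),
            "vectorString": adv["cvss"]["vector_string"]}}]
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.2",
        # Template for a record about to be published, as in the README's sample.
        "cveMetadata": {"cveId": adv["cve_id"], "state": "PUBLISHED"},
        "containers": {"cna": cna},
    }


if __name__ == "__main__":
    print(json.dumps(ghsa_to_cve_record(SAMPLE_ADVISORY), indent=2))
```

Optional sections (problemTypes, metrics) are only emitted when the advisory actually carries a CWE or a score, since the CVE schema rejects empty description arrays and a metrics entry without a vector; review the generated credits before submitting, as GitHub logins are not necessarily the names reporters want published.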
Download files
Source Distribution
Built Distribution
File details
Details for the file ghsa_cli-2026.5.1.tar.gz.
File metadata
- Download URL: ghsa_cli-2026.5.1.tar.gz
- Upload date:
- Size: 11.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ec52bf1f766f728ab8b3c7c328e45e0b627bb5509cf33fecca9eaf0cc4f26b9d |
| MD5 | d7448e28fa7fcff0ed5596eab84e3ce0 |
| BLAKE2b-256 | 5a2f2e1b5dd349eb7c2550b9db0de4733c9026446e583ee269c3b2721322f45a |
Provenance
The following attestation bundles were made for ghsa_cli-2026.5.1.tar.gz:
Publisher: publish.yml on sethmlarson/ghsa-cli
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: ghsa_cli-2026.5.1.tar.gz
- Subject digest: ec52bf1f766f728ab8b3c7c328e45e0b627bb5509cf33fecca9eaf0cc4f26b9d
- Sigstore transparency entry: 1421692560
- Sigstore integration time:
- Permalink: sethmlarson/ghsa-cli@bbfcca8c01b691ac1694644c6e93df2240310da5
- Branch / Tag: refs/tags/2026.5.1
- Owner: https://github.com/sethmlarson
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@bbfcca8c01b691ac1694644c6e93df2240310da5
- Trigger Event: push
File details
Details for the file ghsa_cli-2026.5.1-py3-none-any.whl.
File metadata
- Download URL: ghsa_cli-2026.5.1-py3-none-any.whl
- Upload date:
- Size: 11.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c1384dd6d4f93f1e84e73b08f6c552adcf752628b3287a3d06ed3107473639c3 |
| MD5 | c066a3f00d682b2c4717a61a46f1dbd2 |
| BLAKE2b-256 | 20e5d0d1610f783ee712c7c66433e6cf30f15d2ceadb1a16c8722cf03069f7af |
Provenance
The following attestation bundles were made for ghsa_cli-2026.5.1-py3-none-any.whl:
Publisher: publish.yml on sethmlarson/ghsa-cli
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: ghsa_cli-2026.5.1-py3-none-any.whl
- Subject digest: c1384dd6d4f93f1e84e73b08f6c552adcf752628b3287a3d06ed3107473639c3
- Sigstore transparency entry: 1421692696
- Sigstore integration time:
- Permalink: sethmlarson/ghsa-cli@bbfcca8c01b691ac1694644c6e93df2240310da5
- Branch / Tag: refs/tags/2026.5.1
- Owner: https://github.com/sethmlarson
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@bbfcca8c01b691ac1694644c6e93df2240310da5
- Trigger Event: push