
Self-hosted CVE tracker — syncs NVD, scans assets via OpenVAS/OVAL/Insights, raises GitHub Issues on matches, ships a live status page.

Project description

ign8cve-tracker

Self-hosted CVE tracker. Syncs the full NVD feed, discovers vulnerable software across your fleet via OpenVAS, OVAL scanning, and Red Hat Insights, raises a GitHub Issue for every new match, and ships a live status page.

pipx install "ign8cve-tracker[infra]"
ign8cve deploy   # provision Hetzner + deploy full stack

What it does

Component | What it does
nvd-sync | Full NVD sync on first run, then incremental (lastModified) syncs hourly
inventory-sync | Pulls host and software records from OpenVAS via python-gvm and upserts assets
oscap-sync | Runs oscap oval eval on remote hosts over SSH and imports the results
insights-sync | Fetches CVE exposure lists from Red Hat Insights for enrolled RHEL systems
matcher | Cross-joins assets × CVEs on CPE vendor+product and opens GitHub Issues for new matches
status-page | aiohttp dashboard: CVE counts by severity, match list, 30-day sparklines
ign8cve | CLI to provision and destroy the whole stack on Hetzner Cloud

Install

# just the daemons + status page
pip install ign8cve-tracker

# + deploy CLI (hcloud, paramiko, typer)
pip install "ign8cve-tracker[infra]"

Deploy

Requires Hetzner Cloud and (optionally) Cloudflare credentials as environment variables:

export HETZNER_TOKEN=...
export IGN8_CLOUDFLARE_TOKEN=...   # optional — for DNS
export IGN8_CLOUDFLARE_ZONE_ID=... # optional
export IGN8_DOMAIN=example.com     # optional

ign8cve deploy

Provisions a Hetzner cx23, installs Docker, uploads the stack, obtains a Let's Encrypt cert, and runs all services. DNS is configured in Cloudflare before TLS so certbot can complete the HTTP-01 challenge.

State is written to .ign8cve/state.json; the SSH key is stored at .ign8cve/keys/ign8cve.

ign8cve destroy   # tear down server + DNS

Run locally

cp .env.example .env   # fill in credentials

# individual daemons
nvd-sync
inventory-sync
matcher

# or all via Docker Compose
docker compose up

Database migrations:

alembic upgrade head

Configuration

All settings are read from environment variables (or a .env file). Key variables:

Variable | Default | Description
DATABASE_URL | postgresql+asyncpg://ign8cve:ign8cve@localhost:5432/ign8cve | PostgreSQL connection string
NVD_API_KEY | | Raises the NVD rate limit from 5 to 50 requests per 30 s
NVD_SYNC_INTERVAL | 3600 | Seconds between NVD syncs
OPENVAS_HOST | localhost | OpenVAS/GVM host
OPENVAS_PORT | 9390 | OpenVAS/GVM port
OPENVAS_USERNAME | admin | OpenVAS/GVM username
OPENVAS_PASSWORD | | OpenVAS/GVM password
GITHUB_TOKEN | | Token used to open Issues on new CVE matches
GITHUB_REPO | | Target repository as org/repo, e.g. acme/vulnerabilities
INSIGHTS_OFFLINE_TOKEN | | Red Hat Insights offline token
INSIGHTS_SYSTEMS | | JSON array: [{"id": "<uuid>", "display_name": "<host>"}]

Architecture

Three independent async daemons share a PostgreSQL database:

NVD API ──► nvd-sync ──► cves table ──────────────┐
                                                  ├──► matcher ──► matches table ──► GitHub Issues
OpenVAS ──► inventory-sync ──┐                    │
OVAL ─────► oscap-sync ──────┼──► assets table ───┘
Insights ─► insights-sync ───┘

CPE matching is intentionally loose: vendor + product must match, version is ignored. This catches CVEs whose CPE wildcards the version. Precise version-range matching (versionStartIncluding / versionEndExcluding) is the main area for future improvement.
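As an added example (not the project's code), the loose vendor+product rule described above placed beside the precise version-range check the README names as future work. CpeMatch, cpe_parts, loose_match and precise_match are hypothetical names, the sample CPEs and the version range are constructed, and CPE 2.3 strings are assumed to contain no escaped colons:

```python
import operator
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CpeMatch:  # one cpeMatch entry of an NVD configuration node (NVD API 2.0 field names)
    criteria: str
    versionStartIncluding: Optional[str] = None
    versionStartExcluding: Optional[str] = None
    versionEndIncluding: Optional[str] = None
    versionEndExcluding: Optional[str] = None

# Constructed sample data (not real NVD records or scan output).
SAMPLE_MATCHES = [CpeMatch("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                           versionStartIncluding="1.1.0", versionEndExcluding="1.1.5"),
                  CpeMatch("cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*")]
SAMPLE_ASSETS = ["cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*",     # same product, below the range
                 "cpe:2.3:a:openssl:openssl:1.1.3:*:*:*:*:*:*:*",     # inside the range
                 "cpe:2.3:a:apache:http_server:2.4.51:*:*:*:*:*:*:*"]  # not the pinned version

def cpe_parts(cpe: str) -> tuple[str, str, str]:
    """(vendor, product, version) from a CPE 2.3 string; assumes no escaped ':' inside fields."""
    f = cpe.split(":")
    if len(f) < 6 or f[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return f[3].lower(), f[4].lower(), f[5]

def _ver(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))  # dotted-numeric only; '1.1.1k' needs vendor-aware parsing

def loose_match(asset_cpe: str, m: CpeMatch) -> bool:
    """The README's current rule: vendor and product equal, version ignored."""
    return cpe_parts(asset_cpe)[:2] == cpe_parts(m.criteria)[:2]

def precise_match(asset_cpe: str, m: CpeMatch) -> bool:
    """Loose rule plus the criteria version and the four NVD version-range fields."""
    if not loose_match(asset_cpe, m):
        return False
    av, mv = cpe_parts(asset_cpe)[2], cpe_parts(m.criteria)[2]
    bounds = [(b, op) for b, op in ((m.versionStartIncluding, operator.ge),
                                     (m.versionStartExcluding, operator.gt),
                                     (m.versionEndIncluding, operator.le),
                                     (m.versionEndExcluding, operator.lt)) if b]
    if mv not in ("*", "-"):        # criteria pins one exact version
        return av == mv
    if not bounds:                  # wildcard with no range: every version is affected
        return True
    try:                            # asset version must be known and inside every bound
        return av not in ("*", "-") and all(op(_ver(av), _ver(b)) for b, op in bounds)
    except ValueError:
        return False                # unparsable version: do not report a confirmed match
```

With the sample data, the loose rule flags all three assets while the precise rule flags only the OpenSSL 1.1.3 host.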


File details

ign8cve_tracker-0.1.0.tar.gz (source distribution)

  • Size: 34.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.3.4 CPython/3.14.4 Darwin/25.4.0

Hashes for ign8cve_tracker-0.1.0.tar.gz
Algorithm | Hash digest
SHA256 | 06cb26c3fc4302975dffe0d758b4fa6b206a56812e0ee0e00f697a90881e8435
MD5 | 32fd2e31e9c088a547bc2e688ded2aeb
BLAKE2b-256 | 3e24a9871acb829ffc65ca05638e2a423fd4bb60bab55eb0681b02743c302003

ign8cve_tracker-0.1.0-py3-none-any.whl (built distribution)

  • Size: 41.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.3.4 CPython/3.14.4 Darwin/25.4.0

Hashes for ign8cve_tracker-0.1.0-py3-none-any.whl
Algorithm | Hash digest
SHA256 | a411ee07fa5ff7c3d16268f97862748f899ac3f4f62483655490036bf7758936
MD5 | 22cd24b7a433bac268426a95a2638252
BLAKE2b-256 | 9f36bfe3488566e770ea9b59a23854c86dfdfe59c6c7c978506d51b65e672994
