# cve-responder

Query and patch vulnerable images across your fleet.

## The Problem

A critical CVE drops. You need to:

  1. Find which deployments run the vulnerable image
  2. Patch all of them to the fixed version

With GitOps, this means grep + edit + commit + PR + wait. Takes hours.

With ConfigHub: query + patch + apply. Takes minutes.

## Usage

```bash
# Scan only - find affected units
./cve-responder --vulnerable nginx:1.24 --scan

# Patch all affected units
./cve-responder --vulnerable nginx:1.24 --patched nginx:1.25

# Dry run - show what would change
./cve-responder --vulnerable nginx:1.24 --patched nginx:1.25 --dry-run

# Limit to production spaces
./cve-responder --vulnerable nginx:1.24 --patched nginx:1.25 --spaces "*-prod-*"

# Sync back to Git
./cve-responder --vulnerable nginx:1.24 --patched nginx:1.25 --sync-git --git-repo ~/my-manifests
```

## How It Works

  1. Query: uses `cub unit list --where "Data CONTAINS 'image'"` to find affected units across all spaces
  2. Patch: uses ConfigHub's `set-image` function to bulk update
  3. Apply: deploys the patched units to clusters
  4. Sync: exports changes and creates a PR to Git (optional)
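The query and patch steps above depend on how precisely a unit's image reference is matched: the scan for `log4j:2.14` must catch `log4j:2.14.1` and `log4j:2.14.0` but not a `2.140` tag, and the rewrite must not touch unrelated images in the same manifest. The following Go program is an added example, not cve-responder's own source and not ConfigHub's `cub` query or `set-image` implementation. It assumes unit data is Kubernetes YAML keyed as `space/unit` (a constructed in-memory map stands in for the ConfigHub API) and implements the scan, the `--spaces` glob filter and the patch step with local string matching:

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// imageLine matches a Kubernetes "image:" field, capturing the prefix
// (indent, optional "- ", key, opening quote), the reference and the suffix
// so a rewrite keeps the original layout and quoting.
var imageLine = regexp.MustCompile(`(?m)^([ \t]*(?:-[ \t]+)?image:[ \t]*["']?)([^"'\s]+)(["']?[ \t]*)$`)

// splitRef splits an image reference into repository and tag. A trailing
// @sha256:... digest is dropped; a missing tag means "latest".
func splitRef(ref string) (repo, tag string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	// The tag separator is the last ':' after the last '/', so a
	// registry:port/repo:tag reference is handled correctly.
	if colon := strings.LastIndex(ref, ":"); colon > strings.LastIndex(ref, "/") {
		return ref[:colon], ref[colon+1:]
	}
	return ref, "latest"
}

// Matches reports whether ref is the vulnerable image: the repository must be
// identical and the tag equal to the vulnerable tag or a sub-version of it
// ("2.14" matches "2.14.1" and "2.14-alpine" but not "2.140").
func Matches(ref, vulnerable string) bool {
	repo, tag := splitRef(ref)
	vRepo, vTag := splitRef(vulnerable)
	if repo != vRepo {
		return false
	}
	return tag == vTag || strings.HasPrefix(tag, vTag+".") || strings.HasPrefix(tag, vTag+"-")
}

// Finding is one vulnerable image reference in one unit.
type Finding struct {
	Space, Unit, Image string
}

// Scan walks units (key "space/unit", value manifest text) and returns the
// vulnerable references. spaceGlob is a path.Match pattern such as
// "*-prod-*"; an empty glob means all spaces.
func Scan(units map[string]string, vulnerable, spaceGlob string) []Finding {
	var out []Finding
	for key, manifest := range units {
		space, unit, _ := strings.Cut(key, "/")
		if spaceGlob != "" {
			if ok, err := path.Match(spaceGlob, space); err != nil || !ok {
				continue
			}
		}
		for _, m := range imageLine.FindAllStringSubmatch(manifest, -1) {
			if Matches(m[2], vulnerable) {
				out = append(out, Finding{space, unit, m[2]})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { // deterministic report order
		return out[i].Space+"/"+out[i].Unit < out[j].Space+"/"+out[j].Unit
	})
	return out
}

// Patch rewrites every vulnerable image reference in manifest to patched and
// returns the new manifest together with the number of replacements.
func Patch(manifest, vulnerable, patched string) (string, int) {
	n := 0
	out := imageLine.ReplaceAllStringFunc(manifest, func(line string) string {
		m := imageLine.FindStringSubmatch(line)
		if m == nil || !Matches(m[2], vulnerable) {
			return line
		}
		n++
		return m[1] + patched + m[3]
	})
	return out, n
}

// sampleUnits is constructed sample data standing in for ConfigHub unit data.
var sampleUnits = map[string]string{
	"trade-prod-us/trade-service": "spec:\n  containers:\n    - name: app\n      image: log4j:2.14.1\n",
	"trade-prod-eu/trade-service": "spec:\n  containers:\n    - name: app\n      image: \"log4j:2.14.1\"\n",
	"trade-staging/trade-service": "spec:\n  containers:\n    - name: app\n      image: log4j:2.14.0\n    - name: other\n      image: log4j:2.140\n",
	"trade-staging/web":           "spec:\n  containers:\n    - name: web\n      image: nginx:1.25\n",
}

func main() {
	vulnerable, patched := "log4j:2.14", "log4j:2.17.1"
	findings := Scan(sampleUnits, vulnerable, "")
	fmt.Printf("Found %d vulnerable image references:\n", len(findings))
	for _, f := range findings {
		fmt.Printf("  - %s/%s: %s\n", f.Space, f.Unit, f.Image)
	}
	for _, f := range findings {
		key := f.Space + "/" + f.Unit
		manifest, n := Patch(sampleUnits[key], vulnerable, patched)
		sampleUnits[key] = manifest
		fmt.Printf("  ✓ %s (%d image(s) rewritten)\n", key, n)
	}
}
```

Two design points worth keeping in mind when reviewing a scan report from any such tool: a plain string prefix check on `log4j:2.14` would also flag `log4j:2.140`, which is why the example splits the reference at the tag separator first; and repository comparison here is exact text, so `docker.io/library/nginx:1.24` and `nginx:1.24` are treated as different images even though a registry resolves them to the same thing, which means a scan can miss units that spell the image with its full path.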

## Prerequisites

```bash
# ConfigHub CLI and auth
cub auth login
export CUB_TOKEN=$(cub auth get-token)

# For Git sync
gh auth login
```

## Build

```bash
go build -o cve-responder .
```

## Example

```console
# A wild CVE appears
$ ./cve-responder --vulnerable log4j:2.14 --scan
Found 47 units with vulnerable image:
  - prod-us/trade-service: log4j:2.14.1
  - prod-eu/trade-service: log4j:2.14.1
  - prod-asia/trade-service: log4j:2.14.1
  - staging/trade-service: log4j:2.14.0
  ...

# Patch them all
$ ./cve-responder --vulnerable log4j:2.14 --patched log4j:2.17.1
Patching to log4j:2.17.1...
  ✓ prod-us/trade-service
  ✓ prod-eu/trade-service
  ✓ prod-asia/trade-service
  ✓ staging/trade-service
  ...
Patch complete: 47 succeeded, 0 failed

# Sync back to Git for audit trail
$ ./cve-responder --vulnerable log4j:2.14 --patched log4j:2.17.1 --sync-git --git-repo ~/manifests
Created PR for CVE patch on branch cve-patch-1702584000
```

## Environment Variables

| Variable | Description | Default |
|---|---|---|
| `CUB_TOKEN` | ConfigHub API token | required |
| `CUB_API_URL` | ConfigHub API URL | `https://hub.confighub.com/api` |