github

github/advisory-database

CC-BY-4.0 Security

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2.4k stars
663 forks
active
GitHub +8 / week

2.4k

Stars

663

Forks

670

Open issues

30

Contributors

AI Analysis

The GitHub Advisory Database is a free, open-source repository of security advisories in OSV format covering CVEs and GitHub-originated disclosures affecting open source software. It serves security researchers, vulnerability management professionals, and open source maintainers who need standardized, machine-readable vulnerability data. This is specialized infrastructure for the security and open source ecosystems, not a general-purpose tool.

Security Security Tool Discovery value: 3/10
Documentation 8/10
Activity 9/10
Community 8/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

security vulnerability-database osv-format open-source community-sourced
Actively maintained Well documented Community favorite Niche/specialized use case Production ready
Deep Analysis · Based on README and public signals
20h ago

GitHub's centralized CVE and security advisory database with community contribution model

GitHub Advisory Database is a free, open-source repository of security vulnerabilities in OSV format, aggregating advisories from NVD, language-specific databases (npm, Python, Ruby, Rust, Go), and community submissions. It powers GitHub's built-in vulnerability scanning and serves as a unified reference point for developers across 12 supported package ecosystems. Real adoption is significant: GitHub integrates it into dependency scanning workflows; it's referenced by tooling across the ecosystem. However, it functions primarily as a curated aggregation layer rather than an authoritative source for all languages.

Origin

Created February 2022, GitHub Advisory Database emerged as GitHub formalized its security advisory infrastructure. It consolidates disparate language-specific vulnerability databases into a single OSV-formatted source, reducing fragmentation and enabling cross-ecosystem vulnerability correlation through GitHub's GHSA ID scheme.

Growth

Steady growth reflecting GitHub's expansion of built-in security features. The repository has grown to 2,357 stars and maintained consistent maintenance (last push July 2026). Growth appears driven by adoption within GitHub's platform features (Dependabot integration, security scanning) rather than viral organic adoption. Community contributions flow in but appear moderated by strict curation criteria and supported-ecosystem restrictions.

In production

Adoption verified: GitHub integrates this database directly into Dependabot and security scanning features available to all GitHub users. Referenced by security tooling across major languages (npm audit, Poetry, Cargo, etc. can consume OSV data). Used by enterprises for vulnerability correlation and reporting. However, the database functions as an aggregation layer; the authoritative sources remain language-specific databases (NVD, RustSec, PyPA, etc.). Adoption is high within GitHub's ecosystem; ecosystem-wide adoption is harder to quantify but likely significant given GitHub's market position.

Code analysis
Architecture

Based on README, this is a data repository, not executable code. Architecture appears to be: individual advisory files stored in OSV schema format; aggregation pipeline importing from multiple upstream sources (NVD, language-specific databases, GitHub-reported advisories); community submission via pull request review by GitHub's internal curation team. Likely uses version control as the primary data structure.

Tests

Not documented in README. As a data repository rather than software library, test coverage refers to data validation (schema compliance, reference validity) — no details provided.

Maintenance

Strong: last push July 6, 2026 (3 days before evaluation date), indicating active maintenance. Repository shows ongoing updates, pull request reviews, and issue triage. Curation team is explicitly mentioned as actively reviewing contributions. However, granular commit frequency and response-time SLAs are not documented.

Honest verdict

ADOPT IF: your organization uses GitHub as primary platform, needs normalized vulnerability data across multiple package ecosystems, requires OSV-formatted data for tooling integration, or wants a community-curated, open-source reference backed by a major vendor. AVOID IF: you need authoritative, single-language vulnerability information (language-specific DBs like RustSec or PyPA are more authoritative within their domains) or cannot accept GitHub's curation criteria and supported-ecosystem restrictions. MONITOR IF: you rely on emerging package ecosystems not yet in GitHub's supported list (database is strict about supported registries), or evaluate it as one input among multiple vulnerability sources rather than as the sole reference.

Independent dimensions

Mainstream potential

6/10

Technical importance

7/10

Adoption evidence

7/10

Risks
  • Curation bottleneck: GitHub's internal team reviews all community contributions; response time and bandwidth for non-GitHub-originated advisories may lag behind language-specific databases.
  • Ecosystem coverage gaps: Only 12 supported ecosystems; other languages/registries cannot contribute via pull request, limiting comprehensiveness.
  • Dependency on upstream sources: Data freshness depends on NVD, npm, PyPA, RustSec, Go, Ruby, Rust, Composer latencies; no guarantee of being first to publish.
  • License and reuse restrictions: CC-BY-4.0 license requires attribution; some organizations may have policy restrictions on data licensing that differ from authoritative government/NIST sources.
  • Aggregation bias: As a secondary source aggregating from multiple primaries, it may inherit quality variance across sources or inadvertently omit advisories from smaller contributors.
Prediction

github-advisory-database will likely remain a stable, actively maintained component of GitHub's platform ecosystem. Adoption will grow with GitHub's user base but primarily within enterprises using GitHub. It will function as a de facto standard for OSV-formatted vulnerability data in web/cloud-native development contexts but will not displace language-specific databases as authoritative sources for security professionals within those languages. Supported ecosystem count may expand but slowly due to curation constraints.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

No language breakdown available.

Information

License
CC-BY-4.0
Last updated
7h ago
Created
54mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Recent releases

No releases published yet.

Similar repos

rubysec

rubysec/ruby-advisory-db

The Ruby Advisory Database is a community-maintained collection of security...

1.1k Ruby Security
FriendsOfPHP

FriendsOfPHP/security-advisories

A centralized database of known security vulnerabilities in PHP packages and...

2.1k PHP Security
google

google/osv.dev

OSV.dev is Google's open-source vulnerability database and triage service that...

2.8k Go Security
CVEProject

CVEProject/cvelistV5

This repository is the official CVE List cache in CVE JSON 5 format, maintained...

Roave

Roave/SecurityAdvisories

Roave Security Advisories is a Composer package that prevents installation of...

vs. alternatives
google/osv.dev

Google's OSV project provides infrastructure and tooling for vulnerability information across ecosystems. github/advisory-database is one data source that feeds OSV; osv.dev is infrastructure-oriented. github-advisory-database emphasizes community curation and GitHub platform integration.

NVD (National Vulnerability Database)

NVD is the authoritative CVE source but covers all software (not just open-source packages). github-advisory-database re-curates NVD data for package ecosystems and adds GitHub-originated advisories, providing a more focused, developer-centric view.

rubysec/ruby-advisory-db

Language-specific database for Ruby; github-advisory-database aggregates it (plus language-specific DBs for Python, Go, Rust, etc.) into a unified format. github-advisory-database is broader in scope but less authoritative for any single language.

FriendsOfPHP/security-advisories

Similar approach for PHP; github-advisory-database aggregates this source as well. Both operate as community-curated databases but FriendsOfPHP is language-focused while github-advisory-database is cross-ecosystem aggregation.

Roave/SecurityAdvisories

Curated security metadata for PHP dependencies. github-advisory-database includes PHP advisories but as one of 12 supported ecosystems; Roave is deeper but narrower in scope.