Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
AI Analysis
The GitHub Advisory Database is a free, open-source repository of security advisories in OSV format covering CVEs and GitHub-originated disclosures affecting open source software. It serves security researchers, vulnerability management professionals, and open source maintainers who need standardized, machine-readable vulnerability data. This is specialized infrastructure for the security and open source ecosystems, not a general-purpose tool.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
GitHub's centralized CVE and security advisory database with community contribution model
GitHub Advisory Database is a free, open-source repository of security vulnerabilities in OSV format, aggregating advisories from NVD, language-specific databases (npm, Python, Ruby, Rust, Go), and community submissions. It powers GitHub's built-in vulnerability scanning and serves as a unified reference point for developers across 12 supported package ecosystems. Real adoption is significant: GitHub integrates it into dependency scanning workflows; it's referenced by tooling across the ecosystem. However, it functions primarily as a curated aggregation layer rather than an authoritative source for all languages.
Created February 2022, GitHub Advisory Database emerged as GitHub formalized its security advisory infrastructure. It consolidates disparate language-specific vulnerability databases into a single OSV-formatted source, reducing fragmentation and enabling cross-ecosystem vulnerability correlation through GitHub's GHSA ID scheme.
Steady growth reflecting GitHub's expansion of built-in security features. The repository has grown to 2,357 stars and maintained consistent maintenance (last push July 2026). Growth appears driven by adoption within GitHub's platform features (Dependabot integration, security scanning) rather than viral organic adoption. Community contributions flow in but appear moderated by strict curation criteria and supported-ecosystem restrictions.
Adoption verified: GitHub integrates this database directly into Dependabot and security scanning features available to all GitHub users. Referenced by security tooling across major languages (npm audit, Poetry, Cargo, etc. can consume OSV data). Used by enterprises for vulnerability correlation and reporting. However, the database functions as an aggregation layer; the authoritative sources remain language-specific databases (NVD, RustSec, PyPA, etc.). Adoption is high within GitHub's ecosystem; ecosystem-wide adoption is harder to quantify but likely significant given GitHub's market position.
Based on README, this is a data repository, not executable code. Architecture appears to be: individual advisory files stored in OSV schema format; aggregation pipeline importing from multiple upstream sources (NVD, language-specific databases, GitHub-reported advisories); community submission via pull request review by GitHub's internal curation team. Likely uses version control as the primary data structure.
Not documented in README. As a data repository rather than software library, test coverage refers to data validation (schema compliance, reference validity) — no details provided.
Strong: last push July 6, 2026 (3 days before evaluation date), indicating active maintenance. Repository shows ongoing updates, pull request reviews, and issue triage. Curation team is explicitly mentioned as actively reviewing contributions. However, granular commit frequency and response-time SLAs are not documented.
ADOPT IF: your organization uses GitHub as primary platform, needs normalized vulnerability data across multiple package ecosystems, requires OSV-formatted data for tooling integration, or wants a community-curated, open-source reference backed by a major vendor. AVOID IF: you need authoritative, single-language vulnerability information (language-specific DBs like RustSec or PyPA are more authoritative within their domains) or cannot accept GitHub's curation criteria and supported-ecosystem restrictions. MONITOR IF: you rely on emerging package ecosystems not yet in GitHub's supported list (database is strict about supported registries), or evaluate it as one input among multiple vulnerability sources rather than as the sole reference.
Independent dimensions
Mainstream potential
6/10
Technical importance
7/10
Adoption evidence
7/10
- Curation bottleneck: GitHub's internal team reviews all community contributions; response time and bandwidth for non-GitHub-originated advisories may lag behind language-specific databases.
- Ecosystem coverage gaps: Only 12 supported ecosystems; other languages/registries cannot contribute via pull request, limiting comprehensiveness.
- Dependency on upstream sources: Data freshness depends on NVD, npm, PyPA, RustSec, Go, Ruby, Rust, Composer latencies; no guarantee of being first to publish.
- License and reuse restrictions: CC-BY-4.0 license requires attribution; some organizations may have policy restrictions on data licensing that differ from authoritative government/NIST sources.
- Aggregation bias: As a secondary source aggregating from multiple primaries, it may inherit quality variance across sources or inadvertently omit advisories from smaller contributors.
github-advisory-database will likely remain a stable, actively maintained component of GitHub's platform ecosystem. Adoption will grow with GitHub's user base but primarily within enterprises using GitHub. It will function as a de facto standard for OSV-formatted vulnerability data in web/cloud-native development contexts but will not displace language-specific databases as authoritative sources for security professionals within those languages. Supported ecosystem count may expand but slowly due to curation constraints.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
No language breakdown available.
Information
- License
- CC-BY-4.0
- Last updated
- 7h ago
- Created
- 54mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
No open issues — clean slate.
Open pull requests
[GHSA-23f4-hfmq-94mj] Quick-Media Batik Codec FIX Package has Buffer Overflow Vulnerability in PNG Codec
[GHSA-59g9-7gfx-c72p] Infinite loop in Tomcat due to parsing error
[GHSA-4fcc-vrwx-v754] The Essential Chat Support plugin for WordPress is...
Top contributors
Recent releases
No releases published yet.
Similar repos
rubysec/ruby-advisory-db
The Ruby Advisory Database is a community-maintained collection of security...
FriendsOfPHP/security-advisories
A centralized database of known security vulnerabilities in PHP packages and...
CVEProject/cvelistV5
This repository is the official CVE List cache in CVE JSON 5 format, maintained...
Roave/SecurityAdvisories
Roave Security Advisories is a Composer package that prevents installation of...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
2.4k | +8 | — | 8/10 | 7h ago |
|
|
1.1k | — | Ruby | 8/10 | 2d ago |
|
|
2.1k | — | PHP | 8/10 | 2w ago |
|
|
2.8k | — | Go | 8/10 | 9h ago |
|
|
2.8k | — | — | 8/10 | 14h ago |
|
|
2.9k | — | — | 8/10 | 16h ago |
Google's OSV project provides infrastructure and tooling for vulnerability information across ecosystems. github/advisory-database is one data source that feeds OSV; osv.dev is infrastructure-oriented. github-advisory-database emphasizes community curation and GitHub platform integration.
NVD is the authoritative CVE source but covers all software (not just open-source packages). github-advisory-database re-curates NVD data for package ecosystems and adds GitHub-originated advisories, providing a more focused, developer-centric view.
Language-specific database for Ruby; github-advisory-database aggregates it (plus language-specific DBs for Python, Go, Rust, etc.) into a unified format. github-advisory-database is broader in scope but less authoritative for any single language.
Similar approach for PHP; github-advisory-database aggregates this source as well. Both operate as community-curated databases but FriendsOfPHP is language-focused while github-advisory-database is cross-ecosystem aggregation.
Curated security metadata for PHP dependencies. github-advisory-database includes PHP advisories but as one of 12 supported ecosystems; Roave is deeper but narrower in scope.
