I’ve been working on a CVE tracker that automatically monitors GitHub Security Advisories and sends alerts to Microsoft Teams. Figured I’d write up why I built it and how it works.
Why I Built It
Staying on top of security vulnerabilities is annoying. GitHub’s Security Advisories are great, but they’re scattered across different repos, and manually checking for new CVEs is tedious. I wanted something that would just notify me automatically about new CVEs, but only the ones that actually matter to me.
So I built a GitHub Actions workflow that runs every hour, fetches the latest advisories, filters them based on what I care about, and sends them to Teams. It’s been pretty useful so far.
How It Works
The workflow is pretty straightforward. It fetches all GitHub Security Advisories via the API, filters for CVEs only (ignores GHSA-only advisories), applies my custom filters, checks for duplicates, and then sends formatted cards to Teams.
I chose GitHub Actions because it’s free for public repos, runs automatically on a schedule, and I don’t have to manage any infrastructure. I went with Teams because we already use it, and Adaptive Cards actually look pretty good.
Features I’m Happy With
The filtering is done through simple JSON config files. You can filter by technologies (with partial matching, so “pip” catches “pip-serverless”), severities, and CVSS scores. There’s also keyword-based importance marking - CVEs matching keywords like “RCE” or “unauthenticated” get marked as IMPORTANT in the cards.
The cards include all the important stuff: CVE ID with severity color coding, CVSS scores (v3.1 and v4.0 if available), summary and description, affected technologies with vulnerable version ranges, CWE information, and links. The link categorization is automatic - it detects code review links, release links, POC links, etc. and groups them nicely. It also deduplicates links and never links to api.github.com URLs since those aren’t useful.
The filtering logic is simple: empty arrays mean “include everything”, and once you add items, it becomes exclusive filtering. I started with everything enabled and narrowed it down as I learned what I actually cared about.
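To make the filtering rules concrete, here is an added example (not the tracker’s own code) that applies them to a handful of constructed advisory records. It assumes the records follow the field shape of GitHub’s REST `/advisories` objects for the fields it reads (`cve_id`, `severity`, `cvss.score`, `vulnerabilities[].package.name`, `summary`); the config keys `technologies`, `severities`, `min_cvss` and `important_keywords` are hypothetical names for the JSON config described above, and the `already_sent` set stands in for the list of CVE IDs the workflow would keep in its cache.

```python
"""Advisory filtering as described in the post (added example, not the tracker's code).

Assumptions: advisory dicts follow the shape of GitHub's REST /advisories
objects for the fields used here (cve_id, severity, cvss.score,
vulnerabilities[].package.name, summary); the config keys are hypothetical.
"""
import json

# Constructed config. Semantics from the post: an empty list includes everything,
# a non-empty list restricts output to matching items.
CONFIG = json.loads("""
{
  "technologies": ["pip", "django"],
  "severities": ["high", "critical"],
  "min_cvss": 7.0,
  "important_keywords": ["RCE", "unauthenticated"]
}
""")

# Constructed sample advisories (CVE IDs, GHSA IDs and package names are made up).
ADVISORIES = [
    {"ghsa_id": "GHSA-aaaa-0001", "cve_id": "CVE-2024-00001", "severity": "critical",
     "cvss": {"score": 9.8}, "summary": "Unauthenticated RCE in pip-serverless",
     "vulnerabilities": [{"package": {"ecosystem": "pip", "name": "pip-serverless"}}]},
    {"ghsa_id": "GHSA-aaaa-0002", "cve_id": None, "severity": "high",  # GHSA-only, no CVE
     "cvss": {"score": 8.1}, "summary": "Path traversal in django-storages",
     "vulnerabilities": [{"package": {"ecosystem": "pip", "name": "django-storages"}}]},
    {"ghsa_id": "GHSA-aaaa-0003", "cve_id": "CVE-2024-00003", "severity": "medium",
     "cvss": {"score": 5.3}, "summary": "Open redirect in django",
     "vulnerabilities": [{"package": {"ecosystem": "pip", "name": "django"}}]},
    {"ghsa_id": "GHSA-aaaa-0004", "cve_id": "CVE-2024-00004", "severity": "high",
     "cvss": {"score": 7.5}, "summary": "DoS in lodash",
     "vulnerabilities": [{"package": {"ecosystem": "npm", "name": "lodash"}}]},
]


def _matches_list(value, allowed):
    """Empty list means 'include everything'; otherwise exact, case-insensitive match."""
    return not allowed or value.lower() in {a.lower() for a in allowed}


def _matches_technology(advisory, technologies):
    """Partial, case-insensitive match on package names ("pip" catches "pip-serverless")."""
    if not technologies:
        return True
    names = [v["package"]["name"].lower() for v in advisory.get("vulnerabilities", [])]
    return any(t.lower() in n for t in technologies for n in names)


def is_important(advisory, keywords):
    """Keyword-based importance flag over summary and description text."""
    text = " ".join(filter(None, [advisory.get("summary"), advisory.get("description")])).lower()
    return any(k.lower() in text for k in keywords)


def select_advisories(advisories, config, already_sent=frozenset()):
    """CVE-only, config filters, then dedupe. Returns (cve_id, important) pairs in input order."""
    selected = []
    for adv in advisories:
        cve = adv.get("cve_id")
        if not cve or cve in already_sent:          # GHSA-only or already alerted
            continue
        if not _matches_list(adv.get("severity", ""), config.get("severities", [])):
            continue
        score = (adv.get("cvss") or {}).get("score")
        min_cvss = config.get("min_cvss")
        if min_cvss is not None and (score is None or score < min_cvss):
            continue
        if not _matches_technology(adv, config.get("technologies", [])):
            continue
        selected.append((cve, is_important(adv, config.get("important_keywords", []))))
    return selected


if __name__ == "__main__":
    for cve_id, important in select_advisories(ADVISORIES, CONFIG):
        print(cve_id, "IMPORTANT" if important else "")
```

One thing worth knowing when tuning the config: because technology matching is a substring test, a short entry like “pip” also matches any package whose name merely contains those letters, so start broad and check what actually comes through before trusting the list to be narrow.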
Deduplication uses GitHub Actions cache to track sent CVEs, so you never get duplicate alerts. Once a CVE is sent, it won’t be sent again.
What I Learned
Working with the GitHub Security Advisories API was interesting. The data structure is pretty comprehensive, but there are a lot of edge cases to handle - like multiple security advisories for the same CVE, or links that point to API endpoints instead of actual pages.
Adaptive Cards are powerful but have some quirks. The markdown support is limited, and some formatting doesn’t work the way you’d expect. But overall they look way better than plain text messages.
The hardest part was getting the link categorization right. I wanted it to automatically detect what type of link each reference was, so I built a pattern matching system that checks URLs against different categories. It’s not perfect, but it works well enough.
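Here is an added example (not the tracker’s own code) of the kind of pattern-matching categorizer described here and under the card features above: it groups reference URLs by category, deduplicates them, and drops api.github.com links. The category names and regular expressions are assumptions chosen to illustrate the approach, and the sample URLs are constructed.

```python
"""Reference-link categorization for advisory cards (added example, not the tracker's code).

The category names and regex patterns are assumptions illustrating the approach.
"""
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Ordered from most to least specific; the first matching pattern assigns the category.
LINK_PATTERNS = OrderedDict([
    ("advisory", re.compile(r"github\.com/.+/security/advisories/|nvd\.nist\.gov/vuln/detail/", re.I)),
    ("fix", re.compile(r"github\.com/.+/(commit|pull)/", re.I)),
    ("release", re.compile(r"github\.com/.+/releases/", re.I)),
    ("poc", re.compile(r"\bpoc\b|proof[-_]?of[-_]?concept|exploit", re.I)),
])
OTHER = "other"

# Constructed sample references (all hosts, paths and IDs are made up).
SAMPLE_LINKS = [
    "https://github.com/example-org/example-app/security/advisories/GHSA-xxxx-xxxx-xxxx",
    "https://api.github.com/repos/example-org/example-app/security-advisories",  # dropped
    "https://github.com/example-org/example-app/commit/0123abcd",
    "https://GitHub.com/example-org/example-app/commit/0123abcd/#diff",         # duplicate
    "https://github.com/example-org/example-app/releases/tag/v1.2.3",
    "https://github.com/researcher/poc-cve-2024-00001",
    "https://nvd.nist.gov/vuln/detail/CVE-2024-00001",
    "https://example.com/blog/writeup",
    "",
]


def _normalize(url):
    """Canonical form for dedup: lowercase scheme and host, drop fragment and trailing slash."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    query = "?" + parts.query if parts.query else ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}{query}"


def categorize_links(urls):
    """Group reference URLs by category, skipping api.github.com and duplicates."""
    grouped = {name: [] for name in list(LINK_PATTERNS) + [OTHER]}
    seen = set()
    for url in urls:
        if not url or not url.startswith(("http://", "https://")):
            continue
        norm = _normalize(url)
        if urlsplit(norm).netloc == "api.github.com" or norm in seen:
            continue
        seen.add(norm)
        for name, pattern in LINK_PATTERNS.items():
            if pattern.search(norm):
                grouped[name].append(norm)
                break
        else:
            grouped[OTHER].append(norm)
    return {name: links for name, links in grouped.items() if links}


if __name__ == "__main__":
    for name, links in categorize_links(SAMPLE_LINKS).items():
        print(name, links)
```

The ordering of the patterns matters: an advisory page whose path happens to contain the word “exploit” is still filed as an advisory because that pattern is checked first, which is also why a new category should be inserted at the point in the list where its specificity fits rather than appended blindly.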
The Result
Now I get timely CVE alerts in Teams without having to manually check anything. The cards are informative but not overwhelming, and I can quickly see what matters. The filtering means I only see CVEs for technologies I actually use, and the keyword system helps surface the most critical vulnerabilities.
It’s been running for a while now and has been really useful for staying on top of security issues. If you want to check it out or use it yourself, it’s available on GitHub. The setup is pretty simple - just fork it, add a Teams webhook URL as a secret, and customize the config files if you want.