.:: cve-poc-mon: Scraping GitHub for CVE Proof-of-Concepts ::.

[ Introduction ]

cve-poc-mon is a Go-based tool designed for red team operators to scrape and
archive GitHub repositories containing CVE proof-of-concept (PoC) exploits. It
targets repos named cve-<current_year>, clones them into a local directory, and
maintains a README with descriptions and links.

A live instance with simple search functionality is at https://heqnx.com/cve. A
cron job runs every 6 hours and updates the page with any new PoCs found. Source
is available at https://cgit.heqnx.com/cve-poc-mon.

[ Motivation and Objectives ]

cve-poc-mon was created to address the fleeting nature of CVE PoC repositories
on GitHub, which often face takedowns due to misuse or policy violations. For
offensive security operators, preserving these PoCs is critical for research,
testing, and staying ahead of vulnerabilities in authorized environments.

The tool's goals are:

- Archive PoCs: Automatically clone CVE PoC repos to prevent loss from
  takedowns.
- Track New Exploits: Monitor GitHub for fresh cve-<year> repos daily.
- Enable Rapid Access: Maintain a local archive and RSS feed for quick
  reference.

[ Analysis ]

The core of cve-poc-mon lies in its main function and supporting utilities:

- GitHub API Query: Searches for repos with cve-<year> in the name, created on
  the specified or current date, using GitHub's API
- Cloning Repos: Uses go-git to clone matching repos into a user-defined
  directory (default: cve-pocs), naming them as <owner>_<repo>
- Tracking Clones: Maintains a cve-pocs.txt file to avoid duplicate cloning and
  supports updating existing repos with -auto-update
- README Updates: Appends repo URLs and descriptions to a README.md for easy
  reference
- Error Handling: Gracefully handles API errors, invalid tokens, and cloning
  failures, with optional silent mode for automation
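
The tracking and naming steps above, as an added Go example that is not taken
from the cve-poc-mon source. planClones, searchResult and fullNameRe are
hypothetical names, the JSON is a constructed sample, and the tracking file is
assumed to hold one repo URL per line:

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"regexp"
)

// Constructed sample of a GitHub repository-search response (not real data).
const sampleResponse = `{"items":[
 {"full_name":"user/cve-2025-1234","html_url":"https://github.com/user/cve-2025-1234"},
 {"full_name":"seen/cve-2025-0001","html_url":"https://github.com/seen/cve-2025-0001"},
 {"full_name":"evil/../../etc","html_url":"https://github.com/evil/x"}]}`

type searchResult struct {
	Items []struct {
		FullName string `json:"full_name"`
		HTMLURL  string `json:"html_url"`
	} `json:"items"`
}

// Owner and repo must each be a single path-safe component.
var fullNameRe = regexp.MustCompile(`^([A-Za-z0-9._-]+)/([A-Za-z0-9._-]+)$`)

// planClones maps each untracked repo URL to <cloneDir>/<owner>_<repo>.
// Names come from a remote API, so anything that is not exactly owner/repo
// is skipped rather than joined into a path. Assumption: tracked holds the
// URLs already recorded in cve-pocs.txt.
func planClones(body []byte, tracked map[string]bool, cloneDir string) (map[string]string, error) {
	var res searchResult
	if err := json.Unmarshal(body, &res); err != nil {
		return nil, fmt.Errorf("parse search response: %w", err)
	}
	plan := make(map[string]string)
	for _, it := range res.Items {
		m := fullNameRe.FindStringSubmatch(it.FullName)
		if m == nil || tracked[it.HTMLURL] {
			continue
		}
		plan[it.HTMLURL] = filepath.Join(cloneDir, m[1]+"_"+m[2])
	}
	return plan, nil
}

func main() {
	tracked := map[string]bool{"https://github.com/seen/cve-2025-0001": true}
	plan, err := planClones([]byte(sampleResponse), tracked, "pocs")
	fmt.Println(plan, err)
}
```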

[ Output ]

Running cve-poc-mon with a GitHub token:

$ ./cve-poc-mon-linux-amd64 -token <your-token> -cloneDir pocs
[inf] searching for repositories with keyword: cve-2025, created on: 2025-08-03
[inf] github api url: https://api.github.com/search/repositories?q="cve-2025"+created:2025-08-03&sort=updated&order=desc&per_page=100
[inf] new poc: https://github.com/user/cve-2025-1234
[inf] description: Exploit for CVE-2025-1234 affecting XYZ software

[ Tool Usage ]

Red teams can use cve-poc-mon to:

- Preserve Exploits: Capture PoCs before they're removed, ensuring access for testing
- Monitor Vulnerabilities: Track new CVEs via the RSS feed or local archive
- Test Systems: Use cloned PoCs to validate vulnerabilities in authorized environments
- Automate Collection: Run via GitHub Actions for daily updates without manual effort

To use it, first generate a GitHub token with repo read access, then run:

$ ./cve-poc-mon-linux-amd64 -token <token> -cloneDir pocs

- Check pocs/ for cloned repos and README.md for details
- Enable -auto-update to keep repos current