Skip to content

coreos/coreos-cve-agent

BranchesTags

Repository files navigation

CoreOS CVE Agent

An intelligent agent system for processing and analyzing RHEL CoreOS (RHCOS) Common Vulnerabilities and Exposures (CVEs) using Google's Agent Development Kit (ADK) and AI models.

Overview

The CoreOS CVE Agent automatically gathers, processes, and verifies CVE information related to Red Hat Enterprise Linux CoreOS from the Red Hat Jira instance. It uses a multi-agent pipeline to:

  1. Query Jira for RHCOS CVEs and extract associated OCPBUGS
  2. Find RHEL package fixes for each CVE
  3. Get latest OCP versions for affected components
  4. Verify package presence in RHCOS builds

How to get started

Prerequisites

  • Python 3.11+
  • uv Python package manager
  • Google API key
  • Access to Red Hat Jira instance

Installation and Setup

  1. Clone and install dependencies:

    git clone <repository-url>
cd coreos-cve-agent
uv sync

  2. Set up environment variables:

    cp .env.example .env
# Edit .env with your API keys

  3. Run the agent:

    # Using ADK run
uv run adk run

# Using ADK web interface
uv run adk web

# Using the direct script
uv run python run_agent.py

Telemetry and Tracing with Phoenix (Optional)

For observability and debugging, you can run Phoenix to monitor agent performance and trace execution flows:

podman run --rm -p 6006:6006 -p 4317:4317 -i -t arizephoenix/phoenix:latest

Access the Phoenix UI at http://localhost:6006 to view traces and telemetry data.

Documentation

  • User Guide: Comprehensive user guide with features, limitations, and usage guidelines
  • Data Flow Diagram: Visual representation of system integrations and data flows

Configuration

Environment Variables (.env)

Create a .env file with the following variables:

# Gemini model configurations
GEMINI_FLASH_MODEL="gemini-2.5-flash"
GEMINI_PRO_MODEL="gemini-2.5-pro"

# Google API Key for Gemini models
GOOGLE_API_KEY="your-google-api-key"
GOOGLE_GENAI_USE_VERTEXAI="FALSE"

# Red Hat Jira credentials
JIRA_TOKEN="your-jira-token"

# OpenShift release accepted URL
OCP_RELEASE_ACCEPTED_URL="https://amd64.ocp.releases.ci.openshift.org/api/v1/releasestreams/accepted"

# Red Hat Jira URL
JIRA_URL="https://issues.redhat.com"

# Registry Authentication
REGISTRY_AUTH_FILE="you registry auth file path, ie: ${XDG_RUNTIME_DIR}/containers/auth.json"

AI Models

The agent uses Google's Gemini models:

  • Gemini Flash (gemini-2.5-flash): For Jira queries and version lookups
  • Gemini Pro (gemini-2.5-pro): For build verification tasks

About

Agent used to verify is a RHEL CVE is fixed in RHEL CoreOS

Resources

Readme

License

MIT license

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages