README
¶
Venturi
Fast, concurrent vulnerability data ingestion for grype-db.
Venturi is a high-performance reimplementation of select vunnel providers. It produces 100% schema-compatible output for grype-db but leverages Go's concurrency to drastically reduce sync times.
Table of Contents
Why Venturi?
Speed. Venturi focuses on the most time-consuming vulnerability sources, parallelizing requests where vunnel is sequential.
| Provider | vunnel Sync | Venturi Sync | Speedup |
|---|---|---|---|
| NVD | 20+ min | 1m 40s | 12x |
| GitHub | 22 min | 7m 33s | 3x |
| Combined | 50+ min | 9m 13s | 5x |
Supported Providers
Venturi currently supports 16/20 vunnel providers, covering the majority of vulnerability data volume:
- Core: NVD, GitHub, EPSS, KEV
- OS: Alpine, Debian, Ubuntu, RHEL, Oracle, SLES, Mariner, Rocky, Alma, Amazon, Wolfi, Chainguard
See docs/user-guide/providers.md for full status and roadmap.
Quick Start
Installation
go install github.com/agentic-research/venturi/cmd/venturi@latest
Usage
-
Set API Keys (Recommended for rate limits):
export NVD_API_KEY="your-key" export GITHUB_TOKEN="your-token" -
Sync Data:
# Sync everything in parallel (fastest) venturi sync --all # Or sync specific providers venturi sync nvd github -
Build grype-db: Venturi output is fully compatible with
grype-db.See User Guide: Using with grype-db for the complete workflow.
Documentation
-
User Guide
- Usage Guide - How to sync data and build databases.
- Providers & Roadmap - Detailed status of supported data sources.
-
Development
- Contributing - Setup, building, and testing.
- Architecture - Design decisions and trade-offs.
- Implementation Guide - How to add new providers.
-
Reference
- Schema Specification - Data format details.
License
Apache 2.0
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
smelt
command
|
|
|
venturi
command
Venturi is a high-performance vulnerability data ingestion engine.
|
Venturi is a high-performance vulnerability data ingestion engine. |
|
internal
|
|
|
provider
Package provider defines the core Provider interface that all vulnerability data providers (NVD, GitHub, etc.) must implement.
|
Package provider defines the core Provider interface that all vulnerability data providers (NVD, GitHub, etc.) must implement. |
|
provider/epss
Package epss implements the Exploit Prediction Scoring System provider.
|
Package epss implements the Exploit Prediction Scoring System provider. |
|
provider/github
Package github implements the GitHub Security Advisories provider.
|
Package github implements the GitHub Security Advisories provider. |
|
provider/kev
Package kev implements the CISA Known Exploited Vulnerabilities provider.
|
Package kev implements the CISA Known Exploited Vulnerabilities provider. |
|
provider/nvd
Package nvd implements the NVD vulnerability data provider.
|
Package nvd implements the NVD vulnerability data provider. |
|
provider/ubuntu
Package ubuntu implements the Ubuntu CVE security provider.
|
Package ubuntu implements the Ubuntu CVE security provider. |
|
provider/wolfi
Package wolfi implements the Wolfi/Chainguard security provider.
|
Package wolfi implements the Wolfi/Chainguard security provider. |
|
ratelimit
Package ratelimit provides proactive rate limiting using token bucket algorithm.
|
Package ratelimit provides proactive rate limiting using token bucket algorithm. |
|
store
Package store provides SQLite storage compatible with vunnel's schema.
|
Package store provides SQLite storage compatible with vunnel's schema. |
|
ui
Package ui provides a fixed-table progress display for multi-provider syncs.
|
Package ui provides a fixed-table progress display for multi-provider syncs. |
|
worker
Package worker provides a bounded worker pool using errgroup.
|
Package worker provides a bounded worker pool using errgroup. |
|
pkg
|
|
|
schema
Package schema defines the output record structures for grype-db compatibility.
|
Package schema defines the output record structures for grype-db compatibility. |
Click to show internal directories.
Click to hide internal directories.