IP Geo-lookup

Resolves visitor IP addresses to country for the Web Traffic map. Lookups are performed locally against a bundled database; no external API calls are made. Results are cached in-process.

geoip2fast (MIT license): local database sourced from IANA/RIR delegated statistics (public domain). No external API calls, no registration and no API key required. Bundled with the Python package.
GitHub: https://github.com/rabuchaim/geoip2fast
CVE / Vulnerability Enrichment

Automatically extracts library and SDK versions from OTEL telemetry (telemetry.sdk.* ResourceAttributes and instrumentation scope versions), then checks OSV.dev daily for known CVEs. Findings are stored in sobs_cve_findings and displayed on the Web Traffic page.

Last scan: 2026-05-28T14:16:28
OSV.dev: open-source vulnerability database (Apache 2.0, free, no API key required). Covers PyPI, npm, Go, Maven, crates.io, RubyGems, NuGet, Packagist, Pub, and more.
API reference: https://google.github.io/osv.dev/api/
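The enrichment flow described above (SDK version out of OTEL resource attributes, one OSV querybatch call, findings rows back), as an added example that is not SOBS's own code. The telemetry.sdk.language to package mapping, the finding record shape and the vulnerability id in the test are assumptions or constructed values, not taken from SOBS or OSV.

```python
import json
from urllib import request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# telemetry.sdk.language -> (OSV ecosystem, package the SDK ships as).
# Assumed mapping for this example; extend per language as needed.
SDK_PACKAGES = {
    "python": ("PyPI", "opentelemetry-sdk"),
    "go": ("Go", "go.opentelemetry.io/otel/sdk"),
    "java": ("Maven", "io.opentelemetry:opentelemetry-sdk"),
}


def sdk_inventory(resource_attrs):
    """Turn telemetry.sdk.* resource attributes into (ecosystem, name, version) entries."""
    lang = resource_attrs.get("telemetry.sdk.language")
    version = resource_attrs.get("telemetry.sdk.version")
    if lang not in SDK_PACKAGES or not version:
        return []  # unknown SDK language or missing version: nothing to look up
    ecosystem, name = SDK_PACKAGES[lang]
    return [(ecosystem, name, version)]


def build_querybatch(inventory):
    """Build the OSV /v1/querybatch request body: one query per package@version."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": eco}, "version": ver}
        for eco, name, ver in inventory]}


def parse_querybatch(inventory, response):
    """OSV answers in query order, so zip results back onto the inventory and flatten to findings."""
    findings = []
    for (eco, name, ver), result in zip(inventory, response.get("results", [])):
        for vuln in result.get("vulns", []):
            findings.append({"ecosystem": eco, "package": name, "version": ver, "vuln_id": vuln["id"]})
    return findings


def post_json(url, body):
    """Default transport: POST a JSON body and decode the JSON reply."""
    req = request.Request(url, data=json.dumps(body).encode(),
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def scan(resource_attrs, transport=post_json):
    """Full pass: extract inventory, query OSV once, return finding records to persist."""
    inventory = sdk_inventory(resource_attrs)
    if not inventory:
        return []
    return parse_querybatch(inventory, transport(OSV_QUERYBATCH_URL, build_querybatch(inventory)))
```

The transport argument lets a scheduler pass a stub (as the test does) or wrap the real call with retries and rate limiting before the daily run.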
GitHub Dependency Enrichment

When enabled, SOBS will automatically fetch lockfiles (requirements.txt, package-lock.json, go.sum, etc.) from each app's GitHub repository to build a richer library inventory for CVE scanning.

How repo URLs are configured: Each app registered in SOBS has a Repository URL field (set via the Release Registry or the CI helper --repo-url arg). SOBS uses the global GitHub token from AI Settings → GitHub token to access all configured repositories; a single personal access token or GitHub App installation token with the contents:read scope is sufficient.
Required GitHub token scope:
contents:read (read access to repository file contents, i.e. lockfiles).
No write access or issue access is needed for dependency enrichment. Set the token in AI Settings.

Limits GitHub lockfile fetch work per scan. Higher values increase coverage but can make scans slower.