🤖 AI Summary
This work addresses the high false-positive rates and limited exploitability assessment of existing Log4j vulnerability scanners, which rely primarily on comparing the installed version against the patched one. To overcome these limitations, the authors propose a scanning approach that uses dynamic analysis to evaluate whether a vulnerability is actually exploitable in the context of the real application, enabling precise identification and actionable remediation guidance. Unlike conventional static, version-based detection, the method also integrates with GitHub Actions so that scanning runs automatically and continuously inside CI/CD pipelines, with immediate feedback on each code change. Evaluated across 28 open-source projects through 140 scans, the approach achieves an accuracy of 91.4%. The implemented tool has been released on the GitHub Marketplace, improving both the practicality and the efficiency of vulnerability detection.
📝 Abstract
Automated detection of software vulnerabilities remains a critical challenge in software security. Log4j is an industrial-grade Java logging framework listed as one of the top 100 critical open source projects. On Dec. 10, 2021, a severe vulnerability, Log4Shell, was disclosed; it was fully patched with Log4j2 version 2.17.0 on Dec. 18, 2021. However, to this day about 4.1 million, or 33 percent, of all Log4j downloads in the last 7 days contain vulnerable packages. Many Log4Shell scanners have since been created to detect whether a user's installed Log4j version is vulnerable. Current detection tools primarily focus on identifying the version of Log4j installed, leading to numerous false positives, as they do not check whether the scanned software is really exploitable by malicious actors. This research aims to develop an advanced Log4j scanning tool that evaluates the real-world exploitability of the software, thereby reducing false positives. Our approach first identifies vulnerabilities and then provides targeted recommendations for mitigating the detected vulnerabilities, along with instant feedback to users. By leveraging GitHub Actions, our tool offers automated and continuous scanning, ensuring timely identification of vulnerabilities as code changes occur. This integration into existing development workflows enables real-time monitoring and quicker responses to potential threats. We demonstrate the effectiveness of our approach by evaluating 28 open-source software projects across different releases, achieving an accuracy rate of 91.4% on a sample of 140 scans. Our GitHub Action implementation is available on the GitHub Marketplace and can be used by anyone interested in improving their software security and in future studies. This tool provides a dependable way to detect and mitigate vulnerabilities in open-source projects.
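The gap between version-only scanning and an artefact-aware check can be illustrated with the small triage routine below. It is an added example, not the paper's tool: it parses a constructed Maven dependency-tree line, applies the 2.17.0 threshold the abstract names, and then inspects an in-memory jar for the JndiLookup class (removing that class from log4j-core is a widely documented Log4Shell mitigation, so a version-only scanner still flags such a build).

```python
"""Version-only vs. artefact-aware Log4Shell triage (added example, not the paper's tool)."""
import io
import re
import zipfile

PATCHED = (2, 17, 0)  # the release the abstract names as the full fix
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def log4j_core_version(dependency_tree):
    """Extract the log4j-core version from Maven dependency-tree output (constructed format)."""
    m = re.search(r"org\.apache\.logging\.log4j:log4j-core:jar:([\d.]+)", dependency_tree)
    return parse_version(m.group(1)) if m else None

def version_only_verdict(version):
    """What a version-comparison scanner reports: any pre-2.17.0 log4j-core is flagged."""
    return version is not None and version < PATCHED

def jar_has_jndi_lookup(jar_bytes):
    """True if the artefact still ships JndiLookup.class (the JNDI lookup entry point)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_CLASS in jar.namelist()

def triage(dependency_tree, jar_bytes):
    """Combine the version verdict with a look inside the shipped jar."""
    version = log4j_core_version(dependency_tree)
    if not version_only_verdict(version):
        return "not flagged"
    if not jar_has_jndi_lookup(jar_bytes):
        return "version flagged, but JndiLookup.class is absent: review before reporting"
    return "likely vulnerable: upgrade log4j-core to 2.17.0 or later"

def make_jar(entries):
    """Build a minimal in-memory jar (constructed sample) containing the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()

# Constructed sample inputs: one old and one patched dependency line, two jar variants.
TREE_OLD = "[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile"
TREE_NEW = "[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile"
JAR_INTACT = make_jar([JNDI_CLASS, "META-INF/MANIFEST.MF"])
JAR_STRIPPED = make_jar(["META-INF/MANIFEST.MF"])

if __name__ == "__main__":
    for tree, jar in ((TREE_OLD, JAR_INTACT), (TREE_OLD, JAR_STRIPPED), (TREE_NEW, JAR_INTACT)):
        print(triage(tree, jar))
```

Removing JndiLookup does not address every later Log4j CVE, which is why the stripped-jar case is reported for review rather than dismissed.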