Automating CVE Tracking with Notion, Gemini, and Kestra


These articles are AI-generated summaries. Please check the original sources for full details.

CVEs are vulnerabilities(!!!) and part 2 of my Notion automation

Amara Graham built a vulnerability tracker that connects Notion, Gemini, and Kestra to manage the output of large-scale dependency scanning. The system recently processed 1,568 CVEs in a single run.

Why This Matters

In enterprise code bases, the sheer number of library dependencies means that security-minded development produces a steady stream of findings, and tracking them by hand quickly becomes a source of anxiety. This automation replaces manual spreadsheets with an orchestrated workflow that turns raw scanner output into prioritized remediation plans, so a team can keep up with the volume without manual data-entry fatigue.

Key Insights

  • Notion API rich_text properties expect an array of text objects, not a plain string; sending a bare string fails the request (2026)
  • Kestra pluginDefaults let the Notion apiToken and databaseId be set once for every task of that plugin type, which keeps the workflow definition cleaner
  • A Kestra MAX_DURATION SLA's behavior can be set to CANCEL, FAIL, or NONE; the demo uses a one-hour limit with CANCEL to stop runaway executions
  • Gemini, called through Kestra's ask_ai task, assigns a priority and drafts a mitigation action plan for each CVE, which downstream tasks write to Notion
  • A run of 1,568 CVEs showed that pulling the full dataset every time does not scale; the planned refactor pulls only incremental updates

Working Examples

Using plugin defaults to reuse API tokens and database IDs across multiple tasks.

pluginDefaults:
- type: io.kestra.plugin.notion
  values:
    apiToken: "{{ secret('NOTION_SECRET') }}"
    databaseId: "{{ secret('NOTION_CVE_DB') }}"

Task configuration for sending CVE data and AI-generated action plans to a Notion database.

- id: send_to_notion
  type: io.kestra.plugin.notion.database.CreateItem
  title: "{{ json(parent.taskrun.value).vulnerabilityName }}"
  properties:
    ID:
      rich_text: [
        {
          text:
            {
              content: "{{ json(parent.taskrun.value).cveID }}"
            }
        }
      ]
    Priority:
      select:
        name: "{{ outputs.ask_ai[parent.taskrun.value].predictions | first | jq('.priority') | first }}"
    "Mitigate now?":
      checkbox: "{{ outputs.ask_ai[parent.taskrun.value].predictions | first | jq('.mitigate_now') | first }}"
    "Action plan":
      rich_text: [
        {
          text:
            {
              content: "{{ outputs.ask_ai[parent.taskrun.value].predictions | first | jq('.action_plan') | first }}"
            }
        }
      ]
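The task above hands the model's fields straight to Notion. The following is an added example, not code from the original post or from the Kestra Notion plugin: a Python sketch of the same payload built by hand, covering two points the page only hints at. First, rich_text properties are arrays of text objects, and the Notion API caps each object's text.content at 2000 characters, so a long action plan is split across several objects rather than failing the request. Second, the Gemini output is untrusted input and is validated against the expected shape (an allowed priority, a real boolean, a non-empty plan) before anything is written. The allowed priority names, the CVE placeholder and the sample prediction are constructed assumptions, not values from the post.

```python
import json

# Assumed select options of the Notion "Priority" property (constructed for this example).
ALLOWED_PRIORITIES = {"Critical", "High", "Medium", "Low"}
# Notion API limit on text.content in a single rich_text object.
NOTION_RICH_TEXT_LIMIT = 2000


def rich_text(value: str) -> list:
    """Build a Notion rich_text value: an array of text objects, never a bare string.
    Content longer than the per-object limit is split across several objects so a
    verbose action plan does not fail the request."""
    value = str(value)
    chunks = [value[i:i + NOTION_RICH_TEXT_LIMIT]
              for i in range(0, len(value), NOTION_RICH_TEXT_LIMIT)] or [""]
    return [{"type": "text", "text": {"content": chunk}} for chunk in chunks]


def validate_prediction(raw: str) -> dict:
    """Parse the model's JSON answer and reject anything outside the expected shape.
    Model output is untrusted input: a malformed or inventive answer must not
    become a silently wrong row in the tracker."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("prediction is not a JSON object")

    priority = data.get("priority")
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError(f"unexpected priority: {priority!r}")

    mitigate_now = data.get("mitigate_now")
    # Models often return booleans as the strings "true"/"false"; accept exactly those.
    if isinstance(mitigate_now, str) and mitigate_now.strip().lower() in ("true", "false"):
        mitigate_now = mitigate_now.strip().lower() == "true"
    if not isinstance(mitigate_now, bool):
        raise ValueError("mitigate_now is not a boolean")

    action_plan = data.get("action_plan")
    if not isinstance(action_plan, str) or not action_plan.strip():
        raise ValueError("action_plan is missing or empty")

    return {"priority": priority, "mitigate_now": mitigate_now,
            "action_plan": action_plan.strip()}


def is_valid_prediction(raw: str) -> bool:
    """Convenience wrapper for filtering a batch of predictions (JSONDecodeError is a ValueError)."""
    try:
        validate_prediction(raw)
        return True
    except ValueError:
        return False


def build_properties(cve: dict, prediction: dict) -> dict:
    """Assemble the `properties` object of a Notion create-page request, using the
    same property names as the Kestra task above."""
    return {
        "ID": {"rich_text": rich_text(cve["cveID"])},
        "Priority": {"select": {"name": prediction["priority"]}},
        "Mitigate now?": {"checkbox": prediction["mitigate_now"]},
        "Action plan": {"rich_text": rich_text(prediction["action_plan"])},
    }


if __name__ == "__main__":
    # Constructed sample input; the CVE ID is a placeholder, not a real identifier.
    sample_cve = {"cveID": "CVE-0000-00000", "vulnerabilityName": "placeholder"}
    sample_prediction = json.dumps({"priority": "High", "mitigate_now": "true",
                                    "action_plan": "Upgrade the affected dependency and redeploy."})
    print(json.dumps(build_properties(sample_cve, validate_prediction(sample_prediction)), indent=2))
```

Rejecting a prediction rather than coercing it means a CVE with an unusable model answer stays visible as a failed item instead of landing in Notion with a made-up priority; in a Kestra flow that is the point where you would route to a retry or a manual-review bucket.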

Workflow SLA configuration to cancel executions that exceed one hour.

sla:
- id: maxDuration
  type: MAX_DURATION
  duration: PT1H
  behavior: CANCEL #CANCEL, FAIL, NONE
  labels:
    sla: miss
    reason: durationExceeded

Practical Applications

  • Use Case: Centralizing a security knowledge base in Notion to assign reviewers and track progress on vulnerability remediation. Pitfall: Treating rich_text fields as plain strings breaks the integration, because Notion expects an array of text objects.
  • Use Case: Putting a one-hour SLA on data-processing pipelines to prevent zombie executions in high-volume CVE environments. Pitfall: Choosing the NONE behavior lets an overrun continue to completion without failing or cancelling, so nothing alerts the team.
  • Use Case: Using AI predictions to categorize and prioritize CVEs by severity and impact automatically. Pitfall: Keeping full pulls instead of refactoring for incremental updates degrades performance once the dataset reaches thousands of entries.
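Incremental pulls come up twice above, as the planned refactor and as the pitfall of full pulls. As an added example (not code from the original post), here is the watermark logic in Python over a constructed scanner export: records are dicts with a cveID and an ISO-8601 lastModified field, the watermark is the newest timestamp already processed, and a small seen set covers the boundary case of several records sharing the watermark timestamp, which a strict greater-than filter would silently drop. The IDs and timestamps are placeholders, and how the watermark is persisted between Kestra executions (a KV value or a task output) is left out.

```python
from datetime import datetime


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing Z is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def format_ts(value: datetime) -> str:
    return value.isoformat().replace("+00:00", "Z")


def select_incremental(records, watermark, seen):
    """Return (records to process, new watermark, seen entries to carry forward).

    `watermark` is the newest lastModified already processed (None on the first
    run) and `seen` the set of (cveID, lastModified) pairs processed at exactly
    that timestamp. Filtering with a strict '>' would drop any record that
    shares the watermark timestamp with the last processed one, which happens
    whenever a feed publishes in batches; '>=' plus the seen set covers that
    boundary without reprocessing everything.
    """
    wm = parse_ts(watermark) if watermark else None
    seen = set(seen)
    selected = []
    newest = wm
    for rec in sorted(records, key=lambda r: parse_ts(r["lastModified"])):
        ts = parse_ts(rec["lastModified"])
        if wm is not None and ts < wm:
            continue
        key = (rec["cveID"], rec["lastModified"])
        if key in seen:
            continue
        selected.append(rec)
        seen.add(key)
        if newest is None or ts > newest:
            newest = ts
    if newest is None:
        return selected, watermark, set()
    # Only entries at the new watermark can recur next run; drop the rest to keep state small.
    carry = {k for k in seen if parse_ts(k[1]) == newest}
    return selected, format_ts(newest), carry


# Constructed scanner exports for two consecutive runs; IDs are placeholders.
FEED_RUN_1 = [
    {"cveID": "CVE-0000-00001", "lastModified": "2026-01-10T08:00:00Z"},
    {"cveID": "CVE-0000-00002", "lastModified": "2026-01-10T09:30:00Z"},
]
FEED_RUN_2 = FEED_RUN_1 + [
    # new record that shares the watermark timestamp of run 1
    {"cveID": "CVE-0000-00003", "lastModified": "2026-01-10T09:30:00Z"},
    # existing record modified after the watermark: must be processed again
    {"cveID": "CVE-0000-00001", "lastModified": "2026-01-11T12:00:00Z"},
]


def run_twice():
    """Simulate two executions and return what the second one selects."""
    _, wm1, seen1 = select_incremental(FEED_RUN_1, None, set())
    selected2, wm2, _ = select_incremental(FEED_RUN_2, wm1, seen1)
    return [r["cveID"] for r in selected2], wm1, wm2


if __name__ == "__main__":
    ids, wm1, wm2 = run_twice()
    print(f"run 1 watermark {wm1}; run 2 processed {ids}, new watermark {wm2}")
```

The second run processes only the record that arrived at the old watermark timestamp and the one that was modified afterwards, so the 1,568-row Notion database is touched for two items instead of being rewritten in full; re-running the same export with its own watermark selects nothing.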
