Enumerate dependencies from your lockfile or SBOM into a structured list, recording for each one the package name, the exact version, and the ecosystem (PyPI, npm, Go, Maven, and so on).
Send a batch query with POST https://api.osv.dev/v1/querybatch, supplying a JSON body with a queries array where each element contains a package object with name and ecosystem, plus version.
Parse the results array in the response; each element corresponds to the input query at the same index and contains a vulns array of matching OSV records with id, aliases (CVE IDs), summary, severity, and affected version ranges.
Deduplicate findings by OSV ID across packages (the same vulnerability can appear for multiple dependency paths) and correlate aliases to CVE IDs for downstream enrichment.
Integrate the batch call into CI pipelines so that dependency additions or version bumps trigger an automatic OSV check; fail the build or open a ticket when vulns with CVSS score above a threshold are found.
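The five steps above as one runnable pipeline, written here as an added example (it is not code from the page or from the OSV project). Two caveats from the OSV API that the steps gloss over are built in: the querybatch endpoint returns only the id and modified fields for each matching vulnerability, so the full record (aliases, summary, severity) is fetched once per id from /v1/vulns/{id}; and a batch result can be paginated, in which case it carries a next_page_token that must be re-sent as page_token for that query. Assumptions: the lockfile is a pinned requirements.txt (so every query uses the PyPI ecosystem), BATCH_SIZE is an arbitrary chunk size, the CVSS threshold is computed from the v3.x vector string with the v3.1 base-score formula, and fake_post/fake_get together with every OSV id, CVE number and vector in the sample data are constructed placeholders so the example runs offline.

```python
import json
import math
import urllib.request

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"
OSV_VULN_URL = "https://api.osv.dev/v1/vulns/"
BATCH_SIZE = 500  # assumption: chunk size for one querybatch call, well within the service's limits

# CVSS v3.x base-metric weights from the CVSS v3.1 specification (PR weights depend on scope).
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
      "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
      "PR": {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}}

def _roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, computed in integers to avoid FP drift."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def cvss3_base_score(vector):
    """Base score for a CVSS v3.x vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H."""
    m = dict(part.split(":") for part in vector.split("/")[1:])  # skip the CVSS:3.x prefix
    scope = m["S"]
    iss = 1 - (1 - _W["CIA"][m["C"]]) * (1 - _W["CIA"][m["I"]]) * (1 - _W["CIA"][m["A"]])
    impact = 6.42 * iss if scope == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _W["PR"][scope][m["PR"]] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min((impact + expl) if scope == "U" else 1.08 * (impact + expl), 10))

def parse_requirements(text):
    """Step 1: pinned requirements.txt lines -> OSV query objects for the PyPI ecosystem."""
    queries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "==" in line:
            name, version = (s.strip() for s in line.split("==", 1))
            queries.append({"package": {"name": name, "ecosystem": "PyPI"}, "version": version})
    return queries

def _post_json(url, body):
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def _get_json(url):
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def query_batch(queries, post=_post_json):
    """Steps 2-3: POST chunks to querybatch and return, per input query, the matching OSV ids.
    A result carrying next_page_token is re-sent with that page_token until it is exhausted."""
    ids = [[] for _ in queries]
    for start in range(0, len(queries), BATCH_SIZE):
        pending = [(start + i, q) for i, q in enumerate(queries[start:start + BATCH_SIZE])]
        while pending:
            resp = post(OSV_QUERYBATCH_URL, {"queries": [q for _, q in pending]})
            nxt = []
            for (idx, q), result in zip(pending, resp["results"]):  # same index as the input query
                ids[idx].extend(v["id"] for v in result.get("vulns", []))
                if result.get("next_page_token"):
                    nxt.append((idx, {**q, "page_token": result["next_page_token"]}))
            pending = nxt
    return ids

def collect_findings(queries, post=_post_json, get=_get_json):
    """Step 4: dedupe by OSV id across dependency paths, fetch each full record once,
    extract CVE aliases and the highest CVSS v3 base score in the record's severity list."""
    findings = {}
    for q, vuln_ids in zip(queries, query_batch(queries, post)):
        for vid in vuln_ids:
            f = findings.setdefault(vid, {"id": vid, "packages": [], "cves": [], "max_cvss": 0.0})
            f["packages"].append(f"{q['package']['name']}=={q['version']}")
            if len(f["packages"]) == 1:  # first sighting of this id: one GET /v1/vulns/{id}
                record = get(OSV_VULN_URL + vid)
                f["cves"] = sorted(a for a in record.get("aliases", []) if a.startswith("CVE-"))
                scores = [cvss3_base_score(s["score"]) for s in record.get("severity", [])
                          if s.get("type") == "CVSS_V3"]
                f["max_cvss"] = max(scores, default=0.0)
    return findings

def ci_gate(findings, threshold):
    """Step 5: OSV ids whose best CVSS v3 score meets the threshold; a non-empty list fails the build."""
    return sorted(f["id"] for f in findings.values() if f["max_cvss"] >= threshold)

# Constructed stand-in for the live service so the example runs offline; the ids, CVE number and
# vectors below are placeholders, not real advisories. pkg-a's result is split over two pages.
_FAKE_BATCH = {
    ("pkg-a", "1.0.0", None): {"vulns": [{"id": "OSV-EXAMPLE-0001"}], "next_page_token": "page2"},
    ("pkg-a", "1.0.0", "page2"): {"vulns": [{"id": "OSV-EXAMPLE-0002"}]},
    ("pkg-b", "2.0.0", None): {"vulns": [{"id": "OSV-EXAMPLE-0001"}]},
    ("pkg-c", "3.0.0", None): {},
}
_FAKE_RECORDS = {
    "OSV-EXAMPLE-0001": {"aliases": ["CVE-0000-0001"], "severity": [
        {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
    "OSV-EXAMPLE-0002": {"aliases": ["GHSA-xxxx-xxxx-xxxx"], "severity": [
        {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]},
}
FETCH_LOG = []  # records every /v1/vulns GET so the once-per-id fetch can be verified

def fake_post(url, body):
    return {"results": [_FAKE_BATCH[(q["package"]["name"], q["version"], q.get("page_token"))]
                        for q in body["queries"]]}

def fake_get(url):
    FETCH_LOG.append(url)
    return _FAKE_RECORDS[url.rsplit("/", 1)[1]]

SAMPLE_REQUIREMENTS = "pkg-a==1.0.0\npkg-b==2.0.0  # constructed lockfile lines\npkg-c==3.0.0\n"

if __name__ == "__main__":
    found = collect_findings(parse_requirements(SAMPLE_REQUIREMENTS), post=fake_post, get=fake_get)
    for f in found.values():
        print(f["id"], f["cves"], f["max_cvss"], f["packages"])
    print("build gate (>= 7.0):", ci_gate(found, 7.0))
```

Against the live service, call collect_findings with the default transports; the fake ones exist only to show the shape of the exchange. Keeping the per-id record fetch inside the dedupe loop means a vulnerability reachable through several dependency paths costs one GET, not one per path, which matters for the shared-service note below.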
Known gotchas
The OSV API does not require authentication and is free, but it is a shared public service; implement reasonable request batching (hundreds of packages per call) rather than one request per package.
OSV ecosystem names are case-sensitive and must match the canonical ecosystem strings (PyPI, npm, Go, crates.io, Maven, NuGet, etc.); a wrong ecosystem name returns zero results silently.
OSV data coverage varies by ecosystem; for C/C++ projects without a package manager, use the commit-hash-based query or the determineversion API, not the package/version query.