Install OSV-Scanner for your platform from its GitHub releases page or with 'go install'
Run 'osv-scanner --recursive /path/to/repo' to scan all lockfiles and manifest files found anywhere in the directory tree
Review the default table output for vulnerability findings grouped by package and ecosystem
Add '--format json' to capture structured output for automated processing or CI artifact storage
Use '--format sarif' to produce SARIF output suitable for upload to GitHub Advanced Security or other SARIF-compatible tools
Check the exit code; OSV-Scanner exits non-zero when vulnerabilities are found, suitable for use as a CI gate
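As an added example (not OSV-Scanner's own code), the following Python consumes a report produced with '--format json', counts findings per package and ecosystem, and applies a severity threshold plus an allow-list as a custom CI gate alongside the scanner's own exit code. The sample report is constructed, and the field layout it follows (results[].source, results[].packages[].package, vulnerabilities[], groups[].max_severity) is an assumption about the scanner's JSON schema that you should confirm against a real run.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `osv-scanner --format json` output.
# Assumed layout: results[].source.path, results[].packages[].package.{name,version,ecosystem},
# packages[].vulnerabilities[].{id,aliases,summary}, packages[].groups[].{ids,max_severity}.
# Package names and advisory IDs below are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "/repo/package-lock.json", "type": "lockfile"},
        "packages": [
            {"package": {"name": "example-lib", "version": "1.0.0", "ecosystem": "npm"},
             "vulnerabilities": [
                 {"id": "GHSA-EXAMPLE-0001", "aliases": ["CVE-0000-00001"], "summary": "constructed"},
                 {"id": "GHSA-EXAMPLE-0002", "aliases": [], "summary": "constructed"}],
             "groups": [{"ids": ["GHSA-EXAMPLE-0001"], "max_severity": "7.5"},
                        {"ids": ["GHSA-EXAMPLE-0002"], "max_severity": "3.1"}]},
            {"package": {"name": "example-util", "version": "2.3.4", "ecosystem": "npm"},
             "vulnerabilities": [{"id": "GHSA-EXAMPLE-0003", "aliases": [], "summary": "constructed"}],
             "groups": [{"ids": ["GHSA-EXAMPLE-0003"], "max_severity": "5.0"}]}]}]
})


def load_findings(report_text):
    """Flatten the report into (ecosystem, name, version, vuln_id, max_severity) rows."""
    rows = []
    for result in json.loads(report_text).get("results", []):
        for entry in result.get("packages", []):
            pkg = entry["package"]
            # Each group carries the max severity for the advisory IDs it contains;
            # a missing or empty value is treated as 0.0 (unknown severity).
            sev_by_id = {}
            for grp in entry.get("groups", []):
                for vid in grp.get("ids", []):
                    sev_by_id[vid] = float(grp.get("max_severity") or 0)
            for vuln in entry.get("vulnerabilities", []):
                rows.append((pkg["ecosystem"], pkg["name"], pkg["version"],
                             vuln["id"], sev_by_id.get(vuln["id"], 0.0)))
    return rows


def count_by_package(rows):
    """Findings per 'ecosystem/name@version', mirroring the default table grouping."""
    counts = defaultdict(int)
    for eco, name, ver, _, _ in rows:
        counts[f"{eco}/{name}@{ver}"] += 1
    return dict(counts)


def gate(rows, min_severity=7.0, ignore_ids=frozenset()):
    """True when the build should fail: a finding at or above min_severity that is not allow-listed."""
    return any(sev >= min_severity and vid not in ignore_ids for _, _, _, vid, sev in rows)
```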
Known gotchas
Recursive mode discovers lockfiles by file-name pattern, so custom or renamed lockfiles are not detected automatically; pass '--lockfile' to point at non-standard file locations
OSV-Scanner matches against the OSV database which covers a wide range of ecosystems but may not reflect private or internal advisory sources; supplement with ecosystem-specific scanners for comprehensive coverage
Some lockfile formats include both direct and transitive dependencies; OSV-Scanner scans all entries and may report vulnerabilities in transitive dependencies that your code does not directly call