Navigate to the directory containing your go.sum file (and optionally go.mod), which OSV-Scanner uses as the dependency manifest for Go modules
Run `osv-scanner scan source .` to scan the current directory; OSV-Scanner automatically detects go.sum and other supported lockfile formats
Inspect the output table; each row shows the package name, version, vulnerability ID (GHSA or CVE), severity, and whether a fix is available
To output JSON for further processing, add `--format json` and redirect or pipe the output to a file, then use jq or a script to filter entries whose severity is HIGH or CRITICAL
Use `osv-scanner fix` (guided remediation) in the same directory to get suggested version updates that resolve the most vulnerabilities with the fewest dependency changes
Known gotchas
OSV-Scanner reads go.sum for Go projects; if go.sum is absent (e.g., a module with no dependencies or one using vendor mode exclusively), results may be incomplete
The tool reports vulnerabilities in transitive dependencies as well as direct ones; a high-severity finding may be in a dependency you do not control directly, requiring an update to an intermediate package
OSV-Scanner does not currently distinguish between vulnerabilities that are reachable in your code versus those only present in unused code paths; triage findings in context
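The JSON filtering step above and the transitive-dependency gotcha, worked as one added Python example. This is not OSV-Scanner's own code: it assumes the report layout `results -> packages -> vulnerabilities/groups` (with `database_specific.severity` or a `groups[].max_severity` CVSS score) as the scanner emits it, and the sample report, the sample go.mod and the advisory IDs below are all constructed placeholders. The script keeps HIGH and CRITICAL findings, lists any fixed version from the advisory's `affected` ranges, and marks each module as a direct requirement or a transitive one by reading the `// indirect` markers in go.mod, which is the triage the gotcha asks for.

```python
"""Filter an OSV-Scanner JSON report to HIGH/CRITICAL and mark direct vs transitive modules."""
import json
import re

# Constructed sample report (assumed OSV-Scanner layout; IDs are placeholders, not real advisories).
SAMPLE_REPORT = json.dumps({"results": [{
    "source": {"path": "go.sum", "type": "lockfile"},
    "packages": [
        {"package": {"name": "example.com/lib/parser", "version": "1.2.0", "ecosystem": "Go"},
         "vulnerabilities": [{"id": "GHSA-aaaa-aaaa-aaaa", "summary": "constructed: panic on crafted input",
                              "database_specific": {"severity": "HIGH"},
                              "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.1"}]}]}]}],
         "groups": [{"ids": ["GHSA-aaaa-aaaa-aaaa"], "max_severity": "7.5"}]},
        {"package": {"name": "example.com/lib/text", "version": "0.1.0", "ecosystem": "Go"},
         "vulnerabilities": [{"id": "GHSA-bbbb-bbbb-bbbb", "summary": "constructed: excessive allocation",
                              "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "0.2.0"}]}]}]}],
         "groups": [{"ids": ["GHSA-bbbb-bbbb-bbbb"], "max_severity": "5.3"}]},
        {"package": {"name": "example.com/lib/crypto", "version": "0.9.0", "ecosystem": "Go"},
         "vulnerabilities": [{"id": "GHSA-cccc-cccc-cccc", "summary": "constructed: signature bypass",
                              "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]}],
         "groups": [{"ids": ["GHSA-cccc-cccc-cccc"], "max_severity": "9.8"}]},
    ]}]})

# Constructed sample go.mod: one direct requirement, two pulled in transitively.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require (
\texample.com/lib/parser v1.2.0
\texample.com/lib/text v0.1.0 // indirect
\texample.com/lib/crypto v0.9.0 // indirect
)
"""

SEVERITY_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
REQUIRE_LINE = re.compile(r"^(?:require\s+)?(\S+)\s+v\S+(\s*//\s*indirect)?")


def direct_requires(go_mod_text):
    """Return module paths listed in go.mod require directives without '// indirect'."""
    direct, in_block = set(), False
    for raw in go_mod_text.splitlines():
        line = raw.strip()
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        m = REQUIRE_LINE.match(line)
        # Only require lines count; replace/exclude blocks are ignored on purpose.
        if m and (in_block or line.startswith("require ")) and not m.group(2):
            direct.add(m.group(1))
    return direct


def cvss_to_label(score):
    """Map a CVSS base score string to the usual qualitative bands."""
    s = float(score)
    return "CRITICAL" if s >= 9.0 else "HIGH" if s >= 7.0 else "MEDIUM" if s >= 4.0 else "LOW"


def vuln_severity(vuln, groups):
    """Prefer the advisory's own label; fall back to the group's max CVSS score."""
    label = (vuln.get("database_specific") or {}).get("severity")
    if label:
        return label.upper()
    for g in groups:
        if vuln["id"] in g.get("ids", []) and g.get("max_severity"):
            return cvss_to_label(g["max_severity"])
    return "UNKNOWN"


def fixed_versions(vuln):
    """Collect 'fixed' events from the advisory's affected ranges (empty if no fix is listed)."""
    return [ev["fixed"] for aff in vuln.get("affected", [])
            for rng in aff.get("ranges", []) for ev in rng.get("events", []) if "fixed" in ev]


def triage(report_json, go_mod_text, min_label="HIGH"):
    """Return findings at or above min_label, most severe first, annotated with direct/transitive and fix info."""
    report, direct = json.loads(report_json), direct_requires(go_mod_text)
    threshold, findings = SEVERITY_ORDER[min_label], []
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            info, groups = pkg["package"], pkg.get("groups", [])
            for vuln in pkg.get("vulnerabilities", []):
                label = vuln_severity(vuln, groups)
                if SEVERITY_ORDER.get(label, -1) < threshold:
                    continue
                findings.append({"module": info["name"], "version": info["version"], "id": vuln["id"],
                                 "severity": label, "direct": info["name"] in direct,
                                 "fixed_in": fixed_versions(vuln)})
    findings.sort(key=lambda f: -SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT, SAMPLE_GO_MOD):
        fix = ", ".join(f["fixed_in"]) or "no fix listed"
        kind = "direct" if f["direct"] else "transitive (bump the intermediate that pulls it in)"
        print(f'{f["severity"]:8} {f["module"]}@{f["version"]} {f["id"]} [{kind}] fix: {fix}')
```

On a real project, run `osv-scanner scan source --format json . > osv.json` and call `triage(open("osv.json").read(), open("go.mod").read())`; a transitive finding with no listed fix is the case where you need `go mod why -m <module>` to find which direct dependency to bump.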