Install osv-scanner and run it against the repository root to scan lock files and manifest files for vulnerable dependencies
Review the output for affected packages and note the associated OSV advisory IDs
Optionally query the OSV REST API directly with a package name and version to retrieve full advisory detail and affected version ranges
Cross-reference OSV results with your SBOM to confirm component identity alignment
Integrate osv-scanner as a CI step that fails on vulnerabilities above a defined severity threshold
Track remediation progress by re-running the scan after dependency updates
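The procedure above as one worked example in Python. This is added illustration, not osv-scanner's or the OSV project's own code: it reads components from a CycloneDX SBOM (step 4), maps each purl to the exact ecosystem string OSV expects, queries the OSV REST API (step 3) through `query_osv()`, computes a numeric score from each advisory's CVSS v3 vector, lists the affected version ranges, and returns a pass/fail flag for a severity threshold (step 5). The SBOM, the advisory record, its IDs and its CVSS vector are constructed placeholders, and `evaluate()` takes an injectable lookup so the sample runs offline; swap in `query_osv` for live results.

```python
"""Added example (not osv-scanner's own code): query OSV for each SBOM
component, score advisories from their CVSS v3 vector, gate on a threshold."""
import json
import math
import urllib.request
from urllib.parse import unquote

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# purl type -> ecosystem string exactly as OSV spells it. OSV matches the name
# literally: querying "pip" or "pypi" instead of "PyPI" returns an empty result.
PURL_TYPE_TO_OSV = {
    "pypi": "PyPI", "npm": "npm", "golang": "Go", "maven": "Maven",
    "cargo": "crates.io", "gem": "RubyGems", "nuget": "NuGet", "composer": "Packagist",
}


def purl_to_osv_package(purl):
    """'pkg:pypi/requests@2.25.0' -> ('PyPI', 'requests', '2.25.0')."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    ptype, _, rest = body.partition("/")
    name_part, _, version = rest.rpartition("@")
    if not name_part or not version:
        raise ValueError(f"purl lacks a name or version: {purl}")
    ecosystem = PURL_TYPE_TO_OSV.get(ptype)
    if ecosystem is None:
        raise ValueError(f"no OSV ecosystem mapping for purl type {ptype!r}")
    return ecosystem, unquote(name_part), version


def query_osv(ecosystem, name, version, timeout=10):
    """Live lookup against the OSV API; returns {'vulns': [...]} or {}."""
    payload = {"package": {"ecosystem": ecosystem, "name": name}, "version": version}
    req = urllib.request.Request(OSV_QUERY_URL, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# CVSS v3.1 base-metric weights (specification section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, on integers to avoid FP drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss3_base_score(vector):
    """Base score from a 'CVSS:3.x/AV:../AC:../PR:../UI:../S:../C:../I:../A:..' vector."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector}")
    m = dict(p.split(":", 1) for p in parts[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))


def max_score(vuln):
    """Highest CVSS v3 base score among the record's 'severity' entries, or None."""
    scores = [cvss3_base_score(s["score"]) for s in vuln.get("severity", []) if s.get("type") == "CVSS_V3"]
    return max(scores) if scores else None


def affected_ranges(vuln, ecosystem, name):
    """introduced/fixed events for this package from the record's 'affected' entries."""
    out = []
    for a in vuln.get("affected", []):
        pkg = a.get("package", {})
        if pkg.get("ecosystem") == ecosystem and pkg.get("name") == name:
            for r in a.get("ranges", []):
                out.append([(k, v) for ev in r.get("events", []) for k, v in ev.items()])
    return out


def evaluate(sbom, threshold, lookup=query_osv):
    """Return (findings, failed); failed is True if any score reaches the threshold."""
    findings = []
    for comp in sbom.get("components", []):
        ecosystem, name, version = purl_to_osv_package(comp["purl"])
        for v in lookup(ecosystem, name, version).get("vulns", []):
            findings.append({"purl": comp["purl"], "id": v["id"], "aliases": v.get("aliases", []),
                             "score": max_score(v), "ranges": affected_ranges(v, ecosystem, name)})
    failed = any(f["score"] is not None and f["score"] >= threshold for f in findings)
    return findings, failed


# Constructed sample SBOM and OSV-style response; IDs and vector are placeholders, not real advisories.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.0", "purl": "pkg:pypi/examplelib@1.2.0"},
    {"type": "library", "name": "cleanlib", "version": "3.0.0", "purl": "pkg:npm/cleanlib@3.0.0"},
]}
SAMPLE_RESPONSES = {("PyPI", "examplelib", "1.2.0"): {"vulns": [{
    "id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-00000"],
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
    "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.1"}]}]}],
}]}}


def offline_lookup(ecosystem, name, version):
    """Stand-in for query_osv() that serves the constructed sample."""
    return SAMPLE_RESPONSES.get((ecosystem, name, version), {})


if __name__ == "__main__":
    found, failed = evaluate(SAMPLE_SBOM, threshold=7.0, lookup=offline_lookup)
    for f in found:
        print(f"{f['purl']}: {f['id']} {f['aliases']} score={f['score']} ranges={f['ranges']}")
    raise SystemExit(1 if failed else 0)  # non-zero exit is what a CI step keys on
```

osv-scanner already handles lock-file parsing (step 1), so this script covers the SBOM-driven path; the CVSS calculation is included because OSV records carry the vector string, not a number, and a CI threshold needs a number to compare against.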
Known gotchas
OSV uses package ecosystem identifiers that must match exactly; querying with the wrong ecosystem string (e.g., PyPI vs pip) returns no results even if vulnerabilities exist
OSV advisory data is community-contributed and may lag behind NVD for some ecosystems; supplement with an NVD or vendor advisory feed for critical packages
osv-scanner only scans files it can parse as known lock file formats; vendored source code or unusual dependency management setups may produce no results