Run OSV-Scanner with the '--experimental-guided-remediation' flag (or the guided remediation subcommand if available in your version) against a supported lockfile
Review the remediation output, which suggests specific version upgrades that would resolve one or more detected vulnerabilities
Evaluate the suggested upgrades for compatibility with your application's version constraints before applying them
Apply the recommended updates to your manifest file and regenerate the lockfile using the relevant package manager
Re-run OSV-Scanner after updating to confirm the targeted vulnerabilities are resolved and no new ones were introduced
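The confirmation in the last step can be checked mechanically by diffing the scanner report saved before the upgrade against the one saved after it. This is an added example, not part of the original page or of OSV-Scanner; it assumes both reports come from OSV-Scanner's JSON output (`--format json`), and the sample reports, package names and advisory IDs below are constructed placeholders.

```python
import json

def vuln_set(report):
    """Return {(lockfile, ecosystem, package, vuln_id)} from an OSV-Scanner JSON report."""
    found = set()
    for result in report.get("results") or []:
        path = result.get("source", {}).get("path", "?")
        for entry in result.get("packages") or []:
            pkg = entry.get("package", {})
            for vuln in entry.get("vulnerabilities") or []:
                # Version is left out of the key so an upgraded package's
                # unfixed advisories are not misreported as newly introduced.
                found.add((path, pkg.get("ecosystem", ""), pkg.get("name", ""), vuln["id"]))
    return found

def compare(before, after, targeted):
    """Classify findings; `targeted` holds the IDs the upgrade was meant to fix."""
    old, new = vuln_set(before), vuln_set(after)
    still_open = sorted(f for f in new if f[3] in targeted)
    introduced = sorted(new - old)
    return {"resolved": sorted(old - new), "still_open": still_open,
            "introduced": introduced, "ok": not still_open and not introduced}

def sample_report(packages):
    """Build a constructed single-lockfile report in the scanner's JSON shape."""
    return {"results": [{
        "source": {"path": "package-lock.json", "type": "lockfile"},
        "packages": [{"package": {"name": n, "version": v, "ecosystem": "npm"},
                      "vulnerabilities": [{"id": i} for i in ids]}
                     for n, v, ids in packages]}]}

# Constructed data: the upgrade fixes one advisory, leaves one, and pulls in a new dependency.
BEFORE = sample_report([("examplelib", "1.2.0",
                         ["GHSA-aaaa-bbbb-cccc", "GHSA-dddd-eeee-ffff"])])
AFTER = sample_report([("examplelib", "2.0.0", ["GHSA-dddd-eeee-ffff"]),
                       ("newdep", "0.3.1", ["GHSA-gggg-hhhh-iiii"])])

if __name__ == "__main__":
    # With real files: before = json.load(open("before.json")), likewise for after.
    verdict = compare(BEFORE, AFTER, targeted={"GHSA-aaaa-bbbb-cccc"})
    print(json.dumps(verdict, indent=2))
    raise SystemExit(0 if verdict["ok"] else 1)
```

The non-zero exit on a still-open or newly introduced finding lets a CI job gate the merge of a dependency bump on this check.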
Known gotchas
Guided remediation is an experimental feature and may not be available or stable in all OSV-Scanner releases; check the changelog before relying on it in production CI
Suggested updates may resolve CVEs but introduce breaking API changes in the upgraded dependency; automated version bumps should be paired with test suite runs before merging
Guided remediation works on a per-lockfile basis and resolves within the constraints of the existing dependency graph; deeply nested transitive vulnerabilities may not be resolvable without updating a parent dependency