1. Add an OSV-Scanner step to the CI workflow that runs on pull request events, using either the official OSV-Scanner GitHub Action or a direct binary invocation.
2. Pass the '--format sarif' and '--output results.sarif' flags so the SARIF output is written to a file rather than to stdout.
3. Upload the SARIF file with the 'github/codeql-action/upload-sarif' action to surface findings as GitHub Code Scanning alerts on the pull request.
4. Configure the OSV-Scanner step to fail the CI job on a non-zero exit code, which OSV-Scanner returns when vulnerabilities are found.
5. Optionally use '--severity' filtering flags if they are available in your version, or post-process the SARIF output so the job fails only on findings above a defined severity level.
6. Add an osv-scanner.toml with approved ignores for accepted risks so the CI gate does not fail on known and accepted vulnerabilities.
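The steps above as one complete GitHub Actions workflow, added here as an illustration and not taken from the original page or the OSV-Scanner project. It uses the direct binary invocation route ('go install' of the v1 module path documented in the OSV-Scanner README); the action version pins and the 'osv-scanner' category name are assumptions to check against current releases.

```yaml
# Added example (not from the original page): scan pull requests with
# OSV-Scanner, write SARIF, upload it to Code Scanning, then fail the job
# on a non-zero scanner exit code. Version pins below are assumptions.
name: osv-scanner

on:
  pull_request:

permissions:
  contents: read
  security-events: write   # required for upload-sarif to create alerts

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: stable

      # Direct binary invocation so the flags from the steps stay visible.
      - name: Install OSV-Scanner
        run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1

      # The exit code is non-zero when vulnerabilities are found (exact
      # behaviour is version dependent, see the gotchas). Capture it instead
      # of failing here so the SARIF is still uploaded before the gate runs.
      - name: Run OSV-Scanner
        id: osv
        run: |
          set +e
          osv-scanner --format sarif --output results.sarif -r .
          echo "exit_code=$?" >> "$GITHUB_OUTPUT"

      # Upload whenever a SARIF file exists, even if the scanner found issues.
      - name: Upload SARIF to Code Scanning
        if: always() && hashFiles('results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: osv-scanner

      # Gate: fail the job after the alerts have been surfaced on the PR.
      - name: Fail on findings
        if: steps.osv.outputs.exit_code != '0'
        run: |
          echo "OSV-Scanner exited with code ${{ steps.osv.outputs.exit_code }}"
          exit 1
```

An osv-scanner.toml at the repository root is picked up by the scan step for the approved ignores described in step 6.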
Known gotchas
- SARIF upload to GitHub Code Scanning requires the repository to have Advanced Security enabled (available on public repos or with a GHAS license); without it the upload step silently succeeds but findings do not appear.
- OSV-Scanner's exit code on finding vulnerabilities may differ by version; verify whether your version exits non-zero on any finding or only on findings above a threshold, and configure the CI failure condition accordingly.
- SARIF output from OSV-Scanner may not include severity levels for all ecosystems, so severity-based filters in SARIF post-processing may not work uniformly across all package types.