Add a workflow file in .github/workflows/ that checks out the repository and runs the `google/osv-scanner-action` GitHub Action
Configure the action step with `scan-args` pointing to the repository root or specific lockfile paths and set `output-file` to a SARIF filename
Set `fail-on-vuln: true` (or the equivalent input) to cause the workflow step to exit non-zero when vulnerabilities are found, blocking PR merges via required status checks
Add a subsequent step using `github/codeql-action/upload-sarif` to upload the generated SARIF file to GitHub Advanced Security for display in the repository Security tab
Configure an osv-scanner.toml at the repository root to ignore accepted/false-positive vulnerability IDs so they do not repeatedly block CI
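The steps above combined into one workflow, as an added example that is not from the page or the osv-scanner-action project; the action version tag is a placeholder, and the `scan-args`, `output-file` and `fail-on-vuln` inputs are used as the steps name them. The upload step runs with `if: always()` so the SARIF still reaches the Security tab when `fail-on-vuln` makes the scan step exit non-zero.

```yaml
# .github/workflows/osv-scanner.yml  (added example, not the project's own file)
name: OSV-Scanner

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly rescan picks up newly published advisories

permissions:
  contents: read
  security-events: write  # needed by upload-sarif to write code-scanning results

jobs:
  osv-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Pin to a release tag (placeholder vX.Y.Z), never @main.
      - name: Scan lockfiles with OSV-Scanner
        uses: google/osv-scanner-action/osv-scanner-action@vX.Y.Z
        with:
          # Inputs as named in the steps above; an osv-scanner.toml at the
          # repository root is read from the scanned directory for ignore entries.
          scan-args: |-
            --recursive
            ./
          output-file: osv-results.sarif
          fail-on-vuln: true

      # always(): the scan step exits non-zero on findings, but the SARIF
      # must still be uploaded so the Security tab shows what blocked the PR.
      - name: Upload SARIF to GitHub code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: osv-results.sarif
```

The matching osv-scanner.toml ignore entry is a `[[IgnoredVulns]]` table with `id`, `ignoreUntil` and `reason` fields, which covers the expiry date and accepted-risk comment described in the gotchas.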
Known gotchas
The `google/osv-scanner-action` GitHub Action wraps the CLI but may lag a version or two behind the latest OSV-Scanner release; pin to a specific action version tag rather than `@main` for reproducibility
SARIF upload via `github/codeql-action/upload-sarif` requires that GitHub Advanced Security is enabled on the repository; it is free for public repos but requires a license for private repos
If `fail-on-vuln` blocks CI on a dependency you cannot immediately upgrade, use an osv-scanner.toml ignore entry with an expiry date and a comment explaining the accepted risk