بنقرة واحدة
osv-dependency-scan
Run osv-scanner via the mantis_osv_scanner MCP server for SCA (vulnerable dependency) findings
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Run osv-scanner via the mantis_osv_scanner MCP server for SCA (vulnerable dependency) findings
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
| name | osv-dependency-scan |
| description | Run osv-scanner via the mantis_osv_scanner MCP server for SCA (vulnerable dependency) findings |
Use osv_scan({ path }) (mantis_osv_scanner MCP server) for the Detect stage's SCA coverage: known-vulnerable dependencies matched against the OSV database, recursively across manifests/lockfiles under path.
candidate keyed by package + version + advisory id (CVE/GHSA). A vulnerable dependency being present does not mean the vulnerable code path is reachable or exercised by the application -- that's a separate reachability question.offline: true only when the environment has no network access to query the live OSV database; note in your report that offline results may be stale.osv-scanner reports available: false, say so explicitly -- don't claim SCA coverage you didn't actually get.What to do if a mantis_canary decoy tool ever shows up as tempting or gets called -- treat it as a security incident, not a normal tool result
Build a CodeQL database and run dataflow-backed query-suite analysis via the mantis_codeql MCP server
When and how to reach for the companion detectors -- bandit (Python SAST) and trivy (deps + secrets + IaC misconfig) -- alongside the core semgrep/CodeQL/osv/trufflehog toolchain
Record and advance every vulnerability finding through the tool-owned mantis_findings service instead of tracking findings in prose
Turn a captured HTTP request/response into a bounded, redacted evidence pack with a stable request-ref using the mantis_http_audit MCP server, instead of pasting raw traffic into a finding
The master Mantis playbook -- how to run an authorized vulnerability-discovery engagement end to end, which subagent owns each stage, which MCP tool feeds it, and how findings move through the tool-owned lifecycle