If no scanner is installed, stop and ask the user to install one (e.g., brew install osv-scanner). Manual analysis is not viable — even small projects have 50+ dependencies. For individual package triage, point the user to OSV.dev.
Analyze Results — For each vulnerability: determine reachability (is the vulnerable code path used?), check exploitability context (deployment matters), and identify fix availability (patch vs major version bump).
Dependency Health — Beyond CVEs, flag unmaintained packages (2+ years inactive), typosquatting risks, license concerns, and version pinning issues.
Output
Scan summary (ecosystems, dependency count, scanner used), findings sorted by severity using templates/finding.md, condensed table for medium/low, dependency health flags, and exact remediation commands.