Scan project dependencies for known vulnerabilities (CVEs). Use when reviewing dependency files (package.json, requirements.txt, go.mod, pom.xml, Gemfile, Cargo.toml, etc.), triaging Dependabot/Renovate alerts, or performing pre-deployment security checks.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
If no scanner is installed, stop and ask the user to install one (e.g., brew install osv-scanner). Manual analysis is not viable — even small projects have 50+ dependencies. For individual package triage, point the user to OSV.dev.
Analyze Results — For each vulnerability: determine reachability (is the vulnerable code path used?), check exploitability context (deployment matters), and identify fix availability (patch vs major version bump).
Dependency Health — Beyond CVEs, flag unmaintained packages (2+ years inactive), typosquatting risks, license concerns, and version pinning issues.
Output
Scan summary (ecosystems, dependency count, scanner used), findings sorted by severity using templates/finding.md, condensed table for medium/low, dependency health flags, and exact remediation commands.