Scan project dependencies for known vulnerabilities (CVEs). Use when reviewing dependency files (package.json, requirements.txt, go.mod, pom.xml, Gemfile, Cargo.toml, etc.), triaging Dependabot/Renovate alerts, or performing pre-deployment security checks.
Installation
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
If no scanner is installed, stop and ask the user to install one (e.g., brew install osv-scanner). Manual analysis is not viable — even small projects have 50+ dependencies. For individual package triage, point the user to OSV.dev.
Analyze Results — For each vulnerability: determine reachability (is the vulnerable code path used?), check exploitability context (deployment matters), and identify fix availability (patch vs major version bump).
Dependency Health — Beyond CVEs, flag unmaintained packages (2+ years inactive), typosquatting risks, license concerns, and version pinning issues.
Output
Scan summary (ecosystems, dependency count, scanner used), findings sorted by severity using templates/finding.md, condensed table for medium/low, dependency health flags, and exact remediation commands.