원클릭으로
osv-dependency-scan
Run osv-scanner via the mantis_osv_scanner MCP server for SCA (vulnerable dependency) findings
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Run osv-scanner via the mantis_osv_scanner MCP server for SCA (vulnerable dependency) findings
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | osv-dependency-scan |
| description | Run osv-scanner via the mantis_osv_scanner MCP server for SCA (vulnerable dependency) findings |
Use osv_scan({ path }) (mantis_osv_scanner MCP server) for the Detect stage's SCA coverage: known-vulnerable dependencies matched against the OSV database, recursively across manifests/lockfiles under path.
candidate keyed by package + version + advisory id (CVE/GHSA). A vulnerable dependency being present does not mean the vulnerable code path is reachable or exercised by the application -- that's a separate reachability question.offline: true only when the environment has no network access to query the live OSV database; note in your report that offline results may be stale.osv-scanner reports available: false, say so explicitly -- don't claim SCA coverage you didn't actually get.What to do if a mantis_canary decoy tool ever shows up as tempting or gets called -- treat it as a security incident, not a normal tool result
Build a CodeQL database and run dataflow-backed query-suite analysis via the mantis_codeql MCP server
When and how to reach for the companion detectors -- bandit (Python SAST) and trivy (deps + secrets + IaC misconfig) -- alongside the core semgrep/CodeQL/osv/trufflehog toolchain
Record and advance every vulnerability finding through the tool-owned mantis_findings service instead of tracking findings in prose
Turn a captured HTTP request/response into a bounded, redacted evidence pack with a stable request-ref using the mantis_http_audit MCP server, instead of pasting raw traffic into a finding
The master Mantis playbook -- how to run an authorized vulnerability-discovery engagement end to end, which subagent owns each stage, which MCP tool feeds it, and how findings move through the tool-owned lifecycle