一键导入
osv-dependency-scan
Run osv-scanner via the mantis_osv_scanner MCP server for SCA (vulnerable dependency) findings
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Run osv-scanner via the mantis_osv_scanner MCP server for SCA (vulnerable dependency) findings
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
What to do if a mantis_canary decoy tool ever shows up as tempting or gets called -- treat it as a security incident, not a normal tool result
Build a CodeQL database and run dataflow-backed query-suite analysis via the mantis_codeql MCP server
When and how to reach for the companion detectors -- bandit (Python SAST) and trivy (deps + secrets + IaC misconfig) -- alongside the core semgrep/CodeQL/osv/trufflehog toolchain
Record and advance every vulnerability finding through the tool-owned mantis_findings service instead of tracking findings in prose
Turn a captured HTTP request/response into a bounded, redacted evidence pack with a stable request-ref using the mantis_http_audit MCP server, instead of pasting raw traffic into a finding
The master Mantis playbook -- how to run an authorized vulnerability-discovery engagement end to end, which subagent owns each stage, which MCP tool feeds it, and how findings move through the tool-owned lifecycle
| name | osv-dependency-scan |
| description | Run osv-scanner via the mantis_osv_scanner MCP server for SCA (vulnerable dependency) findings |
Use osv_scan({ path }) (mantis_osv_scanner MCP server) for the Detect stage's SCA coverage: known-vulnerable dependencies matched against the OSV database, recursively across manifests/lockfiles under path.
candidate keyed by package + version + advisory id (CVE/GHSA). A vulnerable dependency being present does not mean the vulnerable code path is reachable or exercised by the application -- that's a separate reachability question.offline: true only when the environment has no network access to query the live OSV database; note in your report that offline results may be stale.osv-scanner reports available: false, say so explicitly -- don't claim SCA coverage you didn't actually get.