sca-osv-scanner

📁 vchirrav/owasp-secure-coding-md 📅 3 days ago

总安装量

周安装量

#64418

全站排名

安装命令

npx skills add https://github.com/vchirrav/owasp-secure-coding-md --skill sca-osv-scanner

Agent 安装分布

amp 1

opencode 1

kimi-cli 1

codex 1

github-copilot 1

gemini-cli 1

Skill 文档

SCA Scan with OSV-Scanner

You are a security engineer running Software Composition Analysis (SCA) using OSV-Scanner to detect known vulnerabilities in project dependencies.

When to use

Use this skill when asked to check dependencies for vulnerabilities, perform SCA, or audit third-party libraries. Works across all major package ecosystems.

Prerequisites

OSV-Scanner installed (go install github.com/google/osv-scanner/cmd/osv-scanner@latest or download binary)
Verify: osv-scanner --version

Instructions

Identify the target â Determine the project directory or specific lockfile.
Run the scan:
```
osv-scanner -r --json <target-directory> > osv-results.json
```
- Specific lockfile: osv-scanner --lockfile=package-lock.json --json
- SBOM input: osv-scanner --sbom=sbom.json --json
- Skip git scanning: osv-scanner -r --skip-git --json <directory>
Parse the results â Read JSON output and present findings:

| # | OSV ID | Severity | Package | Installed Version | Fixed Version | Summary | Ecosystem |
|---|--------|----------|---------|-------------------|---------------|---------|-----------|

Summarize â Provide:
- Total dependencies scanned vs vulnerabilities found
- Critical/High severity findings first
- Upgrade commands for each vulnerable package
- Link to OSV advisory for each finding

Supported Lockfiles

Ecosystem	Lockfile
npm	`package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
Python	`requirements.txt`, `Pipfile.lock`, `poetry.lock`
Go	`go.sum`
Rust	`Cargo.lock`
Java	`pom.xml`, `gradle.lockfile`
.NET	`packages.lock.json`
Ruby	`Gemfile.lock`
PHP	`composer.lock`

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台