19 changes: 19 additions & 0 deletions README.md
Expand Up @@ -11,6 +11,7 @@ The Security extension is an open-source Gemini CLI extension, built to enhance
- **Open source**: The extension is open source and distributed under the Apache 2.0 license.
- **Integrated with Gemini CLI**: As a Google-developed extension, it integrates seamlessly into the Gemini CLI environment, making security an accessible part of your workflow.
- **Expandable scope**: The extension is designed with an extensible architecture, allowing for future expansion of detected security risks and more advanced analysis techniques.
- **Dependency scans**: Identifies known vulnerabilities affecting your project's dependencies using [OSV-Scanner](https://github.com/google/osv-scanner).

## Installation

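Review bot: the new "Dependency scans" bullet leaves the prerequisite undocumented: it names OSV-Scanner as the engine but says nothing about whether the scanner binary ships with the extension or has to be installed separately, and nothing about the network access the lookup against OSV.dev implies; a reader comparing this bullet with the installation section that follows cannot tell whether an extra install step is needed. Consider either stating it here or pointing to where it is covered, e.g. "- **Dependency scans**: Identifies known vulnerabilities affecting your project's dependencies using [OSV-Scanner](https://github.com/google/osv-scanner) (see Installation for prerequisites)." Minor style point: the other bullets describe the extension ("The extension is ..."), while this one starts with a bare verb ("Identifies ..."); matching the parallel structure would read better.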
Expand All @@ -37,6 +38,24 @@ By default, the `/security:analyze` command determines the scope of the analysis

![Customize analysis command](./assets/customize_command.gif)

### Scan for vulnerable dependencies

Modern software is built on open-source dependencies, but this can introduce security risks if a dependency contains vulnerabilities.

Regularly running a dependency scan is a critical step in securing your software supply chain and protecting your project from well-known attack vectors.

The `/scan-deps` command automates this process by integrating [OSV-Scanner](https://github.com/google/osv-scanner), a tool that cross-references your project's dependencies with [OSV.dev](https://osv.dev/), a Google-maintained, open-source vulnerability database. OSV.dev provides precise vulnerability data by aggregating information from a wide range of open-source ecosystems, ensuring comprehensive and reliable security advisories.

To run a dependency scan, use the following command:
```bash
/scan-deps
```

After running the command, you will receive a report listing:
- **Which dependencies are vulnerable.**
- **Details about the specific vulnerabilities**, including their severity and identifiers (like CVEs).
- **Guidance on how to remediate the issues**, such as which version to upgrade to.

## GitHub Integration

### I already use [run-gemini-cli](https://github.com/google-github-actions/run-gemini-cli) workflows in my repository:
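Review bot: the command name in this hunk is inconsistent with the rest of the README: the existing text refers to the namespaced `/security:analyze` command, while the new section documents the scan as `/scan-deps` (both in the prose and in the fenced example) with no `security:` prefix; if the command is in fact registered under the extension namespace, the example should read `/security:scan-deps`, and if it is not, a sentence explaining why it differs would avoid confusing users who type the wrong one. Two smaller points: the fence is tagged `bash`, but `/scan-deps` is a Gemini CLI slash command, not a shell command, so a plain fence or a `text` tag would be more accurate; and the "After running the command, you will receive a report listing" section promises remediation guidance and severity data but does not say which manifests or lockfiles the scan reads or what happens when none are found in the project, which is the first question a user with an unsupported ecosystem will have.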