Merged
19 changes: 19 additions & 0 deletions README.md
Expand Up @@ -11,6 +11,7 @@ The Security extension is an open-source Gemini CLI extension, built to enhance
- **Open source**: The extension is open source and distributed under the Apache 2.0 license.
- **Integrated with Gemini CLI**: As a Google-developed extension, it integrates seamlessly into the Gemini CLI environment, making security an accessible part of your workflow.
- **Expandable scope**: The extension is designed with an extensible architecture, allowing for future expansion of detected security risks and more advanced analysis techniques.
- **Dependency scans**: Identifies known vulnerabilities affecting your project's dependencies using [OSV-Scanner](https://github.com/google/osv-scanner).

## Installation

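Review bot: the new **Dependency scans** bullet in the feature list does not say how the scan is invoked, while the section added further down in this same PR documents it as the `/security:scan-deps` command; naming the command in the bullet (or pointing at the "Scan for vulnerable dependencies" section) lets a reader jump from the feature list straight to usage. Something like: "Identifies known vulnerabilities affecting your project's dependencies with the `/security:scan-deps` command, powered by [OSV-Scanner](https://github.com/google/osv-scanner)."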
Expand All @@ -37,6 +38,24 @@ By default, the `/security:analyze` command determines the scope of the analysis

![Customize analysis command](./assets/customize_command.gif)

### Scan for vulnerable dependencies

Modern software is built on open-source dependencies, but this can introduce security risks if a dependency contains vulnerabilities.

Regularly running a dependency scan is a critical step in securing your software supply chain and protecting your project from well-known attack vectors.

The `/security:scan-deps` command automates this process by integrating [OSV-Scanner](https://github.com/google/osv-scanner), a tool that cross-references your project's dependencies with [OSV.dev](https://osv.dev/), a Google-maintained, open-source vulnerability database. OSV.dev provides precise vulnerability data by aggregating information from a wide range of open-source ecosystems, ensuring comprehensive and reliable security advisories.

To run a dependency scan, use the following command:
```bash
/security:scan-deps
```

After running the command, you will receive a report listing:
- **Which dependencies are vulnerable.**
- **Details about the specific vulnerabilities**, including their severity and identifiers.
- **Guidance on how to remediate the issues**, such as which version to upgrade to.

## GitHub Integration

Comment on lines +58 to 60
🟢 For consistency with other lists in documentation, it's often better to use sentence case without trailing periods for list items.
Suggested change
## GitHub Integration
- **Which dependencies are vulnerable.**
- **Details about the specific vulnerabilities**, including their severity and identifiers.
- **Guidance on how to remediate the issues**, such as which version to upgrade to.

### I already use [run-gemini-cli](https://github.com/google-github-actions/run-gemini-cli) workflows in my repository:
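Review bot: the new section says the command works "by integrating OSV-Scanner" but never states whether OSV-Scanner is bundled with the extension or has to be installed separately, so a reader who hits a missing-tool error has nowhere to look; add a prerequisite sentence (or a pointer to the Installation section above) before "To run a dependency scan, use the following command:". Two smaller points in the same hunk: put a blank line between that sentence and the ```bash fence, matching the spacing the rest of this README uses between a paragraph and the block that follows it, and in the report list the first item is bolded in full while the other two bold only their lead phrase, so either bold just "Which dependencies are vulnerable" or bold the full text of all three (in addition to the trailing-period point already raised in the comment above).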