Background
CodeLens has zero dependency vulnerability scanning. A project can be free of code-level bugs but ship with a dependency that has a known CVE — and CodeLens won't catch it. This is a clear gap for any CI security gate.
Strix uses trivy fs for this. A cleaner approach for CodeLens is to query the OSV.dev API directly — pure Python, zero binary dependency, no extra install required.
Goal
New command: codelens deps-audit <path>
codelens deps-audit .
codelens deps-audit . --format json
codelens deps-audit . --severity high,critical
codelens deps-audit . --ecosystem PyPI
How it works
Input parsing (support all three, auto-detect):
requirements.txt → PyPI ecosystem
package.json (+ package-lock.json / yarn.lock) → npm ecosystem
Cargo.toml (+ Cargo.lock) → crates.io ecosystem
OSV API query (batch endpoint, no auth required):
POST https://api.osv.dev/v1/querybatch
{
"queries": [
{"package": {"name": "requests", "ecosystem": "PyPI"}, "version": "2.27.0"},
...
]
}
Output:
- Per-vulnerability: package name, installed version, CVE ID(s), CVSS score, fixed version, OSV URL
- Stored in SQLite graph as
dependency_vuln nodes linked to the lock file
- Counts by severity in
stats block
Definition of Done
Source of Truth
- OSV API docs: https://google.github.io/osv.dev/api/
- OSV batch endpoint spec:
POST /v1/querybatch — accepts up to 1000 queries per request
- Existing command pattern to follow:
scripts/commands/secrets.py (similar structure: scan → findings → stats → recommendations)
- SQLite graph schema:
scripts/graph_schema.py — add dependency_vuln node type
Example output
{
"status": "ok",
"stats": {"total": 3, "critical": 1, "high": 1, "medium": 1},
"findings": [
{
"package": "requests",
"version": "2.27.0",
"vuln_id": "GHSA-j8r2-6x86-q33q",
"severity": "high",
"fixed_in": "2.31.0",
"summary": "Unintended leak of Proxy-Authorization header",
"osv_url": "https://osv.dev/vulnerability/GHSA-j8r2-6x86-q33q"
}
]
}
Background
CodeLens has zero dependency vulnerability scanning. A project can be free of code-level bugs but ship with a dependency that has a known CVE — and CodeLens won't catch it. This is a clear gap for any CI security gate.
Strix uses
trivy fsfor this. A cleaner approach for CodeLens is to query the OSV.dev API directly — pure Python, zero binary dependency, no extra install required.Goal
New command:
codelens deps-audit <path>How it works
Input parsing (support all three, auto-detect):
requirements.txt→ PyPI ecosystempackage.json(+package-lock.json/yarn.lock) → npm ecosystemCargo.toml(+Cargo.lock) → crates.io ecosystemOSV API query (batch endpoint, no auth required):
Output:
dependency_vulnnodes linked to the lock filestatsblockDefinition of Done
deps-auditcommand registered inscripts/codelens.pydispatch tablerequirements.txt,package.json,Cargo.toml(and their lock files for pinned versions)api.osv.dev/v1/querybatch), handles pagination and rate limitsdependency_vulnnode type--severityfilter:low,medium,high,critical--ecosystemfilter to limit to one package manager--formatsupport:json,compact,markdownurlliborhttpxsync_command_count.py --applyrun after adding command (count: 71)SKILL.md/SKILL-QUICK.md/README.mdupdated with new commandSource of Truth
POST /v1/querybatch— accepts up to 1000 queries per requestscripts/commands/secrets.py(similar structure: scan → findings → stats → recommendations)scripts/graph_schema.py— adddependency_vulnnode typeExample output
{ "status": "ok", "stats": {"total": 3, "critical": 1, "high": 1, "medium": 1}, "findings": [ { "package": "requests", "version": "2.27.0", "vuln_id": "GHSA-j8r2-6x86-q33q", "severity": "high", "fixed_in": "2.31.0", "summary": "Unintended leak of Proxy-Authorization header", "osv_url": "https://osv.dev/vulnerability/GHSA-j8r2-6x86-q33q" } ] }