
Commit 29a6e50

chore(README): include docs about OSV Scanner and dependency scanning
1 parent f7f778d commit 29a6e50


README.md

Lines changed: 20 additions & 0 deletions
@@ -11,6 +11,7 @@ The Security extension is an open-source Gemini CLI extension, built to enhance
1111
- **Open source**: The extension is open source and distributed under the Apache 2.0 license.
1212
- **Integrated with Gemini CLI**: As a Google-developed extension, it integrates seamlessly into the Gemini CLI environment, making security an accessible part of your workflow.
1313
- **Expandable scope**: The extension is designed with an extensible architecture, allowing for future expansion of detected security risks and more advanced analysis techniques.
14+
- **Dependency scans**: Identifies known vulnerabilities affecting your project's dependencies using [OSV-Scanner](https://github.com/google/osv-scanner).
1415

1516
## Installation
1617
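Review bot: the added **Dependency scans** feature bullet names OSV-Scanner but not the `/scan-deps` command that exposes it, so a reader skimming the feature list gets no pointer to the usage section added further down in this same commit. Consider closing the bullet with the command, for example "...using [OSV-Scanner](https://github.com/google/osv-scanner) via the `/scan-deps` command."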

@@ -37,6 +38,25 @@ By default, the `/security:analyze` command determines the scope of the analysis
3738

3839
![Customize analysis command](./assets/customize_command.gif)
3940

41+
### Scan for vulnerable dependencies
42+
43+
Modern software is built on open-source dependencies, but this can introduce security risks if a dependency contains vulnerabilities.
44+
45+
Regularly running a dependency scan is a critical step in securing your software supply chain and protecting your project from well-known attack vectors.
46+
47+
The `/scan-deps` command automates this process by integrating [OSV-Scanner](https://github.com/google/osv-scanner), a tool that cross-references your project's dependencies with
48+
[OSV.dev](https://osv.dev/)
49+
50+
To run a scan, use the following command:
51+
```bash
52+
/scan-deps
53+
```
54+
55+
After running the command, you will receive a report listing:
56+
- **Which dependencies are vulnerable.**
57+
- **Details about the specific vulnerabilities**, including their severity and identifiers (like CVEs).
58+
- **Guidance on how to remediate the issues**, such as which version to upgrade to.
59+
4060
## GitHub Integration
4161

4262
### I already use [run-gemini-cli](https://github.com/google-github-actions/run-gemini-cli) workflows in my repository:
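Review bot: the sentence introducing OSV-Scanner ("a tool that cross-references your project's dependencies with" followed by "[OSV.dev](https://osv.dev/)" on the next line) has no terminating period, so it renders as an unfinished sentence. The section also leaves out the details that decide whether `/scan-deps` works in a given environment: which manifests or lockfiles in the project are picked up as "your project's dependencies", whether the extension bundles `osv-scanner` or expects it to be installed already, and whether the lookup against OSV.dev needs network access from the machine running Gemini CLI. A short "Requirements" paragraph before "To run a scan, use the following command:" would cover all three.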
