Add distinct status code for vulnerabilities with available fixes

[brabster]

Currently, OSV-Scanner uses exit code 1 for any vulnerabilities found, regardless of whether fixes are available. It would be beneficial for CI/CD workflows to have a dedicated status code to indicate when vulnerabilities with available fixes are detected. This would allow pipelines to differentiate between vulnerabilities that can be immediately addressed and those that do not yet have a solution, enabling more actionable automation and reporting.

Request:

• Add a new, distinct exit/status code to indicate when one or more vulnerabilities found have available fixes.
• Update documentation to reflect the new status code and its intended use case.

Motivation:

• Enables CI/CD pipelines to fail or alert only when actionable (fixable) vulnerabilities are detected.
• Reduces noise for vulnerabilities that cannot yet be addressed.
• Improves usability for teams integrating OSV-Scanner into automated workflows.

Let me know if you'd be willing to accept an appropriate PR!

Thanks (note - I used copilot to prepare this issue, seems to have done a good job of it)

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

[github-actions]

Automatically closing stale issue

[another-rex]

Apologies for the late response, I'm a bit hesitant on adding additional different error codes here, we originally tried doing something similar with uncalled vulns and license violations, and it just made the exit codes quite confusing.

I think the right approach here is to create a top level summary field for the JSON output that gives you a good overview, e.g.

• No fixable, partial fixable, all fixable
• License vioaltions
• Vulnerabilites
• only uncalled vulnerabilities
  ...etc