
/dependency-risk-review - Dependency Risk Review Command for Claude Code

Slash command that reviews the supply-chain risk of a project's dependencies using OpenSSF Scorecard health signals rather than CVE counts. It identifies high-impact dependencies, looks up each one's Scorecard checks (Maintained, Dangerous-Workflow, Pinned-Dependencies, Signed-Releases, Code-Review, and more) through the public API, cross-references OSV for known advisories, ranks the riskiest dependencies, and recommends concrete actions.

by techforgeworks, added 2026-06-04
Harness: Claude Code
Invocation: /dependency-risk-review [package]

Safety notes

  • Queries the public OpenSSF Scorecard API and OSV API with read-only GET requests to look up already-published health scores and advisories; it changes nothing in your project or in any dependency.
  • When the optional scorecard CLI is used to score a repository that is not already in the public dataset, it performs read-only analysis and needs a GitHub token; it never modifies repositories.
  • The review is advisory - it ranks risk and recommends actions, but it does not pin, update, remove, or vendor any dependency on its own.

Privacy notes

  • Sends only dependency package names and their already-public source-repository identifiers to the public OpenSSF Scorecard and OSV APIs; it sends no source code, lockfile contents, or credentials.
  • Scorecard and OSV responses (numeric check scores and advisory text) enter the model context to explain the risk ranking.
  • It writes nothing to disk beyond any output you choose to redirect.

Schema details

Install type: cli
Troubleshooting: No
Source repository stats scope: Source repo

Runtime and command metadata

Command syntax: /dependency-risk-review [package]
Full copyable content: /dependency-risk-review [package]

About this resource

The /dependency-risk-review command assesses supply-chain posture — how healthy and trustworthy your dependencies are — using OpenSSF Scorecard health checks, with OSV advisories as a secondary signal. It complements CVE scanners (which answer "is there a known vulnerability?") by answering "is this dependency well-maintained, reviewed, and safe to trust?".

Usage

/dependency-risk-review [package]
  • With a package name: review that single dependency.
  • Without an argument: review the project's high-impact direct dependencies.

What it does

When you invoke this command, follow these steps, reading only public data:

  1. Pick the targets. Read direct dependencies from package.json, a lockfile, requirements.txt, go.mod, or Cargo.toml. Prioritize dependencies that are widely imported, run at build/CI time, or have many transitive children.
  2. Resolve source repos. Map each dependency to its source repository (for example via the registry metadata's repository field).
  3. Look up Scorecard. Query the public API https://api.securityscorecards.dev/projects/github.com/<owner>/<repo> for each repo. If a repo is not in the dataset, optionally run scorecard --repo=github.com/<owner>/<repo> locally.
  4. Read the risk-bearing checks. Surface low scores for Maintained, Dangerous-Workflow, Pinned-Dependencies, Signed-Releases, Token-Permissions, Code-Review, Branch-Protection, and Vulnerabilities.
  5. Cross-reference advisories. Query OSV (https://api.osv.dev/v1/query) for known advisories affecting the installed version of each dependency.
  6. Rank and recommend. Rank dependencies by combined risk and, for each high-risk one, recommend a concrete action: pin to a hash, update, replace with a healthier alternative, vendor, or add monitoring.
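Steps 4 to 6 above, carried out over constructed sample data as an added example (not code from the command or its author): the Scorecard and OSV responses are inline dictionaries shaped like the two public APIs, and the thresholds (below 5 is "low", Maintained or Dangerous-Workflow below 3 is "high") are assumptions chosen for illustration, not values the command specifies.

```python
# Scorecard checks the steps above treat as risk-bearing.
RISK_CHECKS = {"Maintained", "Dangerous-Workflow", "Pinned-Dependencies", "Signed-Releases",
               "Token-Permissions", "Code-Review", "Branch-Protection", "Vulnerabilities"}

# Constructed sample responses (not real data), shaped like the public Scorecard API
# (GET https://api.securityscorecards.dev/projects/github.com/<owner>/<repo>) and the
# OSV query API (POST https://api.osv.dev/v1/query); in practice curl fills these in.
SCORECARD = {
    "example-lib": {"score": 4.1, "checks": [{"name": "Maintained", "score": 0},
        {"name": "Code-Review", "score": 3}, {"name": "Pinned-Dependencies", "score": 8},
        {"name": "License", "score": 10}]},
    "stale-lib": {"score": 5.5, "checks": [{"name": "Code-Review", "score": 2},
        {"name": "Pinned-Dependencies", "score": 4}, {"name": "Maintained", "score": 7}]},
    "solid-lib": {"score": 8.7, "checks": [{"name": "Maintained", "score": 10},
        {"name": "Signed-Releases", "score": 6}, {"name": "Dangerous-Workflow", "score": 10}]},
}
OSV = {"example-lib": {"vulns": [{"id": "EXAMPLE-0001", "summary": "constructed advisory"}]},
       "stale-lib": {}, "solid-lib": {}}

def low_risk_checks(scorecard, threshold=5):
    """Step 4: (name, score) for risk-bearing checks below threshold, lowest first.
    Scorecard reports -1 when a check could not run; treat that as unknown, not low."""
    lows = [(c["name"], c["score"]) for c in scorecard.get("checks", [])
            if c["name"] in RISK_CHECKS and 0 <= c["score"] < threshold]
    return sorted(lows, key=lambda x: x[1])

def classify(scorecard, osv):
    """Steps 5-6: combine signals into high/medium/low plus the driving signal."""
    lows = low_risk_checks(scorecard)
    advisories = [v["id"] for v in osv.get("vulns", [])]
    if advisories:  # a known advisory for the installed version dominates
        return "high", "OSV advisories: " + ", ".join(advisories)
    # An unmaintained project or a dangerous CI workflow is high risk even without a CVE.
    critical = [(n, s) for n, s in lows if n in {"Maintained", "Dangerous-Workflow"} and s < 3]
    if critical:
        return "high", f"{critical[0][0]} scored {critical[0][1]}"
    if lows:
        return "medium", f"{lows[0][0]} scored {lows[0][1]}"
    return "low", f"aggregate score {scorecard.get('score')}"

def rank(deps):
    """Rank riskiest first: by level, then by lowest aggregate Scorecard score."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for d in deps:
        level, why = classify(SCORECARD[d], OSV[d])
        rows.append({"dependency": d, "risk": level, "signal": why, "score": SCORECARD[d]["score"]})
    return sorted(rows, key=lambda r: (order[r["risk"]], r["score"]))
```

Each row of rank() maps onto the Dependency / Scorecard / Advisories / Risk fields of the output format; the Action field is left to the reviewer, as the command itself only recommends.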

Output format

  • Dependency: name + version + source repo.
  • Scorecard: aggregate score and the lowest risk-bearing checks.
  • Advisories: any OSV matches for the installed version.
  • Risk: high / medium / low with the driving signal.
  • Action: the recommended mitigation.

Requirements

  • Network access to the public OpenSSF Scorecard API (api.securityscorecards.dev) and OSV API (api.osv.dev).
  • curl or an equivalent HTTP client.
  • Optional: the scorecard CLI and a GitHub token to score repositories not already in the public dataset.

Safety notes

The command only reads public data — it queries the OpenSSF Scorecard and OSV APIs with read-only requests and changes nothing in your project or dependencies. The optional scorecard CLI performs read-only analysis. The review is advisory: it ranks risk and recommends actions but does not pin, update, remove, or vendor anything itself.

Privacy notes

Only dependency package names and their already-public source-repository identifiers are sent to the public Scorecard and OSV APIs — never source code, lockfile contents, or credentials. The API responses (numeric scores and advisory text) enter the model context to explain the ranking. Nothing is written to disk beyond output you redirect.

Source and references

#supply-chain#dependencies#openssf-scorecard#security#devops
