
OSV Dependency Risk Statusline

Claude Code statusline that reads OSV-Scanner JSON results and prints a compact dependency vulnerability count for review sessions.

by MkDev11·added 2026-06-04·
Harness: Claude Code
Language: bash
Review first: review before installing

Open the source and read safety notes before installing.

Safety notes

  • Prefer reading a precomputed report; scanning dependencies during every statusline refresh can be slow.
  • Vulnerability counts need human triage for reachability, exploitability, and acceptable remediation timing.
  • Do not let a zero count replace lockfile review, provenance checks, or package-manager audit policy.
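The triage caveat above, in code: an added Python example that is not part of this statusline recipe or of OSV-Scanner. It parses a constructed report shaped like OSV-Scanner's `--format json` output and shows why the raw count the statusline prints is only a starting point: aliased records (a GHSA and its CVE) appear as separate entries, `groups` collapse them into one finding with a `max_severity`, and an empty `results` array cannot tell a clean tree from a scan that found no lockfile. The `results[].packages[].groups` layout with `ids` and `max_severity` is assumed to match what OSV-Scanner emits; the package names and vulnerability IDs in the sample are placeholders, not real advisories.

```python
"""Triage summary over an OSV-Scanner JSON report.

Added example, not part of the statusline script. It assumes the layout
OSV-Scanner writes with --format json: results[].packages[], each with
"package", "vulnerabilities" (OSV records) and "groups" (aliased records
collapsed into one group carrying "ids" and a CVSS "max_severity" string).
"""
import json
from collections import Counter

# Constructed sample shaped like an OSV-Scanner report. Package names and
# vulnerability IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "package-lock.json", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "example-widget", "version": "1.0.0", "ecosystem": "npm"},
                # The same issue under its GHSA and CVE IDs: two entries, one finding.
                "vulnerabilities": [
                    {"id": "GHSA-example-0001", "aliases": ["CVE-0000-0001"]},
                    {"id": "CVE-0000-0001", "aliases": ["GHSA-example-0001"]},
                ],
                "groups": [{"ids": ["GHSA-example-0001", "CVE-0000-0001"], "max_severity": "7.5"}],
            },
            {
                "package": {"name": "example-util", "version": "2.3.4", "ecosystem": "npm"},
                "vulnerabilities": [{"id": "GHSA-example-0002", "aliases": []}],
                "groups": [{"ids": ["GHSA-example-0002"], "max_severity": "5.3"}],
            },
        ],
    }],
})

# What a scan that found nothing looks like. Without --all-packages this is
# indistinguishable from a scan that found no manifests at all.
EMPTY_REPORT = json.dumps({"results": []})


def _packages(report):
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            yield pkg


def raw_entry_count(report):
    """Count entries the way the statusline's jq filter does: every element of
    every "vulnerabilities" array. Aliased records are counted separately."""
    return sum(len(pkg.get("vulnerabilities", [])) for pkg in _packages(report))


def severity_bucket(max_severity):
    """Map a CVSS base score string to the usual v3 qualitative bands."""
    try:
        score = float(max_severity)
    except (TypeError, ValueError):
        return "unknown"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(report):
    """Return the numbers a reviewer needs beside the statusline's raw count."""
    packages = list(_packages(report))
    findings = []
    for pkg in packages:
        coords = pkg.get("package", {})
        for group in pkg.get("groups", []):
            findings.append({
                "package": f"{coords.get('ecosystem')}:{coords.get('name')}@{coords.get('version')}",
                "ids": list(group.get("ids", [])),
                "severity": severity_bucket(group.get("max_severity")),
            })
    if findings:
        state = "review"
    elif packages:
        state = "ok"      # packages listed (e.g. --all-packages) but no groups
    else:
        state = "empty"   # nothing reported; confirm the scan actually saw a lockfile
    return {
        "state": state,
        "raw_entries": raw_entry_count(report),
        "finding_groups": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "findings": findings,
    }


def summarize(report_json):
    """Parse a report string and produce the triage summary."""
    return triage(json.loads(report_json))


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_REPORT), ("empty", EMPTY_REPORT)):
        s = summarize(doc)
        print(f"{label}: raw={s['raw_entries']} groups={s['finding_groups']} "
              f"{s['by_severity']} state={s['state']}")
```

On the sample report the statusline's method counts 3 entries while there are 2 distinct findings; the severity split and the per-package coordinates are what a reviewer needs to decide reachability and remediation timing, which no count conveys.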

Privacy notes

  • OSV reports can reveal package names, versions, ecosystems, and repository structure.
  • The statusline prints only the count, but the local JSON report may contain detailed dependency metadata.
  • If scans run against private package manifests, review where the scanner sends package coordinates.

Prerequisites

  • OSV-Scanner JSON report at `osv-report.json`, or OSV_STATUSLINE_JSON set to another report path.
  • jq available for reading the report.
  • The OSV-Scanner CLI, only if OSV_STATUSLINE_SCAN is set to 1 to rescan on each refresh (the scan sends package coordinates to the OSV API; see the privacy notes).

Schema details

  • Install type: config
  • Troubleshooting: No

Source repository stats

  • Scope: Source repo

Runtime and command metadata

  • Script language: bash

Script body
#!/usr/bin/env bash
set -u

main() {
  # Report path; defaults to a precomputed osv-report.json in the working directory.
  report="${OSV_STATUSLINE_JSON:-osv-report.json}"

  # Optional live scan. Write to a temp file and move it into place only when the
  # scanner produced output, so a failed run does not truncate the existing report.
  if [ "${OSV_STATUSLINE_SCAN:-0}" = "1" ] && command -v osv-scanner >/dev/null 2>&1; then
    tmp="${report}.tmp.$$"
    # osv-scanner exits non-zero when it finds vulnerabilities, so its exit code
    # is not a failure signal here; the non-empty check is.
    osv-scanner --format json . > "$tmp" 2>/dev/null || true
    if [ -s "$tmp" ]; then
      mv -f "$tmp" "$report"
    else
      rm -f "$tmp"
    fi
  fi

  if [ ! -f "$report" ]; then
    echo "deps: osv report missing"
    exit 0
  fi
  if ! command -v jq >/dev/null 2>&1; then
    echo "deps: jq missing"
    exit 0
  fi

  # Count every element of every "vulnerabilities" array in the report. This is a
  # raw entry count: a record and its aliases (for example a GHSA and its CVE) can
  # be listed separately, so it can exceed the number of distinct findings.
  count=$(jq '[.. | objects | .vulnerabilities? // empty | .[]] | length' "$report" 2>/dev/null || echo 0)
  # Guard the integer comparison against an empty or non-numeric result.
  case $count in
    ''|*[!0-9]*) count=0 ;;
  esac
  if [ "$count" -gt 0 ]; then
    state="review"
  else
    state="ok"
  fi

  printf 'deps: vulns %s | %s\n' "$count" "$state"
}

# Skip execution when the shell is in no-exec mode (set -n), e.g. during a syntax check.
case $- in
  *n*) ;;
  *) main "$@" ;;
esac
Full copyable content
{
  "statusLine": {
    "type": "command",
    "command": "$CLAUDE_PROJECT_DIR/.claude/statuslines/osv-dependency-risk-statusline.sh"
  }
}

About this resource

Source notes

  • OSV-Scanner documentation describes scanning dependency manifests and emitting JSON output for automation.
  • This statusline reads a report by default so teams can run scans on their own cadence and keep Claude Code refreshes fast.

Duplicate check

Checked existing statuslines, live HeyClaude statuslines, open pull requests, and repository content for osv-dependency-risk-statusline, OSV-Scanner, dependency risk, vulnerability count, and dependency statuslines. No statusline entry or open PR with this slug or OSV source was found.

Disclosure

Editorial statusline recipe. No paid placement or affiliate link is used.

#dependencies#security#osv#claude-code
