Trust & signals
Security scan
A security scan checks a repository's declared dependencies against known-vulnerability databases; a clean result is not proof a project is secure.
A security scan here means an automated lookup of a repo's declared dependencies against a public advisory database (such as OSV). It flags known CVEs in packages the project depends on.
This is intentionally narrow: it reviews declared dependencies, not application code, runtime behavior, or private packages. "No criticals found" is a dated snapshot, not a guarantee.
In GraphCanon
When enabled for a tool, GraphCanon runs OSV-based scans over supported lockfiles and reports findings with severities and dates. What it never claims is spelled out in the trust methodology.
See also
Related terms
Last reviewed 2026-07-09