Trust & signals

Security scan

A security scan checks a repository's declared dependencies against known-vulnerability databases; a clean result is not proof a project is secure.

A security scan here means an automated lookup of a repo's declared dependencies against a public advisory database (such as OSV). It flags known CVEs in packages the project depends on.

This is intentionally narrow: it reviews declared dependencies, not application code, runtime behavior, or private packages. "No criticals found" is a dated snapshot, not a guarantee.

In GraphCanon

When enabled for a tool, GraphCanon runs OSV-based scans over supported lockfiles and reports findings with severities and dates. What it never claims is spelled out in the trust methodology.

See also

Related terms

Last reviewed 2026-07-09

Command menu

Search tools or jump to a page