---
title: "Security scan"
type: "glossary-term"
category: "Trust & signals"
canonical_url: "https://www.graphcanon.com/glossary/trust-and-signals/security-scan"
updated: "2026-07-09"
---

# Security scan

**A security scan checks a repository's declared dependencies against known-vulnerability databases; a clean result is not proof a project is secure.**

A **security scan** here means an automated lookup of a repo's declared dependencies against a public advisory database (such as OSV). It flags known CVEs in packages the project depends on.

This is intentionally narrow: it reviews declared dependencies, not application code, runtime behavior, or private packages. "No criticals found" is a dated snapshot, not a guarantee.

## In GraphCanon

When enabled for a tool, GraphCanon runs OSV-based scans over supported lockfiles and reports findings with severities and dates. What it never claims is spelled out in the trust methodology.

## See also

- [How trust signals work](/trust-methodology)

## Related terms

- [Trust signal](/glossary/trust-and-signals/trust-signal.md)
- [Provenance](/glossary/knowledge-graph/provenance.md)

[Trust & signals](/glossary/trust-and-signals.md) · [All glossary terms](/glossary.md)

---

**Machine-readable endpoints**

- JSON: [`/api/graphcanon`](/api/graphcanon)
- LLM index: [/llms.txt](/llms.txt)
- Full corpus: [/llms-full.txt](/llms-full.txt)

_GraphCanon - The knowledge graph for AI development. https://www.graphcanon.com/_
