# OSV-Scanner

> Guide to using the OSV-Scanner tool with CodeRabbit's AI code reviews.

[OSV-Scanner](https://github.com/google/osv-scanner) is Google's vulnerability scanner that identifies vulnerabilities in your project's dependencies using the [OSV.dev](https://osv.dev) database.

## Files

OSV-Scanner scans the following manifest and lock files:

* `bun.lock`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`
* `requirements.txt`, `Pipfile.lock`, `poetry.lock`, `pdm.lock`, `pylock.toml`, `uv.lock`
* `go.mod`
* `pom.xml`, `buildscript-gradle.lockfile`, `gradle.lockfile`, `gradle/verification-metadata.xml`
* `Gemfile.lock`, `gems.locked`
* `composer.lock`
* `Cargo.lock`
* `pubspec.lock`
* `mix.lock`
* `renv.lock`
* `cabal.project.freeze`, `stack.yaml.lock`
* `conan.lock`
* `deps.json`
* `packages.lock.json`, `packages.config`

## Configuration

You can customize OSV-Scanner by adding an optional `osv-scanner.toml` configuration file to your repository.

<Note>
  OSV-Scanner runs without a config file. If your repository contains an `osv-scanner.toml` file, CodeRabbit uses it when running OSV-Scanner.
</Note>
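As an added illustration (not a file from CodeRabbit's docs or the OSV-Scanner project), the following `osv-scanner.toml` shows the two kinds of entries the scanner's config supports: a time-boxed ignore for a single advisory, and an override for one package. The advisory ID and package name are placeholders, and the `ignoreUntil` date is a constructed value.

```toml
# Suppress one advisory until a fixed date. Record the reason so the
# suppression can be reviewed; after ignoreUntil the finding reappears.
[[IgnoredVulns]]
id = "GO-0000-0000"            # placeholder; use the real OSV advisory ID
ignoreUntil = 2030-01-01       # constructed date; keep suppressions short-lived
reason = "Vulnerable code path is not reachable in this service; tracked in ticket (placeholder)"

# Suppress every finding for one exact package version. Narrow the match
# with name, version and ecosystem so the override does not hide other packages.
[[PackageOverrides]]
name = "example.com/placeholder/lib"  # placeholder package name
version = "1.2.3"                     # constructed version
ecosystem = "Go"
ignore = true
reason = "Vendored test fixture, never shipped in the build"
```

Because both entries silence findings, the `reason` fields and the `ignoreUntil` expiry are what keep a suppression from turning into a permanent blind spot; review them when the file changes in a pull request.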

## Notes

* OSV-Scanner scans dependency manifest and lock files to identify known vulnerabilities.
* Findings include vulnerability severity scores and details from the OSV.dev database.

## Profile behavior

* In **Chill** mode, CodeRabbit keeps only `high` and `critical` findings.
* In **Assertive** mode, CodeRabbit reports findings across all severities.

## Links

* [OSV-Scanner GitHub Repository](https://github.com/google/osv-scanner)
* [OSV-Scanner Documentation](https://google.github.io/osv-scanner/)
* [OSV.dev Database](https://osv.dev)
