Summary
GStack has dependency lockfiles (bun.lock, lib/diagram-render/bun.lock) and a growing Actions surface, but no scheduled OSV-Scanner workflow. That means newly disclosed vulnerabilities in the existing dependency graph are not surfaced on a recurring cadence unless they happen to be touched by a PR or found manually.
This is separate from the focused PR-time Dependency Review request in #1987. Dependency Review catches vulnerable dependency changes in pull requests. A scheduled OSV-Scanner run catches vulnerabilities disclosed after dependencies are already on main.
Repo-local evidence
origin/main tracks dependency lockfiles:
bun.lock
lib/diagram-render/bun.lock
origin/main:package.json includes runtime dependencies such as @ngrok/ngrok, diff, playwright, and puppeteer-core, plus @anthropic-ai/sdk as a dev dependency.
The repo has multiple CI workflows under .github/workflows/, including evals, image publishing, Windows gates, and document gates.
Repo grep found no OSV scheduled scan wiring:
git grep -n -E 'osv-scanner|OSV-Scanner|google/osv|vulnerability scan|dependency-review|semgrep|scorecard|attest-build-provenance|attestation' origin/main -- .github package.json bun.lock lib/diagram-render/bun.lock README.md CONTRIBUTING.md docs
Only unrelated docs/designs/v2_PLAN.md text matched scorecard; no OSV workflow or vulnerability scan exists.
Existing adjacent issues (#1948, #1987, #1997, #2003 and PR #2009, listed under "Duplicate check performed" below) cover different layers. None of those add a scheduled full dependency vulnerability scan.
External baseline
The official google/osv-scanner-action README says the action supports two modes:
Pull-request scanning that reports newly introduced vulnerabilities.
Full vulnerability scanning that can run on pushes, releases, or a regular schedule, with results reported to GitHub Code Scanning.
That second mode is the missing baseline here.
Expected impact
Surfaces vulnerabilities disclosed after a dependency is already merged, not just vulnerabilities introduced by new PRs.
Gives maintainers a recurring Code Scanning signal for the current dependency graph.
Complements Add Dependency Review Action to block vulnerable dependency changes #1987 instead of duplicating it: PR-time blocking plus scheduled main-branch monitoring cover different failure modes.
Suggested fix
Add a focused workflow such as .github/workflows/osv-scanner.yml:
Triggers: schedule and workflow_dispatch.
Permissions: contents: read, plus security-events: write if uploading SARIF to Code Scanning.
google/osv-scanner-action pinned to a full commit SHA, not a mutable tag, to stay aligned with #1948 / #2009.
Scan targets: bun.lock and lib/diagram-render/bun.lock.
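A concrete workflow meeting those requirements, written here as an example and not taken from the gstack repo or from the osv-scanner-action project itself. It assumes the upstream reusable workflow path and its scan-args input as documented in the osv-scanner-action README, that the pinned osv-scanner release understands --lockfile for bun.lock, and uses a placeholder for the commit SHA and an arbitrary cron:

```yaml
# .github/workflows/osv-scanner.yml (example; not yet present in the repo)
name: OSV-Scanner scheduled scan

on:
  schedule:
    - cron: "17 6 * * 1"   # weekly, Monday 06:17 UTC; any recurring cadence works
  workflow_dispatch:        # lets a maintainer trigger an ad-hoc scan

# Least privilege for the caller: read the checkout, write SARIF to Code Scanning.
# actions: read is what code-scanning upload needs to read workflow metadata.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  scan-scheduled:
    # Pin to a full commit SHA (placeholder below), never a mutable tag such as @v2,
    # to match the pinning policy from #1948 / #2009. The trailing comment records the
    # release the SHA corresponds to so a bot or reviewer can audit the bump.
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@<FULL_COMMIT_SHA>  # vX.Y.Z
    with:
      # Scan exactly the two lockfiles tracked on main instead of relying on
      # auto-discovery, so a new lockfile has to be added here deliberately.
      scan-args: |-
        --lockfile=bun.lock
        --lockfile=lib/diagram-render/bun.lock
```

Because the call is pinned to a SHA, the input names are frozen with it; confirm them against the README at the pinned revision when resolving the placeholder.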
Duplicate check performed
Inspected 200 open issues:
gh issue list --repo garrytan/gstack --state open --limit 200 --json number,title,body,labels,url,updatedAt
Inspected 200 open PRs:
gh pr list --repo garrytan/gstack --state open --limit 200 --json number,title,body,labels,url,updatedAt,headRefName,baseRefName,isDraft
Searched the inspected issue/PR title+body set for:
osv scheduled
scheduled vulnerability
vulnerability scan
full vulnerability scan
osv-scanner action
google/osv-scanner-action
code scanning vulnerability
Ran targeted GitHub searches:
"scheduled vulnerability" repo:garrytan/gstack
"vulnerability scan" repo:garrytan/gstack
"full vulnerability scan" repo:garrytan/gstack
"osv-scanner action" repo:garrytan/gstack
"google/osv-scanner-action" repo:garrytan/gstack
No exact covering issue or PR found. Adjacent non-duplicates:
CI hardening: provider API keys exposed on pull_request (evals.yml) + third-party actions pinned to mutable tags #1948
Add Dependency Review Action to block vulnerable dependency changes #1987
Add OpenSSF Scorecard workflow for recurring OSS security posture #1997
Add artifact attestations for GHCR CI images #2003
PR ci: pin actions to SHA in 8 broken workflows #2009
Commands/files inspected
README.md
CONTRIBUTING.md
docs/ADDING_A_HOST.md
docs/OPENCLAW.md
docs/skills.md
.github/workflows/skill-docs.yml
.github/workflows/evals.yml
.github/workflows/evals-periodic.yml
.github/workflows/ci-image.yml
.github/workflows/actionlint.yml
package.json
git fetch origin main --prune
git ls-tree -r --name-only origin/main .github
git ls-tree -r --name-only origin/main | egrep '(^|/)(bun.lock|package-lock.json|pnpm-lock.yaml|yarn.lock|deno.lock|go.sum|Cargo.lock)$'
git grep -n -E 'osv-scanner|OSV-Scanner|google/osv|vulnerability scan|dependency-review|semgrep|scorecard|attest-build-provenance|attestation' origin/main -- .github package.json bun.lock lib/diagram-render/bun.lock README.md CONTRIBUTING.md docs
gh repo view google/osv-scanner-action --json nameWithOwner,url,description
gh api repos/google/osv-scanner-action/readme --jq .download_url | xargs curl -fsSL
Recent merged PRs inspected by title/files:
v1.58.1.0 feat: hermetic local E2E + Conductor prose AskUserQuestion #2004
v1.58.0.0 feat: diagram + multi-format document engine (mermaid, excalidraw, single-file HTML, DOCX) #1990
v1.57.10.0 feat: Codex review default-on across review/ship/plan/docs #1966
v1.57.9.0 feat: source-clean gbrain render (dev-setup --out-dir + machine-wide gbrain-refresh) #1951
v1.57.8.0 feat: browse js/eval --out render-to-file (canonical Chromium for offline rendering) #1929
v1.57.7.0 feat: GSTACK REVIEW REPORT always declares unresolved decisions #1916
v1.57.4.0 refactor(ethos): rename Boil the Lake principle to Boil the Ocean #1912
v1.57.6.0 fix wave: 8 community bugs (4 security guards failing open) #1911
v1.57.5.0 feat: cross-session decision memory + gbrain dream-stage call graph #1910
v1.57.3.0 fix(ship): always-loaded PR-title-version rule + fork-PR title-sync backstop #1909
v1.57.2.0 feat: AskUserQuestion prose fallback when the tool fails at runtime #1908
v1.57.0.0 feat: carve-guard system + carve cso/document-release/design-consultation #1907