Scan Results

Learn how to read, interpret, and act on the results of an Ossprey scan. Every scan produces a verdict for each package in your dependency tree.


Reading a scan verdict

Click any asset on the Scan Results page to open its detailed scan output. The scan details include a project header showing the asset name and overall security status, the scan date, and a full component list of every package (dependency) found.
Each component shows the package name, version, package type (for example npm or PyPI), and its verdict:
  • Safe — no security issues detected; the package is clear based on current threat intelligence
  • Malicious — the package has been identified as potentially containing intentionally harmful code (data exfiltration, backdoors, typosquatting, etc.)


Acting on results

When a package receives a Malicious verdict:
    Identify the package — note its name, version and package type, and which projects (and which lockfiles) install it
    Assess the impact — review the verdict and work out whether the threat applies in your context: whether the package's install scripts or code actually run in CI, on developer machines or in production, and what credentials or data they could reach
    Implement a security response — the package may have been in your environment for some time before it was flagged, so establish when it arrived, treat any secrets it could have read as exposed, and follow your incident process if it ran
    Check for updates — often the fix is to upgrade to a newer version that scans as Safe
    Consider alternatives — if no safe version exists, look for a replacement package
    Update your project — upgrade or replace the affected dependency and regenerate your lockfile
    Re-scan — run a new scan to confirm the package no longer appears with a Malicious verdict
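The first and last steps above (finding every project that installs a flagged package, then confirming a fresh scan is clean) can be scripted. The following is an added example and not Ossprey's own code or export format: the JSON shape of SCAN_RESULT is an assumption, and every package name, version and lockfile in it is constructed. It matches each Malicious verdict against npm package-lock.json (lockfileVersion 2/3) and pip requirements files, reports whether the exact flagged version or some other version of the same package is installed, and checks a follow-up scan for remaining Malicious verdicts.

```python
"""Triage Malicious verdicts against the lockfiles of several projects.

Added example, not Ossprey's code: the scan-result JSON shape is assumed, and
all package names, versions and lockfiles below are constructed sample data.
"""
import json
import re

# Constructed scan output: one component per dependency with its verdict.
SCAN_RESULT = {
    "asset": "web-frontend",
    "components": [
        {"name": "lodash", "version": "4.17.21", "type": "npm", "verdict": "Safe"},
        {"name": "example-stealer", "version": "2.0.1", "type": "npm", "verdict": "Malicious"},
        {"name": "requests", "version": "2.31.0", "type": "PyPI", "verdict": "Safe"},
        {"name": "Example_Backdoor", "version": "0.4.2", "type": "PyPI", "verdict": "Malicious"},
    ],
}

# Constructed lockfiles for three projects, keyed by ecosystem.
PROJECTS = {
    "web-frontend": {
        "npm": json.dumps({"lockfileVersion": 3, "packages": {
            "": {"name": "web-frontend"},
            "node_modules/lodash": {"version": "4.17.21"},
            "node_modules/example-stealer": {"version": "2.0.1"},
        }}),
    },
    "admin-ui": {
        # Nested install: a different version pulled in transitively.
        "npm": json.dumps({"lockfileVersion": 3, "packages": {
            "": {"name": "admin-ui"},
            "node_modules/foo/node_modules/example-stealer": {"version": "1.9.0"},
        }}),
    },
    "etl-jobs": {
        "pypi": "requests==2.31.0\nexample-backdoor==0.4.2  # pinned\n",
    },
}


def normalize(name, ecosystem):
    """PyPI names are case-insensitive with '-', '_' and '.' equivalent (PEP 503); npm names are exact."""
    if ecosystem == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name


def npm_versions(lock_text):
    """Map installed name -> set of versions from a package-lock.json 'packages' table, nested installs included."""
    found = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[1]  # keeps scoped names such as @scope/pkg
        found.setdefault(name, set()).add(meta.get("version"))
    return found


def pypi_versions(req_text):
    """Map normalized name -> set of versions from '==' pins in a requirements file; comments are ignored."""
    found = {}
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if m:
            found.setdefault(normalize(m.group(1), "pypi"), set()).add(m.group(2))
    return found


PARSERS = {"npm": npm_versions, "pypi": pypi_versions}


def malicious_components(scan):
    return [c for c in scan["components"] if c["verdict"] == "Malicious"]


def find_affected(scan, projects):
    """List every project that installs a package with a Malicious verdict.

    exact=True means the flagged version itself is installed. exact=False means another
    version of the same package is present, which still needs review: a typosquat or a
    hijacked package is malicious regardless of which version you happen to have.
    """
    hits = []
    for comp in malicious_components(scan):
        eco = comp["type"].lower()
        wanted = normalize(comp["name"], eco)
        for project, files in projects.items():
            text = files.get(eco)
            if text is None:
                continue
            for installed in sorted(PARSERS[eco](text).get(wanted, ())):
                hits.append({"project": project, "package": wanted, "type": eco,
                             "installed": installed, "flagged": comp["version"],
                             "exact": installed == comp["version"]})
    return hits


def confirm_clean(scan):
    """Re-scan step: True only when the fresh scan carries no Malicious verdict."""
    return not malicious_components(scan)


if __name__ == "__main__":
    for hit in find_affected(SCAN_RESULT, PROJECTS):
        print(hit)
    print("clean:", confirm_clean(SCAN_RESULT))
```

Run it against your real lockfiles by replacing the PROJECTS text with file contents; requirements files using version ranges rather than `==` pins will not be matched by this parser, so check those by hand or against a resolved lockfile.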


Deleting scans

If you need to remove a scan, navigate to the asset details and click the delete button (trash icon). This removes the scan history from Ossprey but doesn't affect your actual project.