osv-scanner
by google
OSV-Scanner is a Go-based vulnerability scanner that identifies security issues in project dependencies using the comprehensive OSV.dev database.
Vulnerability scanner written in Go which uses the data provided by https://osv.dev
Primary Use Case
Developers and security teams use OSV-Scanner to automatically detect known vulnerabilities in their project's dependencies across multiple languages and package managers, enabling proactive vulnerability management. It is especially useful in DevSecOps pipelines to ensure continuous security monitoring and guided remediation of vulnerable packages.
- Supports multiple programming languages including C/C++, Dart, Elixir, Go, Java, JavaScript, PHP, Python, R, Ruby, and Rust
- Compatible with various package managers such as npm, pip, yarn, maven, go modules, cargo, gem, composer, and nuget
- Detects vulnerabilities in Linux OS packages and container images
- Provides guided remediation recommendations for package upgrades based on severity and fix strategy
- Uses the open and authoritative OSV.dev vulnerability database
- Integrates with the OSV-Scalibr library for extensible scanning capabilities
- Offers a CLI and serves as the official frontend to OSV.dev
- Open source with community-driven advisory improvements
Installation
- Download a prebuilt binary for your platform from the GitHub releases page: https://github.com/google/osv-scanner/releases
- Alternatively, build from source using Go: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
Usage
- osv-scanner: runs the OSV-Scanner CLI to scan a project's dependencies for known vulnerabilities
- go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest: installs the latest version of OSV-Scanner from source using Go
- Integrate OSV-Scanner into CI/CD pipelines for continuous vulnerability detection and early remediation.
- Use OSV-Scanner's guided remediation to prioritize patching based on severity and dependency impact.
- Combine OSV-Scanner results with threat intelligence feeds to enhance vulnerability context during purple team exercises.
- Leverage OSV-Scanner's multi-language support to secure polyglot applications and container images comprehensively.
- Automate vulnerability reporting workflows by integrating OSV-Scanner outputs with ticketing and incident response platforms.
Related Tools
trivy
aquasecurity/trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
nuclei
projectdiscovery/nuclei
Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
lynis
CISOfy/lynis
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
vuls
future-architect/vuls
Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
oss-fuzz
google/oss-fuzz
OSS-Fuzz - continuous fuzzing for open source software.
nuclei-templates
projectdiscovery/nuclei-templates
Community curated list of templates for the nuclei engine to find security vulnerabilities.
