// archived 2026-04-27
google

osv-scanner

Tags: Security, Vulnerability Scanning, Dependency Management, DevSecOps, Container Security

// summary

OSV-Scanner is a command-line tool that matches a project's dependencies against known vulnerabilities in the OSV.dev database. It supports a wide range of languages, package managers, and container images, and adds guided remediation and license scanning so developers can act on findings rather than merely list them.

// technical analysis

OSV-Scanner is the official command-line frontend to the OSV.dev vulnerability database, built on the OSV-Scalibr extraction library. It addresses open-source dependency risk by mapping a project's dependency inventory (lockfiles, manifests, installed packages) against OSV's authoritative, machine-readable advisory data across many languages and ecosystems. The project prioritizes accuracy and actionable output: call analysis cuts false positives by checking whether the vulnerable functions are actually reachable, and guided remediation streamlines the patching process.

// key highlights

01
Supports a vast array of languages and package managers, including C/C++, Go, Java, Python, and Rust, to ensure comprehensive coverage across modern development stacks.
02
Provides layer-aware container image scanning to detect vulnerabilities within both base images and installed OS-level or language-specific packages.
03
Includes a call analysis feature (currently for Go and Rust) that statically checks whether the vulnerable functions are reachable from the project's own code, so a vulnerable version whose affected code is never called can be deprioritized, significantly reducing false positives and developer alert fatigue.
04
Offers guided remediation (the fix subcommand) that suggests specific version upgrades, filtered by severity and dependency depth and chosen according to a fix strategy, to simplify security maintenance.
05
Enables license scanning against custom allow-lists to help teams maintain compliance with project-specific legal requirements.
06
Supports an offline scanning mode (--offline) that checks against a locally downloaded copy of the vulnerability database, so scans keep working in air-gapped or restricted network environments once the database has been fetched.

// use cases

01
Recursive scanning of source directories to identify vulnerable dependencies
02
Comprehensive container image scanning for OS packages and language artifacts
03
Guided remediation to suggest and apply package version upgrades

// getting started

To begin using OSV-Scanner, download the prebuilt binary for your platform from the official GitHub releases page or build it from source with 'go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest' (requires a Go toolchain). Once installed, run 'osv-scanner scan source -r /path/to/your/dir' to recursively discover lockfiles and manifests under that directory and report known vulnerabilities in the dependencies they pin.
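The recursive scan above is usually wrapped in a CI job that fails the build on serious findings. The following is an added example, not OSV-Scanner's own code: it runs the scan with JSON output and then gates on the report. Assumptions not stated on this page: the report shape (results[].packages[].groups[].max_severity) follows osv-scanner's --format json output as I know it; the scanner exits 1 when it finds vulnerabilities and 0 when it finds none; and every identifier and package name in SAMPLE_REPORT is a constructed placeholder, not a real advisory.

```python
"""Added example (not OSV-Scanner's own code): drive `osv-scanner scan source`
from a CI job, then gate on the JSON report it writes.

Assumptions: report shape below mirrors osv-scanner's `--format json` output
(in particular groups[].max_severity); exit 1 = findings, exit 0 = clean;
all IDs and package names in SAMPLE_REPORT are constructed placeholders.
"""
import json
import subprocess
from pathlib import Path
from typing import Optional

# Constructed sample report (placeholder IDs and package names, not real advisories).
SAMPLE_REPORT = {
    "results": [{
        "source": {"path": "/work/app/package-lock.json", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "example-lib", "version": "1.2.3", "ecosystem": "npm"},
                "vulnerabilities": [
                    {"id": "OSV-EXAMPLE-0001", "aliases": ["CVE-0000-00001"],
                     "summary": "placeholder: prototype pollution"},
                    {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-00001"],
                     "summary": "placeholder: same bug from another source"},
                ],
                # osv-scanner groups aliases of one bug so it is counted once
                "groups": [{"ids": ["OSV-EXAMPLE-0001", "GHSA-xxxx-xxxx-xxxx"],
                            "aliases": ["CVE-0000-00001"], "max_severity": "7.5"}],
            },
            {
                "package": {"name": "tiny-util", "version": "0.1.0", "ecosystem": "npm"},
                "vulnerabilities": [{"id": "OSV-EXAMPLE-0002", "aliases": [],
                                     "summary": "placeholder: ReDoS"}],
                "groups": [{"ids": ["OSV-EXAMPLE-0002"], "aliases": [], "max_severity": "3.1"}],
            },
            {
                "package": {"name": "legacy-tool", "version": "2.0.0", "ecosystem": "npm"},
                "vulnerabilities": [{"id": "OSV-EXAMPLE-0003", "aliases": [],
                                     "summary": "placeholder: no severity published"}],
                "groups": [{"ids": ["OSV-EXAMPLE-0003"], "aliases": [], "max_severity": ""}],
            },
        ],
    }]
}


def run_scan(target: str, report_path: str) -> dict:
    """Run the scanner recursively over `target` and load the JSON report it wrote.

    Exit 0 (clean) and 1 (findings, assumed) both mean the scan completed;
    any other code is a scanner failure and must not be mistaken for "no vulns".
    """
    cmd = ["osv-scanner", "scan", "source", "-r",
           "--format", "json", "--output", report_path, target]
    proc = subprocess.run(cmd, check=False)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"osv-scanner failed with exit code {proc.returncode}")
    return json.loads(Path(report_path).read_text())


def findings(report: dict) -> list:
    """Flatten the report into one record per vulnerability group (aliases deduplicated)."""
    out = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "<unknown>")
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            # Fall back to one group per vulnerability if the scanner emitted no groups.
            groups = pkg.get("groups") or [
                {"ids": [v["id"]], "aliases": v.get("aliases", []), "max_severity": ""}
                for v in pkg.get("vulnerabilities", [])
            ]
            for group in groups:
                try:
                    score: Optional[float] = float(group.get("max_severity") or "")
                except ValueError:
                    score = None  # no parseable score: unknown, deliberately not 0.0
                out.append({
                    "source": source,
                    "package": f"{meta.get('ecosystem')}/{meta.get('name')}@{meta.get('version')}",
                    "ids": list(group.get("ids", [])),
                    "aliases": list(group.get("aliases", [])),
                    "score": score,
                })
    return out


def gate(report: dict, fail_at: float = 7.0, fail_on_unknown: bool = True):
    """Return (passed, blocking_findings).

    A finding blocks when its score is at or above `fail_at`, or when it has no
    score and `fail_on_unknown` is set; silently passing unscored advisories is
    the usual way a gate like this gets quietly bypassed.
    """
    blocking = [
        f for f in findings(report)
        if (f["score"] is None and fail_on_unknown)
        or (f["score"] is not None and f["score"] >= fail_at)
    ]
    return (not blocking, blocking)


if __name__ == "__main__":
    import sys
    report = run_scan(sys.argv[1] if len(sys.argv) > 1 else ".", "osv-report.json")
    passed, blocking = gate(report)
    for f in blocking:
        print(f"BLOCK {f['package']} {','.join(f['ids'])} score={f['score']} ({f['source']})")
    sys.exit(0 if passed else 1)
```

Two design points worth keeping if you adapt this: treat only exit codes that mean "scan completed" as a result (a crashed or misconfigured scanner must fail the job, not pass it), and decide explicitly what an advisory with no published severity does to the gate rather than letting it default to zero.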