{"id":13461326,"url":"https://github.com/google/osv-scanner","last_synced_at":"2026-04-02T12:40:47.149Z","repository":{"id":63272000,"uuid":"565629124","full_name":"google/osv-scanner","owner":"google","description":"Vulnerability scanner written in Go which uses the data provided by https://osv.dev","archived":false,"fork":false,"pushed_at":"2025-05-01T07:19:58.000Z","size":14825,"stargazers_count":7376,"open_issues_count":135,"forks_count":420,"subscribers_count":65,"default_branch":"main","last_synced_at":"2025-05-06T18:40:10.328Z","etag":null,"topics":["scanner","security-audit","security-tools","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://google.github.io/osv-scanner/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":"docs/supported_languages_and_lockfiles.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-11-14T01:05:20.000Z","updated_at":"2025-05-06T07:07:46.000Z","dependencies_parsed_at":"2023-09-29T05:43:51.589Z","dependency_job_id":"4b3606ee-533f-403e-9e4e-a41a10b22ceb","html_url":"https://github.com/google/osv-scanner","commit_stats":{"total_commits":835,"total_committers":66,"mean_commits":"12.651515151515152","dds":0.7652694610778443,"last_synced_commit":"1856adda556e99a5aec08d99c9ae9b028ddc8b6d"},"previous_names":[],"tags_count":46,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fosv-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fosv-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fosv-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fosv-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/osv-scanner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254020473,"owners_count":22000750,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["scanner","security-audit","security-tools","vulnerability-scanner"],"created_at":"2024-07-31T11:00:34.517Z","updated_at":"2026-02-12T02:17:26.658Z","avatar_url":"https://github.com/google.png","language":"Go","readme":"\u003cpicture\u003e\n    \u003csource srcset=\"/docs/images/osv-scanner-full-logo-darkmode.svg\"  media=\"(prefers-color-scheme: dark)\"\u003e\n    \u003c!-- markdown-link-check-disable-next-line --\u003e\n    \u003cimg src=\"/docs/images/osv-scanner-full-logo-lightmode.svg\"\u003e\n\u003c/picture\u003e\n\n---\n\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/google/osv-scanner/badge)](https://scorecard.dev/viewer/?uri=github.com/google/osv-scanner)\n[![Go Report Card](https://goreportcard.com/badge/github.com/google/osv-scanner)](https://goreportcard.com/report/github.com/google/osv-scanner)\n[![codecov](https://codecov.io/gh/google/osv-scanner/graph/badge.svg?token=C8IDVX9LP5)](https://codecov.io/gh/google/osv-scanner)\n[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)\n[![GitHub Release](https://img.shields.io/github/v/release/google/osv-scanner)](https://github.com/google/osv-scanner/releases)\n\nUse OSV-Scanner to find existing vulnerabilities affecting your project's dependencies.\nOSV-Scanner provides an officially supported frontend to the [OSV database](https://osv.dev/) and CLI interface to [OSV-Scalibr](https://github.com/google/osv-scalibr) that connects a project’s list of dependencies with the vulnerabilities that affect them.\n\nOSV-Scanner supports a wide range of project types, package managers and features, including but not limited to:\n\n- **Languages:** C/C++, Dart, Elixir, Go, Java, Javascript, PHP, Python, R, Ruby, Rust.\n- **Package Managers:** npm, pip, yarn, maven, go modules, cargo, gem, composer, nuget and others.\n- **Operating Systems:** Detects vulnerabilities in OS packages on Linux systems.\n- **Containers:** Scans container images for vulnerabilities in their base images and included packages.\n- **Guided Remediation:** Provides recommendations for package version upgrades based on criteria such as dependency depth, minimum severity, fix strategy, and return on investment.\n\nOSV-Scanner uses the extensible [OSV-Scalibr](https://github.com/google/osv-scalibr) library under the hood to provide this functionality. If a language or package manager is not supported currently, please file a [feature request.](https://github.com/google/osv-scanner/issues)\n\n#### Underlying database\n\nThe underlying database, [OSV.dev](https://osv.dev/) has several benefits in comparison with closed source advisory databases and scanners:\n\n- Covering most open source language and OS ecosystems (including [Git](https://osv.dev/list?q=\u0026ecosystem=GIT)), it’s comprehensive.\n- Each advisory comes from an open and authoritative source (e.g. [GitHub Security Advisories](https://github.com/github/advisory-database), [RustSec Advisory Database](https://github.com/rustsec/advisory-db), [Ubuntu security notices](https://github.com/canonical/ubuntu-security-notices/tree/main/osv))\n- Anyone can suggest improvements to advisories, resulting in a very high quality database.\n- The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages\n\nThe above all results in accurate and actionable vulnerability notifications, which reduces the time needed to resolve them. Check out [OSV.dev](https://osv.dev/) for more details!\n\n## Basic installation\n\nTo install OSV-Scanner, please refer to the [installation section](https://google.github.io/osv-scanner/installation) of our documentation. OSV-Scanner releases can be found on the [releases page](https://github.com/google/osv-scanner/releases) of the GitHub repository. The recommended method is to download a prebuilt binary for your platform. Alternatively, you can use\n`go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest` to build it from source.\n\n## Key Features\n\nFor more information, please read our [detailed documentation](https://google.github.io/osv-scanner) to learn how to use OSV-Scanner. For detailed information about each feature, click their titles in this README.\n\nPlease note: These are the instructions for the latest OSV-Scanner V2 beta. If you are using V1, checkout the V1 [README](https://github.com/google/osv-scanner-v1) and [documentation](https://google.github.io/osv-scanner-v1/) instead.\n\n### [Scanning a source directory](https://google.github.io/osv-scanner/usage)\n\n```bash\n$ osv-scanner scan source -r /path/to/your/dir\n```\n\nThis command will recursively scan the specified directory for any supported package files, such as `package.json`, `go.mod`, `pom.xml`, etc. and output any discovered vulnerabilities.\n\nOSV-Scanner has the option of using call analysis to determine if a vulnerable function is actually being used in the project, resulting in fewer false positives, and actionable alerts.\n\nOSV-Scanner can also detect vendored C/C++ code for vulnerability scanning. See [here](https://google.github.io/osv-scanner/usage/#cc-scanning) for details.\n\n#### Supported Lockfiles\n\nOSV-Scanner supports 11+ language ecosystems and 19+ lockfile types. To check if your ecosystem is covered, please check out our [detailed documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#supported-lockfiles).\n\n### [Container Scanning](https://google.github.io/osv-scanner/usage/scan-image)\n\nOSV-Scanner also supports comprehensive, layer-aware scanning for container images to detect vulnerabilities the following operating system packages and language-specific dependencies.\n\n| Distro Support | Language Artifacts Support |\n| -------------- | -------------------------- |\n| Alpine OS      | Go                         |\n| Debian         | Java                       |\n| Ubuntu         | Node                       |\n|                | Python                     |\n\nSee the [full documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#supported-artifacts) for details on support.\n\n**Usage**:\n\n```bash\n$ osv-scanner scan image my-image-name:tag\n```\n\n![screencast of html output of container scanning](https://github.com/user-attachments/assets/8bb95366-27ec-45d1-86ed-e42890f2fb46)\n\n### [License Scanning](https://google.github.io/osv-scanner/usage/license-scanning/)\n\nCheck your dependencies' licenses using deps.dev data. For a summary:\n\n```bash\nosv-scanner --licenses path/to/repository\n```\n\nTo check against an allowed license list (SPDX format):\n\n```bash\nosv-scanner --licenses=\"MIT,Apache-2.0\" path/to/directory\n```\n\n### [Offline Scanning](https://google.github.io/osv-scanner/usage/offline-mode/)\n\nScan your project against a local OSV database. No network connection is required after the initial database download. The database can also be manually downloaded.\n\n```bash\nosv-scanner --offline --download-offline-databases ./path/to/your/dir\n```\n\n### [Guided Remediation](https://google.github.io/osv-scanner/experimental/guided-remediation/) (Experimental)\n\nOSV-Scanner provides guided remediation, a feature that suggests package version upgrades based on criteria such as dependency depth, minimum severity, fix strategy, and return on investment.\nWe currently support remediating vulnerabilities in the following files:\n\n| Ecosystem | File Format (Type)             | Supported Remediation Strategies                                                                                  |\n| :-------- | :----------------------------- | :---------------------------------------------------------------------------------------------------------------- |\n| npm       | `package-lock.json` (lockfile) | [`in-place`](https://google.github.io/osv-scanner/experimental/guided-remediation/#in-place-lockfile-remediation) |\n| npm       | `package.json` (manifest)      | [`relock`](https://google.github.io/osv-scanner/experimental/guided-remediation/#in-place-lockfile-remediation)   |\n| Maven     | `pom.xml` (manifest)           | [`override`](https://google.github.io/osv-scanner/experimental/guided-remediation/#override-dependency-versions)  |\n\nThis is available as a headless CLI command, as well as an interactive mode.\n\n#### Example (for npm)\n\n```bash\n$ osv-scanner fix \\\n    --max-depth=3 \\\n    --min-severity=5 \\\n    --ignore-dev  \\\n    --strategy=in-place \\\n    -L path/to/package-lock.json\n```\n\n#### Interactive mode (for npm)\n\n```bash\n$ osv-scanner fix \\\n    -M path/to/package.json \\\n    -L path/to/package-lock.json\n```\n\n\u003cimg src=\"https://google.github.io/osv-scanner/images/guided-remediation-relock-patches.png\" alt=\"Screenshot of the interactive relock results screen with some relaxation patches selected\"\u003e\n\n## Data Sources and Privacy\n\nOSV-Scanner communicates with the following external services during operation:\n\n### [OSV.dev API](https://osv.dev/)\n\nThe primary data source for vulnerability information. OSV-Scanner queries this API to check packages for known vulnerabilities and to identify vendored C/C++ dependencies. Data sent includes package names, versions, ecosystems, and file hashes. Use [`--offline` mode](https://google.github.io/osv-scanner/usage/offline-mode/) to disable network requests and scan against a local database instead.\n\n### [deps.dev API](https://docs.deps.dev/api/)\n\nUsed for supplementary package information:\n\n- **Dependency resolution**: Resolves dependency graphs for vulnerability scanning and remediation\n- **Container image scanning**: Queries container image metadata for vulnerability detection\n- **License scanning** (`--licenses` flag): Retrieves license information for packages\n- **Package deprecation**: Checks if packages are deprecated\n\nData sent includes package names, versions, and ecosystems. No source code is transmitted.\n\n### Package Registries\n\nWhen using native registry for dependency resolution (instead of deps.dev), OSV-Scanner may query:\n\n| Registry      | URL                            | Used For                             |\n| ------------- | ------------------------------ | ------------------------------------ |\n| Maven Central | `repo.maven.apache.org/maven2` | Maven package metadata and POM files |\n| npm Registry  | `registry.npmjs.org`           | npm package metadata                 |\n| PyPI          | `pypi.org`                     | Python package metadata              |\n\n## Contribute\n\n### Report Problems\n\nIf you have what looks like a bug, please use the [GitHub issue tracking system](https://github.com/google/osv-scanner/issues). Before you file an issue, please search existing issues to see if your issue is already covered.\n\n### Contributing code to `osv-scanner`\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for documentation on how to contribute code.\n\n## Star History\n\n[![Star History Chart](https://api.star-history.com/svg?repos=google/osv-scanner\u0026type=Date)](https://www.star-history.com/#google/osv-scanner\u0026Date)\n","funding_links":[],"categories":["Go",":man_technologist: Hacking \u0026 Forensics Tools","Dependency intelligence","Software Composition Analysis","Application Security","📋 Table of Contents","vulnerability-scanner","Official projects","Weapons","漏洞扫描","Software Composition Analysis (SCA)"],"sub_categories":["System Utility","Vulnerability information exchange","SCA","Open Source SCA Tools","Repositories","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fosv-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fosv-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fosv-scanner/lists"}