{"id":37768308,"url":"https://github.com/google/osv-scanner-action","last_synced_at":"2026-02-12T02:20:14.112Z","repository":{"id":214275967,"uuid":"736073144","full_name":"google/osv-scanner-action","owner":"google","description":null,"archived":false,"fork":false,"pushed_at":"2025-12-17T04:47:12.000Z","size":1396,"stargazers_count":59,"open_issues_count":7,"forks_count":28,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-01-10T21:50:24.921Z","etag":null,"topics":["github-actions","osv","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"https://google.github.io/osv-scanner/github-action/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-12-26T23:06:54.000Z","updated_at":"2026-01-04T09:54:30.000Z","dependencies_parsed_at":"2023-12-27T05:19:19.196Z","dependency_job_id":"9cb9b373-f9b4-4abf-b929-aaf6e0e7f838","html_url":"https://github.com/google/osv-scanner-action","commit_stats":null,"previous_names":["google/osv-scanner-action"],"tags_count":26,"template":false,"template_full_name":null,"purl":"pkg:github/google/osv-scanner-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fosv-scanner-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fosv-scanner-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/google%2Fosv-scanner-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fosv-scanner-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/osv-scanner-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fosv-scanner-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28479402,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","osv","vulnerability-scanners"],"created_at":"2026-01-16T14:49:12.517Z","updated_at":"2026-02-12T02:20:14.105Z","avatar_url":"https://github.com/google.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OSV-Scanner CI/CD Action\n\n[![Release v2.3.3](https://img.shields.io/badge/release-v2.3.3-blue?style=flat)](https://github.com/google/osv-scanner-action/releases)\n\u003c!-- Hard coded release version --\u003e\n\nThe OSV-Scanner CI/CD action leverages the [OSV.dev](https://osv.dev/) database and the [OSV-Scanner](https://google.github.io/osv-scanner/) CLI tool to track and notify you of known 
vulnerabilities in your dependencies for over 11 [languages and ecosystems](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/).\n\nWe currently offer two different reusable workflows for GitHub:\n\n1. A workflow that triggers a scan with each [pull request](https://google.github.io/osv-scanner/github-action/#scan-on-pull-request) and will only report new vulnerabilities introduced through the pull request.\n2. A workflow that performs a full vulnerability scan, which can be configured to scan on pushes or a [regular schedule](https://google.github.io/osv-scanner/github-action/#scheduled-scans). The full vulnerability scan can also be configured to run [on release](https://google.github.io/osv-scanner/github-action/#scan-on-release) to prevent releasing with known vulnerabilities in dependencies.\n\nCurrently there are no prebuilt workflows for other platforms, but we welcome any contributions for this!\n\n### Scheduled scan\nRegularly scanning your project for vulnerabilities can alert you to new vulnerabilities in your dependency tree. The scheduled scan will scan your project on a set schedule or when a new commit is pushed, and report all known vulnerabilities. If vulnerabilities are found, they will be reported to the \"Code scanning\" page.\n\n|                        OSV-Scanner Code Scanning Results                         |                                 Code Scanning Detailed Entry                                  |\n| :------------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------: |\n| ![Image of results in code scanning tab](images/github-action-code-scanning.png) | ![Image of details of a specific code scanning entry](images/github-action-code-details.png)  |\n\n### Scan on pull request\nScanning your project on each pull request can help you keep vulnerabilities out of your project. 
The pull request scan compares a vulnerability scan of the target branch to a vulnerability scan of the feature branch, and will fail if there are new vulnerabilities introduced through the feature branch. You may choose to [prevent merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) if new vulnerabilities are introduced, but by default the check will only warn users.\n\n|                                                 OSV-Scanner PR Check Failing                                                  |                         PR Scanning Check Output                          |\n| :---------------------------------------------------------------------------------------------------------------------------: | :-----------------------------------------------------------------------: |\n| ![Screenshot of PR introducing a vulnerable dependency, and osv-scanner blocking check](images/github-action-PR-scanning.png) | ![Screenshot of osv-scanner output](images/github-action-scan-output.png) |\n\n## Installation\n\nThe OSV-Scanner GitHub Action can be [automatically](#automatic-installation) or [manually](#manual-installation) installed.\n\n### Automatic installation\n\n1) From your GitHub project's main page, click the “Actions” tab in the navigation bar.\n\n![Select the actions tab on the repository navigation bar.](./images/actions-tab.png)\n\n2) (If you already have existing workflows) Select \"New Workflow\" on the top left.\n\n3) Search for \"OSV\".\n\n![Image shows the GitHub Actions search bar.](./images/osv-scanner-search.png)\n\n4) Choose \"OSV Scanner\" from the list of workflows, and then click “Configure”.\n\n![Image shows the OSV Scanner workflow after searching.](./images/osv-scanner-configure.png)\n\n5) Configure the workflow.\n\nThe automatically installed GitHub Action includes functionality for both a [scheduled 
scan](#scheduled-scan) and a [scan on pull request](#scan-on-pull-request).\n\nIf you only want a scheduled scan, you can comment out the \"scan-pr\" job and only run the action on \"schedule\" and on \"push\".\n\nIf you only want to run a scan on pull request, you can comment out the \"scan-scheduled\" job and only run the action on \"pull request\" and \"merge group\".\n\nIf you want both, you can leave the action as is. If you want these two scans to be tracked separately, we recommend following the [manual installation instructions](#manual-installation).\n\n6) Commit the changes.\n\n### Manual installation\n\nTo manually install the CI/CD Action for GitHub, please follow the instructions on our [main documentation page](https://google.github.io/osv-scanner/github-action/).\n\n## Customization\n\nTo learn more about optional inputs for the GitHub Action, please see our [main documentation page](https://google.github.io/osv-scanner/github-action/#customization).\n\n## View results\n\nMaintainers can review the results of scheduled scans by navigating to their project's `Security \u003e Code Scanning` tab. Vulnerability details can also be viewed by clicking on the details of the failed action.\n\nFor pull request scans, results may be viewed by clicking on the details of the failed action, either from your project's Actions tab or directly on the PR. Results are also included in GitHub annotations on the \"Files changed\" tab for the PR.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fosv-scanner-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fosv-scanner-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fosv-scanner-action/lists"}