

Comprehensive vulnerability scanner for code, containers, and licenses
OSV-Scanner scans source code, container images, and OS packages across 20+ ecosystems, offering offline mode, license checks, and guided remediation to quickly identify and fix known vulnerabilities.

OSV-Scanner is a fast, Go-based CLI tool designed for developers, security engineers, and CI/CD pipelines that need reliable vulnerability data across a wide range of languages, package managers, and operating systems. It queries the open OSV.dev database, so advisories come from authoritative sources such as GitHub Security Advisories and Ubuntu security notices.
The scanner can recursively analyze source directories, detect whether vulnerable functions are actually reachable through call analysis, and scan container images with layer-aware detection of OS and language artifacts. It also produces license compliance reports from deps.dev data and includes an experimental guided remediation engine that suggests version upgrades based on dependency depth, severity, and return on investment. Offline scanning is supported after an initial database download, which makes it suitable for air-gapped environments. Integration is straightforward: a single binary or a `go install` command adds software composition analysis (SCA) to any build workflow.
CI pipeline integration: automatically fail builds when high-severity vulnerabilities are detected in dependencies.
Container image hardening: identify OS and language package risks in base images before publishing to registries.
License compliance audit: generate SPDX-compatible reports of all licenses used in a codebase.
Offline security review: scan air-gapped repositories using a cached OSV database without network connectivity.
Where does OSV-Scanner get its vulnerability data?
It queries the OSV.dev database, which aggregates advisories from open sources like GitHub Security Advisories, RustSec, and Ubuntu security notices.
Can OSV-Scanner run without network access?
Yes. After downloading the OSV database once, you can use the `--offline` flag to scan locally.
Which languages and package managers are supported?
Supported languages include C/C++, Dart, Elixir, Go, Java, JavaScript, PHP, Python, R, Ruby, Rust, and more. Package managers such as npm, pip, Maven, Cargo, Gem, Composer, NuGet, and others are covered.
What does guided remediation do?
The feature analyzes vulnerable dependencies and suggests version upgrades based on criteria like dependency depth, minimum severity, fix strategy, and return on investment.
Is OSV-Scanner suitable for CI/CD pipelines?
Yes. It runs as a single binary, can be scripted in pipelines, and supports both online and offline modes.