
OSV-Scanner

Comprehensive vulnerability scanner for code, containers, and licenses

OSV-Scanner scans source code, container images, and OS packages across 20+ ecosystems, offering offline mode, license checks, and guided remediation to quickly identify and fix known vulnerabilities.


Overview

OSV-Scanner is a fast, Go‑based CLI tool designed for developers, security engineers, and CI/CD pipelines that need reliable vulnerability data across a wide range of languages, package managers, and operating systems. It leverages the open OSV.dev database, ensuring advisories come from authoritative sources such as GitHub Security Advisories and Ubuntu notices.

Capabilities

The scanner recursively analyzes source directories and lockfiles, performs call analysis (for Go and Rust) to report only vulnerable functions that are actually reachable from the code, and scans container images with layer‑aware detection of OS and language artifacts, so a finding can be traced to the layer that introduced it. It also produces license compliance reports from deps.dev data and offers an experimental guided remediation engine that proposes version upgrades ranked by dependency depth, severity, and return on investment. Offline scanning works after an initial database download, which suits air‑gapped environments as long as the cached database is refreshed regularly. Integration is straightforward: a single binary or a go install command adds SCA functionality to any build workflow.

Highlights

Supports 20+ language ecosystems and 19+ lockfile types
Layer‑aware container image scanning for OS and language packages
Guided remediation suggests version upgrades based on severity and ROI
Offline mode enables scanning without network after initial DB download

Pros

  • Broad language and package manager coverage
  • Accurate, open OSV.dev data from authoritative sources
  • Call analysis (Go and Rust) reports only vulnerable functions that are actually reachable, reducing false positives
  • Lightweight Go binary integrates easily into CI pipelines

Considerations

  • Guided remediation is still experimental
  • Initial database download required for offline use
  • Complex configuration may overwhelm beginners
  • Container scanning limited to listed distros and languages

Managed products teams compare with

When teams consider OSV-Scanner, these hosted platforms usually appear on the same shortlist. Note that all three are web application (DAST) scanners: they probe a running site for flaws such as injection, whereas OSV-Scanner checks declared dependencies and container packages against known advisories, so they complement rather than replace it.


Acunetix

Web vulnerability scanner for automated security testing of websites and web apps


AppCheck

Automated web application and infrastructure vulnerability scanning platform


Burp Suite

Web application security testing platform

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Dev teams needing continuous vulnerability checks across code and containers
  • Security engineers requiring open, auditable advisory data
  • CI/CD pipelines that can run a lightweight Go binary
  • Projects that must verify license compliance

Not ideal when

  • Environments without internet access and no pre‑downloaded database
  • Teams that need full SAST code analysis beyond dependency checks
  • Organizations requiring commercial support guarantees
  • Projects using unsupported or niche package managers

How teams use it

CI pipeline integration

Run the scanner on every build and fail the job when vulnerable dependencies are found. OSV-Scanner exits with code 1 whenever it reports any vulnerability, so gating on severity alone means emitting `--format json` and checking the reported scores in a follow‑up step.

Container image hardening

Identify OS and language package risks in base images before publishing to registries.

License compliance audit

List the SPDX license identifier of every dependency (sourced from deps.dev) and, when `--licenses` is given an allowlist, flag packages whose license is not permitted.

Offline security review

Scan air‑gapped repositories using a cached OSV database without network connectivity.
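A severity gate covering the CI pipeline and offline review uses described above, added here as an example rather than code from the OSV-Scanner project. It assumes OSV-Scanner v2's `scan source`, `--format json`, `--output`, `--offline` and `--local-db-path` flags, the documented JSON report shape in which each package carries `groups[]` with a `max_severity` CVSS score, and a constructed sample report with placeholder package names and IDs.

```python
"""Severity gate for OSV-Scanner JSON output.

Added example for this page, not code from the OSV-Scanner project. The flags
in build_scan_command() are real OSV-Scanner v2 flags and the report shape
follows OSV-Scanner's JSON format; SAMPLE_REPORT is constructed (placeholder
package names, IDs and scores, not real advisories).
"""
import json
import subprocess
import sys


def build_scan_command(target, output_path, offline=False, db_path=None):
    """argv for `osv-scanner scan source` writing a JSON report.

    With offline=True the scan reads a database fetched earlier with
    --download-offline-databases (optionally stored under --local-db-path),
    so the CI job needs no network for the scan itself.
    """
    cmd = ["osv-scanner", "scan", "source", "-r", target,
           "--format", "json", "--output", output_path]
    if offline:
        cmd.append("--offline")
        if db_path:
            cmd += ["--local-db-path", db_path]
    return cmd


def findings(report):
    """Flatten a report into (ecosystem, name, version, ids, score) tuples.

    OSV-Scanner groups aliases of one issue (a GHSA and its CVE, say) under
    results[].packages[].groups[] and sets `max_severity` to the highest CVSS
    base score as a string; the key is absent when no advisory has a score.
    """
    rows = []
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            info = pkg["package"]
            for group in pkg.get("groups", []):
                raw = group.get("max_severity")
                score = float(raw) if raw not in (None, "") else None
                rows.append((info["ecosystem"], info["name"],
                             info["version"], tuple(group["ids"]), score))
    return rows


def should_fail(report, threshold, fail_on_unscored=True):
    """Gate decision: any group scoring at or above threshold fails the build.

    Unscored groups are unknown risk, not zero risk, so they fail by default;
    pass fail_on_unscored=False to let them through.
    """
    for _, _, _, _, score in findings(report):
        if score is None:
            if fail_on_unscored:
                return True
        elif score >= threshold:
            return True
    return False


# Constructed sample in OSV-Scanner's JSON shape; IDs are placeholders.
SAMPLE_REPORT = {
    "results": [{
        "source": {"path": "/src/app/package-lock.json", "type": "lockfile"},
        "packages": [
            {"package": {"name": "example-http", "version": "1.2.3",
                         "ecosystem": "npm"},
             "groups": [{"ids": ["GHSA-0000-0000-0001"], "aliases": [],
                         "max_severity": "7.5"}]},
            {"package": {"name": "example-yaml", "version": "0.9.0",
                         "ecosystem": "npm"},
             "groups": [{"ids": ["GHSA-0000-0000-0002"], "aliases": [],
                         "max_severity": "3.1"},
                        {"ids": ["GHSA-0000-0000-0003"], "aliases": []}]},
        ],
    }]
}


def run_gate(target, threshold, offline=False, db_path=None):
    """Run the scanner and return a CI exit status.

    OSV-Scanner exits 0 when clean and 1 when it found vulnerabilities (the
    JSON report is still written); any other code means the scan itself
    failed and must not be mistaken for a clean result.
    """
    out = "osv.json"
    proc = subprocess.run(build_scan_command(target, out, offline, db_path))
    if proc.returncode not in (0, 1):
        print(f"osv-scanner failed with exit code {proc.returncode}")
        return 2
    with open(out) as fh:
        report = json.load(fh)
    for eco, name, version, ids, score in findings(report):
        print(f"{eco}/{name}@{version}: {', '.join(ids)} (score {score})")
    return 1 if should_fail(report, threshold) else 0


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    sys.exit(run_gate(target, threshold, offline="--offline" in sys.argv))
```

Invoke it as `python severity_gate.py ./repo 7.0` (add `--offline` after a database download for air‑gapped runners). The gate deliberately treats an unscored advisory as a failure and a non‑zero, non‑1 scanner exit as a pipeline error, which are the two ways a naive "exit code is 0" check silently passes a bad build.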

Tech snapshot

Go 93%
Python 3%
JavaScript 1%
CSS 1%
Java 1%
PHP 1%

Tags

scanner, vulnerability-scanner, security-tools, security-audit

Frequently asked questions

How does OSV-Scanner obtain vulnerability data?

It queries the OSV.dev database, which aggregates advisories from open sources like GitHub Security Advisories, RustSec, and Ubuntu security notices.

Can I run scans without an internet connection?

Yes. Fetch the database once with `--download-offline-databases` (stored under `--local-db-path` if given), then pass `--offline` on later scans. Findings are only as current as the last download, so refresh the cache on a schedule.

What languages and package managers are supported?

Supported languages include C/C++, Dart, Elixir, Go, Java, JavaScript, PHP, Python, R, Ruby, Rust, and more. Package managers such as npm, pip, Maven, Cargo, Gem, Composer, NuGet, and others are covered.

How does guided remediation work?

The feature analyzes vulnerable dependencies and suggests version upgrades based on criteria like dependency depth, minimum severity, fix strategy, and return on investment.

Is OSV-Scanner suitable for CI/CD environments?

Yes. It runs as a single binary, can be scripted in pipelines, and supports both online and offline modes.

Project at a glance

Active
Stars: 8,366
Watchers: 8,366
Forks: 516
License: Apache-2.0
Repo age: 3 years old
Last commit: 12 hours ago
Primary language: Go

Last synced 12 hours ago