OSV-Scanner: Google’s Open Source Vulnerability Scanner
OSV-Scanner is Google’s officially supported frontend to the OSV database that connects your project’s dependencies with the vulnerabilities that affect them. Built on the extensible OSV-Scalibr library, it provides comprehensive vulnerability detection across languages, package managers, containers, and operating systems.
Why OSV-Scanner?
Traditional vulnerability scanners rely on closed-source advisory databases with ambiguous version ranges. OSV-Scanner takes a different approach by leveraging the OSV.dev database, which provides:
- Comprehensive coverage across most open source language and OS ecosystems
- Open and authoritative sources including GitHub Security Advisories, RustSec, and Ubuntu security notices
- Machine-readable format that precisely maps affected versions to your packages
- Community-driven quality where anyone can suggest improvements to advisories
The result is accurate, actionable vulnerability notifications that reduce the time needed to resolve them.
Key Features
Multi-Language Dependency Scanning
OSV-Scanner supports a wide range of ecosystems:
- Languages: C/C++, Dart, Elixir, Go, Java, JavaScript, PHP, Python, R, Ruby, Rust
- Package Managers: npm, pip, yarn, Maven, Go modules, Cargo, Gem, Composer, NuGet, and more
- Lockfiles: 19+ lockfile types supported out of the box
Source Directory Scanning
osv-scanner scan source -r /path/to/your/dir
This recursively scans the specified directory for any supported package files (package.json, go.mod, pom.xml, etc.) and reports discovered vulnerabilities. OSV-Scanner also supports call analysis to determine if a vulnerable function is actually used in your project, reducing false positives.
Container Image Scanning
osv-scanner scan image my-image-name:tag
OSV-Scanner provides comprehensive, layer-aware scanning for container images, detecting vulnerabilities in OS packages (Alpine, Debian, Ubuntu) and language-specific dependencies (Go, Java, Node, Python).
License Compliance
osv-scanner --licenses path/to/repository
osv-scanner --licenses="MIT,Apache-2.0" path/to/directory
Check your dependencies’ licenses using deps.dev data. Verify compliance against an allowed license list in SPDX format.
Offline Mode
osv-scanner --offline --download-offline-databases ./path/to/your/dir
Scan your project against a local OSV database with no network connection required after the initial download.
Scanning Workflow
The scanning process follows a clear pipeline:
- Start Scan - Point OSV-Scanner at your source directory, container image, or lockfiles
- Detect Package Managers - Automatically identifies which package managers and ecosystems are in use
- Extract Dependencies - Parses lockfiles and manifests to build a complete dependency graph
- Call Analysis (Optional) - Determines if vulnerable functions are actually called in your codebase
- Query OSV.dev Database - Matches your dependencies against the comprehensive vulnerability database
- Match Vulnerabilities - Identifies which vulnerabilities actually affect your project
- Generate Reports - Output in SARIF, table, or HTML format
- Guided Remediation - Get actionable upgrade recommendations
Guided Remediation
OSV-Scanner’s guided remediation feature suggests package version upgrades based on:
- Dependency depth (--max-depth) - Control how deep in the dependency tree to remediate
- Minimum severity (--min-severity) - Focus on the most critical vulnerabilities first
- Fix strategy - Choose between in-place lockfile fixes, relock manifest updates, or version overrides
Currently supported remediation strategies:
| Ecosystem | File Format | Strategy |
|---|---|---|
| npm | package-lock.json (lockfile) | In-place |
| npm | package.json (manifest) | Relock |
| Maven | pom.xml (manifest) | Override |
Interactive mode provides a guided experience for selecting which patches to apply:
osv-scanner fix -M path/to/package.json -L path/to/package-lock.json
Data Sources and Privacy
OSV-Scanner communicates with two primary external services:
- OSV.dev API - The primary vulnerability data source. Sends package names, versions, ecosystems, and file hashes. Use --offline mode to disable network requests entirely.
- deps.dev API - Used for dependency resolution, container scanning metadata, license information, and package deprecation checks. Sends package names, versions, and ecosystems. No source code is transmitted.
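To make the extract, query and match steps of the scanning workflow concrete, and to show exactly what the data-sources description says leaves the machine, here is an added Python example (not OSV-Scanner's own code): it parses a constructed package-lock.json, builds a request body in the shape the OSV.dev querybatch endpoint accepts without sending it, and evaluates OSV SEMVER ranges against a constructed advisory with a placeholder id.

```python
import json
# Constructed sample inputs (not real data): an npm package-lock.json v3 and one OSV-format advisory.
PACKAGE_LOCK = json.dumps({"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.2.0"},
    "node_modules/tiny-lib": {"version": "2.5.1"}}})
ADVISORIES = [{"id": "OSV-EXAMPLE-0001",  # placeholder id, not a real advisory
    "affected": [{"package": {"ecosystem": "npm", "name": "tiny-lib"},
                  "ranges": [{"type": "SEMVER", "events": [
                      {"introduced": "2.0.0"}, {"fixed": "2.6.0"}]}]}]}]

def semver_key(v):
    # Numeric dotted-version comparison key; ignores pre-release tags.
    return tuple(int(x) for x in v.split("-")[0].split("."))

def extract_npm(lock_text):
    """Extract step: (name, version) pairs from a package-lock.json v3."""
    packages = json.loads(lock_text)["packages"]
    return [(path.rsplit("node_modules/", 1)[1], info["version"])
            for path, info in packages.items() if path != ""]

def querybatch_payload(deps, ecosystem="npm"):
    """Query step: OSV.dev querybatch request body (names, versions, ecosystems only)."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in deps]}

def in_range(version, events):
    """OSV SEMVER semantics: an 'introduced' event opens an affected window
    ("0" = from the first version) and the next 'fixed' event closes it."""
    v, affected = semver_key(version), False
    for ev in events:  # events are listed in ascending version order
        if "introduced" in ev and (ev["introduced"] == "0" or semver_key(ev["introduced"]) <= v):
            affected = True
        elif "fixed" in ev and affected and semver_key(ev["fixed"]) <= v:
            affected = False
    return affected

def match(deps, advisories, ecosystem="npm"):
    """Match step: which advisories actually affect the extracted dependencies."""
    findings = []
    for name, version in deps:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] == ecosystem and pkg["name"] == name and any(
                        in_range(version, r["events"]) for r in aff["ranges"]
                        if r["type"] == "SEMVER"):
                    findings.append({"package": name, "version": version, "id": adv["id"]})
    return findings
```

Running `match(extract_npm(PACKAGE_LOCK), ADVISORIES)` flags only tiny-lib 2.5.1, because it falls inside the advisory's introduced/fixed window while left-pad is not listed at all.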
Getting Started
Install OSV-Scanner from the releases page or build from source:
go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
Then scan your project:
osv-scanner scan source -r /path/to/your/project
Links
- GitHub: google/osv-scanner
- Documentation: google.github.io/osv-scanner
- OSV Database: osv.dev
- OSV-Scalibr: google/osv-scalibr
OSV-Scanner is developed by Google and licensed under the Apache License 2.0. The OSV database is a community-driven open vulnerability database.