osv.dev
osv.dev is Google's open-source vulnerability database and triage service that aggregates security vulnerability data from multiple sources (NVD, PyPI, Alpine, Debian, etc.). It provides a REST API, web UI, and Go-based scanner tool to help teams identify and manage known vulnerabilities in their dependencies.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | google/osv.dev |
| Owner | |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 2.8k |
| Forks | 337 |
| Open issues | 184 |
| Latest release | v0.1.3 (2026-04-22) |
| Last updated | 2026-07-08 |
| Source | https://github.com/google/osv.dev |
What osv.dev is
Built in Go with Python components, osv.dev runs on GCP using Terraform, Cloud Build, and Cloud Functions. It indexes vulnerabilities across multiple ecosystems, offers protocol-buffer APIs, supports SBOM scanning (SPDX, CycloneDX), and includes workers for bisection and impact analysis. Data is available via public GCS dumps and a live API endpoint.
Get the osv.dev source
Clone the repository and explore it locally.
git clone https://github.com/google/osv.dev.gitcd osv.dev# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Git submodule checkout and multi-language environment setup (Go, Python, Node.js for frontend); Docker-based CI tooling provided but local dev setup is non-trivial.
- API and database schema are versioned via protobuf; plan for schema migration if deploying locally or extending the data model.
- Scanner tool (osv-scanner) lives in a separate repository; keep both repos in sync if relying on latest features or bug fixes.
- Data freshness depends on upstream feed update frequency (NVD, PyPI, distro repositories); not guaranteed real-time, verify acceptable latency for your risk model.
- GCP deployment uses Terraform; on-premise or multi-cloud deployment requires translating infrastructure-as-code to your platform (Kubernetes, other clouds).
When to avoid it — and what to weigh
- Proprietary/Closed-Source Vulnerability Feeds Required — osv.dev aggregates public sources only. If your organization requires commercial threat intelligence or zero-day vulnerability feeds, this will not replace those services.
- Real-Time Vulnerability Detection at Millisecond Scale — osv.dev is a periodic triage service, not a real-time intrusion detection system. It will not detect novel or in-the-wild exploits faster than specialized SIEM/IDS platforms.
- No Tolerance for GCP Dependency — The reference deployment runs on Google Cloud Platform. Self-hosting requires significant infrastructure knowledge and ongoing operational burden to mirror data and scale services.
- Need for Managed, SLA-Backed Support — osv.dev is community-supported. No commercial support contract, guaranteed response times, or SLA availability. Requires internal resources for production maintenance.
License & commercial use
Apache License 2.0 (Apache-2.0). This is a permissive OSI-approved open-source license allowing commercial use, modification, and distribution under stated terms (retain license, copyright, and include a NOTICE file). No patent clause; no warranty provided.
Apache-2.0 permits commercial use without royalties or licensing fees. Organizations may use osv.dev in commercial products and services. However, Google provides no warranty or liability protection. Verify compliance with internal IP and data governance policies, especially regarding upstream vulnerability data sources and data export restrictions.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
osv.dev aggregates and serves vulnerability metadata; treat data integrity and API availability as critical. OpenSSF Scorecard badge indicates static security assessment. No public security audit or threat model documented. Data sources (NVD, PyPI, distro repos) are public; assume adversarial or outdated data possible. Self-hosted deployments must secure API endpoints, control data access, and monitor for injection attacks in user-supplied scan inputs (lockfiles, SBOMs, git repos). No mention of rate limiting, authentication, or input sanitization in README; verify security posture in deployment docs.
Alternatives to consider
Trivy (Aqua Security)
Go-based vulnerability scanner with offline DB; integrates with registries, filesystems, and Kubernetes. Easier local deployment, though DB is proprietary/Aqua-managed. No upstream contribution model like OSV.
Snyk
Commercial SaaS with broader language support, real-time vulnerability feeds, and managed threat intelligence. No self-hosting; higher cost but includes support and faster vulnerability disclosure.
Dependency-Track
Open-source (Apache-2.0) SBOM and component analysis platform with policy enforcement. Lighter-weight self-hosting; less vulnerability data intelligence than OSV but stronger for inventory and compliance tracking.
Build on osv.dev with DEV.co software developers
osv.dev is a mature, actively maintained open-source vulnerability aggregator ideal for teams needing free, transparent vulnerability data. Start by testing the public API against your dependencies, then assess self-hosting costs for production use. Consult deployment docs and security architecture for enterprise scale.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
osv.dev FAQ
Can I use osv.dev without Google Cloud Platform?
How often is the vulnerability database updated?
What lockfile formats does osv-scanner support?
Is there a Go SDK or language bindings?
Work with a software development agency
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If osv.dev is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Evaluate osv.dev for Your Vulnerability Management Pipeline
osv.dev is a mature, actively maintained open-source vulnerability aggregator ideal for teams needing free, transparent vulnerability data. Start by testing the public API against your dependencies, then assess self-hosting costs for production use. Consult deployment docs and security architecture for enterprise scale.