DEV.co
Open-Source Security · google

osv.dev

osv.dev is Google's open-source vulnerability database and triage service that aggregates security vulnerability data from multiple sources (NVD, PyPI, Alpine, Debian, etc.). It provides a REST API, web UI, and Go-based scanner tool to help teams identify and manage known vulnerabilities in their dependencies.

Source: GitHub — github.com/google/osv.dev
2.8k
GitHub stars
337
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorygoogle/osv.dev
Ownergoogle
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars2.8k
Forks337
Open issues184
Latest releasev0.1.3 (2026-04-22)
Last updated2026-07-08
Sourcehttps://github.com/google/osv.dev

What osv.dev is

Built in Go with Python components, osv.dev runs on GCP using Terraform, Cloud Build, and Cloud Functions. It indexes vulnerabilities across multiple ecosystems, offers protocol-buffer APIs, supports SBOM scanning (SPDX, CycloneDX), and includes workers for bisection and impact analysis. Data is available via public GCS dumps and a live API endpoint.

Quickstart

Get the osv.dev source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/google/osv.dev.gitcd osv.dev# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Continuous Vulnerability Scanning in CI/CD

Integrate osv-scanner into build pipelines to automatically check lockfiles (npm, pip, go.mod, Cargo.lock, etc.) and container images against the OSV database before deployment.

Centralized Vulnerability Intelligence Platform

Use the OSV API and data dumps as a backend for internal security dashboards, policy enforcement, and vulnerability triage workflows across multiple teams.

Supply Chain Risk Management

Scan SBOM artifacts (SPDX, CycloneDX) and Git repositories to map transitive dependencies and identify vulnerable upstream components in software supply chains.

Implementation considerations

  • Requires Git submodule checkout and multi-language environment setup (Go, Python, Node.js for frontend); Docker-based CI tooling provided but local dev setup is non-trivial.
  • API and database schema are versioned via protobuf; plan for schema migration if deploying locally or extending the data model.
  • Scanner tool (osv-scanner) lives in a separate repository; keep both repos in sync if relying on latest features or bug fixes.
  • Data freshness depends on upstream feed update frequency (NVD, PyPI, distro repositories); not guaranteed real-time, verify acceptable latency for your risk model.
  • GCP deployment uses Terraform; on-premise or multi-cloud deployment requires translating infrastructure-as-code to your platform (Kubernetes, other clouds).

When to avoid it — and what to weigh

  • Proprietary/Closed-Source Vulnerability Feeds Required — osv.dev aggregates public sources only. If your organization requires commercial threat intelligence or zero-day vulnerability feeds, this will not replace those services.
  • Real-Time Vulnerability Detection at Millisecond Scale — osv.dev is a periodic triage service, not a real-time intrusion detection system. It will not detect novel or in-the-wild exploits faster than specialized SIEM/IDS platforms.
  • No Tolerance for GCP Dependency — The reference deployment runs on Google Cloud Platform. Self-hosting requires significant infrastructure knowledge and ongoing operational burden to mirror data and scale services.
  • Need for Managed, SLA-Backed Support — osv.dev is community-supported. No commercial support contract, guaranteed response times, or SLA availability. Requires internal resources for production maintenance.

License & commercial use

Apache License 2.0 (Apache-2.0). This is a permissive OSI-approved open-source license allowing commercial use, modification, and distribution under stated terms (retain license, copyright, and include a NOTICE file). No patent clause; no warranty provided.

Apache-2.0 permits commercial use without royalties or licensing fees. Organizations may use osv.dev in commercial products and services. However, Google provides no warranty or liability protection. Verify compliance with internal IP and data governance policies, especially regarding upstream vulnerability data sources and data export restrictions.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

osv.dev aggregates and serves vulnerability metadata; treat data integrity and API availability as critical. OpenSSF Scorecard badge indicates static security assessment. No public security audit or threat model documented. Data sources (NVD, PyPI, distro repos) are public; assume adversarial or outdated data possible. Self-hosted deployments must secure API endpoints, control data access, and monitor for injection attacks in user-supplied scan inputs (lockfiles, SBOMs, git repos). No mention of rate limiting, authentication, or input sanitization in README; verify security posture in deployment docs.

Alternatives to consider

Trivy (Aqua Security)

Go-based vulnerability scanner with offline DB; integrates with registries, filesystems, and Kubernetes. Easier local deployment, though DB is proprietary/Aqua-managed. No upstream contribution model like OSV.

Snyk

Commercial SaaS with broader language support, real-time vulnerability feeds, and managed threat intelligence. No self-hosting; higher cost but includes support and faster vulnerability disclosure.

Dependency-Track

Open-source (Apache-2.0) SBOM and component analysis platform with policy enforcement. Lighter-weight self-hosting; less vulnerability data intelligence than OSV but stronger for inventory and compliance tracking.

Software development agency

Build on osv.dev with DEV.co software developers

osv.dev is a mature, actively maintained open-source vulnerability aggregator ideal for teams needing free, transparent vulnerability data. Start by testing the public API against your dependencies, then assess self-hosting costs for production use. Consult deployment docs and security architecture for enterprise scale.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

osv.dev FAQ

Can I use osv.dev without Google Cloud Platform?
Yes, the public API and web UI at https://osv.dev are free to query. For self-hosted deployment, osv.dev is tightly coupled to GCP services; migrating to on-premise or another cloud is non-trivial and unsupported by maintainers. Community efforts exist but are not documented in this repository.
How often is the vulnerability database updated?
Update frequency depends on upstream sources (NVD, PyPI, Debian, Alpine, etc.). Not specified in README. Check documentation or API metadata for SLA and lag estimates.
What lockfile formats does osv-scanner support?
README states support for various lockfiles, Debian containers, SPDX and CycloneDX SBOMs, and Git repositories. Exact list not detailed here; refer to osv-scanner repository.
Is there a Go SDK or language bindings?
Go language bindings are provided in the `bindings/` directory. Python, Java, Node.js, and other languages must be generated from OpenAPI/Swagger specs or implemented by users; not included in core repo.

Work with a software development agency

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If osv.dev is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate osv.dev for Your Vulnerability Management Pipeline

osv.dev is a mature, actively maintained open-source vulnerability aggregator ideal for teams needing free, transparent vulnerability data. Start by testing the public API against your dependencies, then assess self-hosting costs for production use. Consult deployment docs and security architecture for enterprise scale.