DEV.co
Open-Source Security · google

osv-scanner

OSV-Scanner is an open-source vulnerability scanner built in Go that checks project dependencies against the OSV.dev database to identify known security vulnerabilities. It supports 11+ language ecosystems, 19+ lockfile types, container images, and OS packages, with features including guided remediation and offline scanning.

Source: GitHub — github.com/google/osv-scanner
10.6k
GitHub stars
733
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorygoogle/osv-scanner
Ownergoogle
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars10.6k
Forks733
Open issues132
Latest releasev2.4.0 (2026-06-18)
Last updated2026-07-03
Sourcehttps://github.com/google/osv-scanner

What osv-scanner is

Go-based CLI tool using OSV-Scalibr library for multi-ecosystem dependency enumeration and matching against OSV.dev's machine-readable vulnerability database. Supports source scanning, container image analysis, call-graph analysis for false-positive reduction, and experimental guided remediation for npm/Maven/Go with version upgrade recommendations.

Quickstart

Get the osv-scanner source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/google/osv-scanner.gitcd osv-scanner# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Multi-language monorepo vulnerability audits

Organizations with polyglot codebases (Python, Node, Go, Java, Rust, etc.) can scan all dependencies in a single pass without configuring separate tools per language or package manager.

CI/CD security gates and container supply chain scanning

Integrate into deployment pipelines to block releases with unresolved vulnerabilities; layer-aware container scanning detects issues in base images and vendored dependencies across Alpine, Debian, Ubuntu distros.

Guided remediation and dependency upgrade planning

Development teams can use the experimental fix command (npm, Maven support) to generate and review version upgrade recommendations filtered by severity, dependency depth, and ROI, reducing manual triage overhead.

Implementation considerations

  • Supports 11+ language ecosystems and 19+ lockfile types; verify your specific ecosystem and lockfile format in the official documentation before deployment.
  • Call-graph analysis for C/C++ and some languages can reduce false positives but requires additional configuration and may increase scan time.
  • Guided remediation (fix command) is marked experimental and can trigger package manager scripts—validate against trusted sources only in production workflows.
  • Offline scanning requires an initial database download and periodic updates; plan storage and refresh cadence for air-gapped or restricted-connectivity environments.
  • Container scanning covers Alpine, Debian, Ubuntu distros with language-specific artifacts (Go, Java, Node, Python); non-standard base images may have limited coverage.

When to avoid it — and what to weigh

  • Proprietary/closed-source vulnerability database requirement — OSV-Scanner relies entirely on OSV.dev (aggregated from GitHub Security Advisories, RustSec, Ubuntu notices, etc.). If your policy mandates vendor-specific or enterprise advisory data only, this tool will not meet that constraint.
  • Real-time zero-day response at scale — OSV.dev's data quality and comprehensiveness depend on upstream advisory sources. Organizations requiring sub-hour zero-day ingestion or custom advisories should layer additional commercial threat intelligence.
  • Complex custom remediation workflows — Guided remediation is experimental and limited to npm (lockfile/manifest), Maven (pom.xml), and Go; it cannot auto-remediate platform-specific constraints (version conflicts, transitive pinning) across all ecosystems.
  • Offline-first or air-gapped environments without prep — While offline mode exists, initial database download requires internet access. Preparation and manual database provisioning are necessary for fully air-gapped deployments.

License & commercial use

Apache License 2.0 (Apache-2.0). Permissive OSI-approved license permitting commercial use, modification, and distribution under the same license with liability disclaimers. No restriction on commercial deployment.

Commercial use is explicitly permitted under Apache-2.0. No licensing fees or commercial seat restrictions apply to the tool itself. However, OSV.dev data is aggregated from multiple upstream sources (GitHub, RustSec, Ubuntu, etc.) with their own terms; review upstream advisory licenses if embedding advisories in commercial products. OSV-Scanner itself poses no commercial use barrier.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Project has OpenSSF Scorecard badge, SLSA 3 supply-chain assurance, and codecov integration indicating quality practices. Apache-2.0 license and open development model enable code review. No claims made about the tool's resistance to supply-chain attacks or vulnerability in the tool itself; standard open-source audit practices apply. Guided remediation feature warning: can trigger package manager script execution—require human review of generated fixes before automation. Offline mode mitigates network-based interception but requires initial trusted database source.

Alternatives to consider

OWASP Dependency-Check

Multi-language dependency scanner using NVD and other sources; Java-based; mature project with broader commercial tool ecosystem but less sophisticated call-graph analysis and no native container scanning.

Snyk CLI / Snyk Open Source

Commercial-first SaaS platform with strong CLI capabilities, real-time remediation, and proprietary vulnerability intelligence; hosted or self-hosted; higher cost and vendor lock-in but more enterprise integrations.

Trivy (Aqua Security)

Lightweight, fast image and filesystem scanner; strong container focus; covers vulnerabilities, secrets, misconfigurations; active development; less sophisticated dependency conflict resolution than osv-scanner's guided remediation.

Software development agency

Build on osv-scanner with DEV.co software developers

Download OSV-Scanner, integrate into your CI/CD pipeline, and scan 11+ language ecosystems against the comprehensive OSV.dev vulnerability database—no licensing fees required.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

osv-scanner FAQ

Does OSV-Scanner require internet access?
By default, yes—it queries OSV.dev API. Offline mode (`--offline --download-offline-databases`) is available; it requires initial internet download but then operates without network access.
Can OSV-Scanner remediate vulnerabilities automatically?
Partially. Guided remediation (experimental) supports npm (lockfile/manifest in-place and relock strategies) and Maven (pom.xml override strategy). Other ecosystems require manual remediation based on scanner recommendations.
What is the accuracy of vulnerability detection?
Depends on OSV.dev data quality and ecosystem coverage. Call-graph analysis (for some languages) reduces false positives by confirming vulnerable function usage. Manual review of scan output is recommended before remediation.
How often is the vulnerability database updated?
Not specified in documentation. OSV.dev aggregates advisories from GitHub Security Advisories, RustSec, Ubuntu, and other sources; update frequency depends on upstream sources. Offline database refresh cadence requires user management.

Custom software development services

DEV.co helps companies turn open-source tools like osv-scanner into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Start securing your dependencies today

Download OSV-Scanner, integrate into your CI/CD pipeline, and scan 11+ language ecosystems against the comprehensive OSV.dev vulnerability database—no licensing fees required.