osv-scanner
OSV-Scanner is an open-source vulnerability scanner built in Go that checks project dependencies against the OSV.dev database to identify known security vulnerabilities. It supports 11+ language ecosystems, 19+ lockfile types, container images, and OS packages, with features including guided remediation and offline scanning.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | google/osv-scanner |
| Owner | |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 10.6k |
| Forks | 733 |
| Open issues | 132 |
| Latest release | v2.4.0 (2026-06-18) |
| Last updated | 2026-07-03 |
| Source | https://github.com/google/osv-scanner |
What osv-scanner is
Go-based CLI tool using OSV-Scalibr library for multi-ecosystem dependency enumeration and matching against OSV.dev's machine-readable vulnerability database. Supports source scanning, container image analysis, call-graph analysis for false-positive reduction, and experimental guided remediation for npm/Maven/Go with version upgrade recommendations.
Get the osv-scanner source
Clone the repository and explore it locally.
git clone https://github.com/google/osv-scanner.gitcd osv-scanner# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Supports 11+ language ecosystems and 19+ lockfile types; verify your specific ecosystem and lockfile format in the official documentation before deployment.
- Call-graph analysis for C/C++ and some languages can reduce false positives but requires additional configuration and may increase scan time.
- Guided remediation (fix command) is marked experimental and can trigger package manager scripts—validate against trusted sources only in production workflows.
- Offline scanning requires an initial database download and periodic updates; plan storage and refresh cadence for air-gapped or restricted-connectivity environments.
- Container scanning covers Alpine, Debian, Ubuntu distros with language-specific artifacts (Go, Java, Node, Python); non-standard base images may have limited coverage.
When to avoid it — and what to weigh
- Proprietary/closed-source vulnerability database requirement — OSV-Scanner relies entirely on OSV.dev (aggregated from GitHub Security Advisories, RustSec, Ubuntu notices, etc.). If your policy mandates vendor-specific or enterprise advisory data only, this tool will not meet that constraint.
- Real-time zero-day response at scale — OSV.dev's data quality and comprehensiveness depend on upstream advisory sources. Organizations requiring sub-hour zero-day ingestion or custom advisories should layer additional commercial threat intelligence.
- Complex custom remediation workflows — Guided remediation is experimental and limited to npm (lockfile/manifest), Maven (pom.xml), and Go; it cannot auto-remediate platform-specific constraints (version conflicts, transitive pinning) across all ecosystems.
- Offline-first or air-gapped environments without prep — While offline mode exists, initial database download requires internet access. Preparation and manual database provisioning are necessary for fully air-gapped deployments.
License & commercial use
Apache License 2.0 (Apache-2.0). Permissive OSI-approved license permitting commercial use, modification, and distribution under the same license with liability disclaimers. No restriction on commercial deployment.
Commercial use is explicitly permitted under Apache-2.0. No licensing fees or commercial seat restrictions apply to the tool itself. However, OSV.dev data is aggregated from multiple upstream sources (GitHub, RustSec, Ubuntu, etc.) with their own terms; review upstream advisory licenses if embedding advisories in commercial products. OSV-Scanner itself poses no commercial use barrier.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Project has OpenSSF Scorecard badge, SLSA 3 supply-chain assurance, and codecov integration indicating quality practices. Apache-2.0 license and open development model enable code review. No claims made about the tool's resistance to supply-chain attacks or vulnerability in the tool itself; standard open-source audit practices apply. Guided remediation feature warning: can trigger package manager script execution—require human review of generated fixes before automation. Offline mode mitigates network-based interception but requires initial trusted database source.
Alternatives to consider
OWASP Dependency-Check
Multi-language dependency scanner using NVD and other sources; Java-based; mature project with broader commercial tool ecosystem but less sophisticated call-graph analysis and no native container scanning.
Snyk CLI / Snyk Open Source
Commercial-first SaaS platform with strong CLI capabilities, real-time remediation, and proprietary vulnerability intelligence; hosted or self-hosted; higher cost and vendor lock-in but more enterprise integrations.
Trivy (Aqua Security)
Lightweight, fast image and filesystem scanner; strong container focus; covers vulnerabilities, secrets, misconfigurations; active development; less sophisticated dependency conflict resolution than osv-scanner's guided remediation.
Build on osv-scanner with DEV.co software developers
Download OSV-Scanner, integrate into your CI/CD pipeline, and scan 11+ language ecosystems against the comprehensive OSV.dev vulnerability database—no licensing fees required.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
osv-scanner FAQ
Does OSV-Scanner require internet access?
Can OSV-Scanner remediate vulnerabilities automatically?
What is the accuracy of vulnerability detection?
How often is the vulnerability database updated?
Custom software development services
DEV.co helps companies turn open-source tools like osv-scanner into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Start securing your dependencies today
Download OSV-Scanner, integrate into your CI/CD pipeline, and scan 11+ language ecosystems against the comprehensive OSV.dev vulnerability database—no licensing fees required.