gitmyhub

osv-scanner

Go · ★ 11k · updated 10h ago

Vulnerability scanner written in Go which uses the data provided by https://osv.dev

A free, open source security scanner from Google that checks your project's dependencies against a public vulnerability database, supporting many languages, Linux packages, and container images.

Go · setup: easy · complexity: 2/5

OSV-Scanner is a free, open source tool from Google that checks your software project for known security vulnerabilities in its dependencies. When you build a software project, you rely on dozens or hundreds of external packages written by others. Any of those packages might have a known security flaw. OSV-Scanner scans your project's dependency files and cross-references them against a public database of vulnerabilities called OSV.dev.

The tool supports a wide range of programming languages including Python, JavaScript, Go, Java, Ruby, Rust, PHP, and others. It reads common dependency files like package.json, go.mod, and pom.xml automatically when you point it at a directory. Beyond code, it can also scan Linux operating system packages and container images, checking each layer of a container for vulnerable packages.

A few features stand out. Guided remediation suggests specific package version upgrades that would fix the most vulnerabilities with the least disruption. License scanning checks whether your dependencies use licenses that are compatible with your project's rules. Offline mode lets you scan without an internet connection after downloading a local copy of the vulnerability database. There is also call analysis, which checks whether your code actually calls the vulnerable function in a package, reducing alerts that would not affect you in practice.

The underlying OSV.dev database is open and draws from authoritative sources including GitHub Security Advisories and ecosystem-specific advisory databases. Anyone can propose corrections, which keeps the data quality high.

Installation involves downloading a prebuilt binary from the releases page or building from source with Go. Running a scan is a single command pointing at your project directory.

Where it fits