Scans dependencies against the OSV vulnerability database
Apache-2.0
- Go
- Python
- Go Template

About OSV-Scanner
OSV-Scanner is a command line vulnerability scanner that connects a project's dependencies to the advisories that affect them. It is the official frontend to OSV.dev, an open, distributed database whose advisories come from authoritative sources like GitHub Security Advisories, RustSec, and Ubuntu security notices.
It recursively scans source directories across a wide range of languages and lockfiles, scans container images layer by layer, and detects vulnerabilities in Linux OS packages. Guided remediation recommends version upgrades weighed by dependency depth, severity, fix strategy, and return on investment. It can also run license scanning and detect vendored C/C++ code.
Written in Go and built on the OSV-Scalibr library, it ships prebuilt binaries and installs with go install. An offline mode scans against a local copy of the database without querying OSV.dev or deps.dev.
Key features
- Scans source directories and lockfiles for known CVEs
- Layer-aware scanning of container images
- Detects vulnerabilities in Linux OS packages
- Guided remediation for dependency upgrades
- Offline scanning against a local database
Details
- First released: 2022
- Language: Go
- Platforms: CLI · Linux · macOS · Windows
- Deployment: self-hostable · offline
- Database: OSV.dev
- Origins
