OSV-Scanner: Comprehensive Vulnerability Scanning for Your Projects
Summary
OSV-Scanner is a powerful vulnerability scanner developed by Google, written in Go. It leverages the comprehensive OSV.dev database to identify security flaws across a wide range of project types, including various languages, package managers, and container images. The tool also provides advanced features like guided remediation, license scanning, and offline scanning capabilities.
Introduction
OSV-Scanner is an open-source vulnerability scanner developed by Google, written in Go. It serves as an officially supported frontend to the OSV database (https://osv.dev/) and OSV-Scalibr, connecting your project's list of dependencies with known vulnerabilities that affect them.
This tool offers extensive support for a wide array of project types, package managers, and features, including:
- Languages: C/C++, Dart, Elixir, Go, Java, JavaScript, PHP, Python, R, Ruby, Rust.
- Package Managers: npm, pip, yarn, maven, go modules, cargo, gem, composer, nuget, and others.
- Operating Systems: Detects vulnerabilities in OS packages on Linux systems.
- Containers: Scans container images for vulnerabilities in their base images and included packages.
- Guided Remediation: Provides recommendations for package version upgrades to fix vulnerabilities.
The underlying OSV.dev database is comprehensive, drawing advisories from open and authoritative sources such as GitHub Security Advisories and the RustSec Advisory Database. This gives high-quality, accurate, and actionable vulnerability notifications, which shortens the time needed to resolve findings.
Installation
To get started with OSV-Scanner, the recommended method is to download a prebuilt binary for your platform from the official GitHub releases page.
Alternatively, if you have Go installed, you can build it from source using the following command:
go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
For detailed installation instructions and system requirements, please refer to the official documentation.
Examples
OSV-Scanner provides a straightforward command-line interface for various scanning tasks.
Scanning a Source Directory
Recursively scan a directory for supported package files (e.g., package.json, go.mod, pom.xml) and report discovered vulnerabilities. OSV-Scanner can also use call analysis to reduce false positives.
osv-scanner scan source -r /path/to/your/dir
Container Scanning
Perform comprehensive, layer-aware scanning for container images to detect vulnerabilities in operating system packages and language-specific dependencies.
osv-scanner scan image my-image-name:tag
License Scanning
Check your project's dependencies for their licenses using data from deps.dev. You can get a summary or check against an allowed list.
osv-scanner --licenses path/to/repository
To check against a specific list of SPDX licenses:
osv-scanner --licenses="MIT,Apache-2.0" path/to/directory
Offline Scanning
Scan your project against a local OSV database, eliminating the need for a network connection after the initial database download.
osv-scanner --offline --download-offline-databases ./path/to/your/dir
Guided Remediation (Experimental)
This experimental feature suggests package version upgrades based on criteria like dependency depth, severity, and fix strategy. It's available as a headless CLI command or in an interactive mode.
osv-scanner fix \
--max-depth=3 \
--min-severity=5 \
--ignore-dev \
--strategy=in-place \
-L path/to/package-lock.json
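A downstream check that consumes the scanner's report, as an added example that is not the project's own code: it flattens the JSON output of a scan (`--format json`, whose field layout is assumed here rather than taken from this page) into per-package findings and fails a CI gate at a severity threshold of the same kind the fix command's --min-severity uses, treating unscored advisories as blocking instead of silently passing them.

```python
import json

# Constructed sample in the shape of an `osv-scanner --format json` report. The field names used
# here (results, packages, package, vulnerabilities, groups, max_severity) are an assumption about
# the scanner's report layout, not something the page states; the advisory IDs are placeholders.
SAMPLE_REPORT = json.dumps({"results": [{"source": {"path": "/repo/package-lock.json"}, "packages": [
    {"package": {"name": "pkg-a", "version": "1.0.0", "ecosystem": "npm"},
     "vulnerabilities": [{"id": "GHSA-PLACEHOLDER-1"}],
     "groups": [{"ids": ["GHSA-PLACEHOLDER-1"], "max_severity": "7.2"}]},
    {"package": {"name": "pkg-b", "version": "2.1.0", "ecosystem": "npm"},
     "vulnerabilities": [{"id": "GHSA-PLACEHOLDER-2"}],
     "groups": [{"ids": ["GHSA-PLACEHOLDER-2"], "max_severity": "3.1"}]},
    {"package": {"name": "pkg-c", "version": "0.9.0", "ecosystem": "npm"},
     "vulnerabilities": [{"id": "GHSA-PLACEHOLDER-3"}],
     "groups": [{"ids": ["GHSA-PLACEHOLDER-3"], "max_severity": ""}]},  # unscored advisory
]}]})


def parse_severity(value):
    """max_severity is a CVSS base score rendered as a string; absent or unparsable yields None."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def collect_findings(report_json):
    """Flatten the report into one record per vulnerable package, keeping unscored ones visible."""
    findings = []
    for result in json.loads(report_json).get("results", []):
        for pkg in result.get("packages", []):
            if not pkg.get("vulnerabilities"):
                continue  # with --all-packages the report also lists clean packages
            meta = pkg.get("package", {})
            scores = [parse_severity(g.get("max_severity")) for g in pkg.get("groups", [])]
            known = [s for s in scores if s is not None]
            findings.append({
                "package": f"{meta.get('ecosystem')}/{meta.get('name')}@{meta.get('version')}",
                "ids": sorted(v["id"] for v in pkg["vulnerabilities"]),
                "max_severity": max(known, default=None),
                # An advisory without a usable score must not slip through just because it is unscored.
                "unscored": len(known) < len(scores) or not scores,
            })
    return findings


def gate(report_json, min_severity):
    """Return (passes, blocking); a finding blocks when scored at/above min_severity or unscored."""
    blocking = [f for f in collect_findings(report_json)
                if f["unscored"] or f["max_severity"] >= min_severity]
    return not blocking, blocking
```

Feed it the saved report from a real scan and pick the threshold that matches your remediation policy; `gate(SAMPLE_REPORT, 5.0)` on the constructed sample fails on pkg-a (7.2) and on the unscored pkg-c while letting pkg-b (3.1) through.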
Why Use OSV-Scanner?
OSV-Scanner stands out as a robust security tool for several reasons:
- Comprehensive Coverage: It supports a vast ecosystem of languages, package managers, operating systems, and container images, making it versatile for diverse projects.
- Accurate and Actionable Data: Leveraging the open and authoritative OSV.dev database, it provides high-quality vulnerability advisories that are machine-readable and easy to act upon.
- Reduced False Positives: Features like call analysis help identify if a vulnerable function is actually being used, leading to more relevant alerts.
- Advanced Capabilities: From container and license scanning to offline mode and experimental guided remediation, it offers powerful features for thorough security audits.
- Open Source and Community Driven: Being open source and backed by Google, it benefits from community contributions and transparency.
Links
- GitHub Repository: https://github.com/google/osv-scanner
- Official Documentation: https://google.github.io/osv-scanner
- OSV.dev Database: https://osv.dev/