# google/osv-scanner

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/google-osv-scanner).**

10,565 stars · 729 forks · Go · Apache-2.0

## Links

- GitHub: https://github.com/google/osv-scanner
- Homepage: https://google.github.io/osv-scanner/
- awesome-repositories: https://awesome-repositories.com/repository/google-osv-scanner.md

## Topics

`scanner` `security-audit` `security-tools` `vulnerability-scanner`

## Description

osv-scanner is a software composition analysis (SCA) tool and vulnerability scanner that checks project dependencies and container images against the Open Source Vulnerabilities (OSV) database. It also functions as a dependency remediation tool and can be integrated into custom Go applications as a programmable security library.

The project distinguishes itself through a remediation workflow that includes an interactive terminal user interface and non-interactive scripting for upgrading vulnerable packages in lockfiles and manifests. It employs call-graph reachability analysis to determine whether vulnerable code is actually invoked, and uses layer-aware scanning to attribute vulnerabilities to the specific stage of a container image that introduced them.

Its broader capabilities cover the identification of known security vulnerabilities, open source license compliance auditing, and the resolution of transitive dependencies. The scanner supports offline scanning via local database synchronization and integrates into development pipelines through pre-commit hooks and CI/CD security checks.

The scanner can be executed as a standalone command line interface or run from a Docker container.

## Tags

### Security & Cryptography

- [Dependency Vulnerability Scanning](https://awesome-repositories.com/f/security-cryptography/security-auditing/dependency-vulnerability-scanning.md) — Matches project dependencies against known advisory databases to identify security vulnerabilities. ([source](https://google.github.io/osv-scanner/usage/))
- [Software Composition Analysis Tools](https://awesome-repositories.com/f/security-cryptography/software-composition-analysis-tools.md) — Identifies known security vulnerabilities and license issues in project dependencies via an advisory database.
- [Dependency Vulnerability Scanners](https://awesome-repositories.com/f/security-cryptography/dependency-vulnerability-scanners.md) — Analyzes project dependencies and container images against the Open Source Vulnerabilities database.
- [Automated Security Remediation](https://awesome-repositories.com/f/security-cryptography/security-finding-management/automated-security-remediation.md) — Executes vulnerability fixes in non-interactive mode for automated patching within CI/CD pipelines. ([source](https://google.github.io/osv-scanner/experimental/guided-remediation/))
- [Interactive Interfaces](https://awesome-repositories.com/f/security-cryptography/security-finding-management/automated-security-remediation/interactive-interfaces.md) — Provides a terminal user interface to navigate discovered vulnerabilities and apply remediation patches step-by-step. ([source](https://google.github.io/osv-scanner/experimental/guided-remediation/))
- [Reachability Analysis](https://awesome-repositories.com/f/security-cryptography/vulnerability-assessment-testing/vulnerability-reporting/contextual-vulnerability-analysis/reachability-analysis.md) — Uses call analysis to determine if a vulnerable function is actually invoked to reduce false positives. ([source](https://cdn.jsdelivr.net/gh/google/osv-scanner@main/README.md))
- [Container Image Vulnerability Scanners](https://awesome-repositories.com/f/security-cryptography/vulnerability-scanning/container-image-vulnerability-scanners.md) — Analyzes container image layers to detect known OS and application-layer vulnerabilities. ([source](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/))
- [License Compliance Tools](https://awesome-repositories.com/f/security-cryptography/license-compliance-tools.md) — Audits project dependencies against an allow-list of licenses to identify legal compliance risks.
- [Programmable Security Libraries](https://awesome-repositories.com/f/security-cryptography/programmable-security-libraries.md) — Provides a programmable Go package for integrating vulnerability scanning logic directly into custom applications.
- [C/C++ Vendored Dependencies](https://awesome-repositories.com/f/security-cryptography/security-auditing/dependency-vulnerability-scanning/swift-and-objective-c-dependencies/c-c-vendored-dependencies.md) — Detects vulnerabilities in vendored or submoduled C/C++ dependencies using commit-level version data. ([source](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/))
- [Remediation Filtering](https://awesome-repositories.com/f/security-cryptography/security-finding-management/automated-security-remediation/remediation-filtering.md) — Limits the scope of proposed fixes based on dependency depth, severity scores, or specific vulnerability identifiers. ([source](https://google.github.io/osv-scanner/experimental/guided-remediation/))
- [Vulnerability Report Generation](https://awesome-repositories.com/f/security-cryptography/vulnerability-report-generation.md) — Generates summarized tables and detailed HTML reports that categorize vulnerabilities and fix availability. ([source](https://google.github.io/osv-scanner/usage/scan-image))
- [Layer Tracing](https://awesome-repositories.com/f/security-cryptography/vulnerability-scanning/container-image-vulnerability-scanners/layer-tracing.md) — Attributes discovered vulnerabilities to the specific container layer where the affected package was first introduced. ([source](https://google.github.io/osv-scanner/usage/scan-image))
- [Offline Vulnerability Analysis](https://awesome-repositories.com/f/security-cryptography/vulnerability-scanning/offline-vulnerability-analysis.md) — Provides a local vulnerability database to enable scanning in air-gapped or offline environments. ([source](https://google.github.io/osv-scanner/usage/offline-mode/))

### Development Tools & Productivity

- [Dependency Lockfiles](https://awesome-repositories.com/f/development-tools-productivity/dependency-lockfiles.md) — Parses manifest and lock files to build a complete graph of direct and transitive dependencies.
- [Constraint Regeneration](https://awesome-repositories.com/f/development-tools-productivity/dependency-lockfiles/constraint-regeneration.md) — Recomputes the dependency graph from the manifest to allow newer package versions to resolve vulnerabilities. ([source](https://google.github.io/osv-scanner/experimental/guided-remediation/))
- [In-Place Fixes](https://awesome-repositories.com/f/development-tools-productivity/dependency-lockfiles/lockfile-reconciliation/in-place-fixes.md) — Replaces vulnerable package versions in a lockfile while respecting existing dependency constraints. ([source](https://google.github.io/osv-scanner/experimental/guided-remediation/))
- [Transitive Dependency Resolution](https://awesome-repositories.com/f/development-tools-productivity/package-dependency-managers/automated-dependency-updaters/transitive-dependency-updates/transitive-dependency-resolution.md) — Computes the full dependency graph from manifest files to ensure both direct and indirect dependencies are scanned. ([source](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/))
- [Command Line Interfaces](https://awesome-repositories.com/f/development-tools-productivity/command-line-interfaces.md) — Provides a terminal-based command line interface to run vulnerability scanning and management. ([source](https://google.github.io/osv-scanner/))
- [Commit-Based Version Matching](https://awesome-repositories.com/f/development-tools-productivity/commit-tracking/commit-based-version-matching.md) — Identifies vulnerabilities in C/C++ dependencies by matching specific git commit hashes against advisory data.
- [Dependency Constraints](https://awesome-repositories.com/f/development-tools-productivity/dependency-constraints.md) — Restricts automatic dependency updates to specific semantic version levels to avoid breaking changes. ([source](https://google.github.io/osv-scanner/experimental/guided-remediation/))
- [Pre-commit Hooks](https://awesome-repositories.com/f/development-tools-productivity/pre-commit-hooks.md) — Integrates vulnerability scans into the version control commit process via pre-commit hooks. ([source](https://google.github.io/osv-scanner/usage/))
- [Programmable Scan Interfaces](https://awesome-repositories.com/f/development-tools-productivity/scan-configurations/workflow-scanning/programmable-scan-interfaces.md) — Exposes scanning logic as a programmable interface for integration into external applications and internal processes.
- [Version Constraint Mapping](https://awesome-repositories.com/f/development-tools-productivity/version-constraints/version-constraint-mapping.md) — Calculates safe package upgrades by comparing vulnerability ranges against semantic versioning rules.

### DevOps & Infrastructure

- [Image Layer Analyzers](https://awesome-repositories.com/f/devops-infrastructure/container-orchestration/image-management-tools/image-layer-analyzers.md) — Deconstructs container images into individual layers to attribute vulnerabilities to specific image stages.
- [Vulnerability Auto-Remediation](https://awesome-repositories.com/f/devops-infrastructure/service-mesh-control-planes/manifest-generators/manifest-patching/security-auto-remediation/vulnerability-auto-remediation.md) — Automatically updates package manifests and lockfiles to resolve identified security vulnerabilities.
- [Interactive Remediation Interfaces](https://awesome-repositories.com/f/devops-infrastructure/service-mesh-control-planes/manifest-generators/manifest-patching/security-auto-remediation/vulnerability-auto-remediation/interactive-remediation-interfaces.md) — Provides an interactive terminal user interface for selecting and applying vulnerability patches.
- [Go Library Integrations](https://awesome-repositories.com/f/devops-infrastructure/backend-as-a-service-integrations/go-library-integrations.md) — Provides a Go library that allows scanning logic to be embedded directly into custom Go applications. ([source](https://google.github.io/osv-scanner/))
- [Security Scanning Integrations](https://awesome-repositories.com/f/devops-infrastructure/ci-cd-pipeline-integrations/security-scanning-integrations.md) — Integrates vulnerability scanning into CI/CD pipelines and git hooks to catch insecure dependencies.
- [Version Overrides](https://awesome-repositories.com/f/devops-infrastructure/version-upgrades/dependency-versioning/version-overrides.md) — Forces a specific dependency version in a manifest to resolve vulnerabilities when automatic updates fail. ([source](https://google.github.io/osv-scanner/experimental/guided-remediation/))

### Software Engineering & Architecture

- [Reachability Analyzers](https://awesome-repositories.com/f/software-engineering-architecture/code-analysis-tools/reachability-analyzers.md) — Analyzes function call paths to determine if vulnerable code is actually reachable, reducing false positives.
- [License Validation Engines](https://awesome-repositories.com/f/software-engineering-architecture/licensing-information/dependency-license-extractors/license-validation-engines.md) — Validates dependency licenses against a predefined allow-list to ensure open source compliance. ([source](https://cdn.jsdelivr.net/gh/google/osv-scanner@main/README.md))

### Data & Databases

- [Local Data Caches](https://awesome-repositories.com/f/data-databases/data-caching/local-data-caches.md) — Downloads and stores vulnerability data locally to enable offline scanning and reduce network latency.

### Part of an Awesome List

- [Static Analysis](https://awesome-repositories.com/f/awesome-lists/devtools/static-analysis.md) — Vulnerability scanner for project dependencies.
- [Vulnerability Scanners](https://awesome-repositories.com/f/awesome-lists/devtools/vulnerability-scanners.md) — Vulnerability scanner using the OSV database.
