Osv Scanner

Features

Dependency Vulnerability Scanning - Matches project dependencies against known advisory databases to identify security vulnerabilities.
Software Composition Analysis Tools - Identifies known security vulnerabilities and license issues in project dependencies via an advisory database.
Dependency Lockfiles - Parses manifest and lock files to build a complete graph of direct and transitive dependencies.
Constraint Regeneration - Recomputes the dependency graph from the manifest to allow newer package versions to resolve vulnerabilities.
In-Place Fixes - Replaces vulnerable package versions in a lockfile while respecting existing dependency constraints.
Transitive Dependency Resolution - Computes the full dependency graph from manifest files to ensure both direct and indirect dependencies are scanned.
Image Layer Analyzers - Deconstructs container images into individual layers to attribute vulnerabilities to specific image stages.
Vulnerability Auto-Remediation - Automatically updates package manifests and lockfiles to resolve identified security vulnerabilities.
Interactive Remediation Interfaces - Provides an interactive terminal user interface for selecting and applying vulnerability patches.
Dependency Vulnerability Scanners - Analyzes project dependencies and container images against the Open Source Vulnerabilities database.
Automated Security Remediation - Executes vulnerability fixes in non-interactive mode for automated patching within CI/CD pipelines.
Interactive Interfaces - Provides a terminal user interface to navigate discovered vulnerabilities and apply remediation patches step-by-step.
Reachability Analysis - Uses call analysis to determine if a vulnerable function is actually invoked to reduce false positives.
Container Image Vulnerability Scanners - Analyzes container image layers to detect known OS and application-layer vulnerabilities.
Reachability Analyzers - Analyzes function call paths to determine if vulnerable code is actually reachable, reducing false positives.
Local Data Caches - Downloads and stores vulnerability data locally to enable offline scanning and reduce network latency.
Command Line Interfaces - Provides a terminal-based command line interface to run vulnerability scanning and management.
Commit-Based Version Matching - Identifies vulnerabilities in C/C++ dependencies by matching specific git commit hashes against advisory data.
Dependency Constraints - Restricts automatic dependency updates to specific semantic version levels to avoid breaking changes.
Pre-commit Hooks - Integrates vulnerability scans into the version control commit process via pre-commit hooks.
Programmable Scan Interfaces - Exposes scanning logic as a programmable interface for integration into external applications and internal processes.
Version Constraint Mapping - Calculates safe package upgrades by comparing vulnerability ranges against semantic versioning rules.
Go Library Integrations - Provides a Go library that allows scanning logic to be embedded directly into custom Go applications.
Security Scanning Integrations - Integrates vulnerability scanning into CI/CD pipelines and git hooks to catch insecure dependencies.
Version Overrides - Forces a specific dependency version in a manifest to resolve vulnerabilities when automatic updates fail.
License Compliance Tools - Audits project dependencies against an allow-list of licenses to identify legal compliance risks.
Programmable Security Libraries - Provides a programmable Go package for integrating vulnerability scanning logic directly into custom applications.
C/C++ Vendored Dependencies - Detects vulnerabilities in vendored or submoduled C/C++ dependencies using commit-level version data.
Remediation Filtering - Limits the scope of proposed fixes based on dependency depth, severity scores, or specific vulnerability identifiers.
Vulnerability Report Generation - Generates summarized tables and detailed HTML reports that categorize vulnerabilities and fix availability.
Layer Tracing - Attributes discovered vulnerabilities to the specific container layer where the affected package was first introduced.
Offline Vulnerability Analysis - Provides a local vulnerability database to enable scanning in air-gapped or offline environments.
License Validation Engines - Validates dependency licenses against a predefined allow-list to ensure open source compliance.
Vulnerability Scanners - Vulnerability scanner using the OSV database.

Open-source alternatives to Osv Scanner

Similar open-source projects, ranked by how many features they share with Osv Scanner.

snyk/cli
snyk/cli
5,428View on GitHub
The Snyk CLI is a command-line security scanner that detects known vulnerabilities across open-source dependencies, proprietary application code, container images, and infrastructure-as-code configuration files. It also serves as a platform management tool, allowing users to configure organizations, users, SSO, and reporting from the terminal rather than the web dashboard. The CLI integrates directly into development workflows, enabling scanning within IDEs, build pipelines, and version control systems. It implements static analysis with interfile data flow analysis to find complex security f
TypeScriptmonitorsecuritysnyk
View on GitHub5,428
aboutcode-org/scancode-toolkit
aboutcode-org/scancode-toolkit
2,567View on GitHub
ScanCode Toolkit is a software composition analysis tool and scanning framework designed to identify open-source licenses and copyright statements in source code and binary files. It functions as an open-source license detector, a dependency vulnerability scanner, and a generator for standardized software bills of materials in SPDX and CycloneDX formats. The project is built as a plugin-based scanning framework, allowing the integration of custom detection logic, specialized analyzers, and modified scanning behaviors at runtime. It distinguishes itself through the ability to produce formal le
Pythoncopyrightcopyright-scancyclonedx
View on GitHub2,567
bridgecrewio/checkov
bridgecrewio/checkov
8,798View on GitHub
Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security
Python
View on GitHub8,798
npm/cli
npm/cli
9,846View on GitHub
This project is a command line interface for managing, installing, and publishing JavaScript packages to a remote registry. It serves as a dependency resolution tool, a software registry publishing client, and a security auditor for Node.js development workflows. The tool distinguishes itself by providing integrated monorepo workspace management and a comprehensive registry authentication client that supports multi-factor authentication. It enables detailed control over the software supply chain through provenance attestations, package signature verification, and the generation of a Software
JavaScriptjavascriptnodejsnpm
View on GitHub9,846

See all 30 alternatives to Osv Scanner

googleosv-scanner

Features

Open-source alternatives to Osv Scanner

snyk/cli

aboutcode-org/scancode-toolkit

bridgecrewio/checkov

npm/cli

Star history

Open-source alternatives to Osv Scanner

snyk/cli

aboutcode-org/scancode-toolkit

bridgecrewio/checkov

npm/cli