Skip to content
/ osv-scanner Public
forked from google/osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev

License

Apache-2.0 license
0 stars 380 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dooreemii/osv-scanner

BranchesTags
 
 

Repository files navigation

OSV-Scanner

OpenSSF Scorecard

Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies.

OSV-Scanner provides an officially supported frontend to the OSV database that connects a project’s list of dependencies with the vulnerabilities that affect them. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:

  • Each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database)
  • Anyone can suggest improvements to advisories, resulting in a very high quality database
  • The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages

The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them. Check out our announcement blog post for more details!

Table of Contents

Installing

You may download the SLSA3 compliant binaries for Linux, macOS, and Windows from our releases page.

Package Managers

Packaging status

If you're a Windows Scoop user, then you can install osv-scanner from the official bucket:

scoop install osv-scanner

If you're a Homebrew user, you can install osv-scanner via:

brew install osv-scanner

If you're a Arch Linux User, you can install osv-scanner from the official repo:

pacman -S osv-scanner

Install from source

Alternatively, you can install this from source by running:

go install github.com/google/osv-scanner/cmd/osv-scanner@v1

This requires Go 1.18+ to be installed.

Build from source

See CONTRIBUTING.md file.

SemVer Adherence

All releases on the same Major version will be guaranteed to have backward compatible JSON output and CLI arguments.

Usage

OSV-Scanner parses lockfiles, SBOMs, and git directories to determine your project's open source dependencies. These dependencies are matched against the OSV database via the OSV.dev API and known vulnerabilities are returned to you in the output.

See the current stable release README.md for details on how to use and configure OSV-Scanner, and what output to expect. To see latest main branch usage, see USAGE.md.

Contribute

Report Problems

If you have what looks like a bug, please use the Github issue tracking system. Before you file an issue, please search existing issues to see if your issue is already covered.

Contributing code to osv-scanner

See CONTRIBUTING.md for documentation on how to contribute code.

Stargazers over time

Stargazers over time

About

Vulnerability scanner written in Go which uses the data provided by https://osv.dev

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 92.9%
  • Python 2.4%
  • Java 2.0%
  • PHP 1.3%
  • Ruby 0.7%
  • Dockerfile 0.6%
  • Shell 0.1%