LinuxCommandLibrary

osv-scanner

Scan for vulnerabilities in project dependencies

TLDR

Scan a Docker image
$ osv-scanner -D [docker_image_name]

Scan a package lockfile
$ osv-scanner -L [path/to/lockfile]

Scan an SBOM file
$ osv-scanner -S [path/to/sbom_file]

Scan multiple directories recursively
$ osv-scanner -r [directory1 directory2 ...]

Skip scanning Git repositories
$ osv-scanner --skip-git [-r|-D] [target]

Output result in JSON format
$ osv-scanner --json [-D|-L|-S|-r] [target]

SYNOPSIS

osv-scanner [options] [path...]
osv-scanner [options] --lockfile <file>
osv-scanner [options] --sbom <file>
osv-scanner [options] --docker <image_name>

PARAMETERS

-r, --recursive <path>
    Recursively scan all supported files within the specified directory path.

-L, --lockfile <file>
    Scan a specific package manager lock file or manifest.

-S, --sbom <file>
    Scan a Software Bill of Materials (SBOM) file in SPDX or CycloneDX format.

-D, --docker <image_name>
    Scan a Docker image for vulnerabilities in its installed packages.

-o, --output <file>
    Write the scan results to the specified file instead of standard output.

--format <format>
    Specify the output format for the scan results (e.g., table, json, sarif, markdown, gh-annotations).

--config <file>
    Provide a path to a configuration file for osv-scanner settings.

--call-graph <file>
    Analyze call graph information generated by tools like go call-graph to improve vulnerability analysis.

--experimental-call-analysis
    Enable experimental call graph analysis for more precise vulnerability detection.

--json-input
    Indicates that the input is a JSON file, typically from go mod graph -json.

--ghsa-id <ID>
    Fetch and display information for a specific GHSA (GitHub Security Advisory) ID.

--osv-id <ID>
    Fetch and display information for a specific OSV (Open Source Vulnerability) ID.

-V, --version
    Display the version of osv-scanner and exit.

-h, --help
    Show the help message and exit.

DESCRIPTION

osv-scanner is a powerful and versatile command-line tool designed to identify known vulnerabilities in your project's dependencies. It leverages the comprehensive OSV (Open Source Vulnerabilities) database, which aggregates vulnerability information from various open-source ecosystems. The scanner supports a wide range of manifest and lock files, including those from popular package managers like npm (package-lock.json), Go (go.mod, go.sum), Python (requirements.txt, Pipfile.lock), Rust (Cargo.lock), Java (pom.xml, build.gradle), and many more.

Beyond simple lock file scanning, osv-scanner can also process Software Bill of Materials (SBOMs) in SPDX and CycloneDX formats, offering a standardized way to consume vulnerability data. It can scan directories, specific files, or even standard input. Its primary goal is to help developers and security teams proactively detect and mitigate security risks introduced by vulnerable open-source components in their applications, integrating seamlessly into CI/CD pipelines.
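A CI step usually consumes the --json output rather than the table. The following added example (not part of osv-scanner or this page) flattens a report with the nested results/packages/vulnerabilities layout that `osv-scanner --json` produces and decides whether the pipeline should fail; the report contents and the vulnerability IDs are constructed placeholders, and the "accepted" set stands in for findings a team has already triaged.

```python
"""CI gate over osv-scanner JSON output. Sample data below is constructed."""
import json
from typing import Dict, List, Set

# Constructed sample mirroring the shape of `osv-scanner --json`:
# results[] -> source + packages[] -> package + vulnerabilities[].
# IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "package-lock.json", "type": "lockfile"},
        "packages": [
            {"package": {"name": "demo-pkg", "version": "1.0.0", "ecosystem": "npm"},
             "vulnerabilities": [
                 {"id": "EXAMPLE-VULN-0001", "aliases": ["EXAMPLE-CVE-0001"],
                  "summary": "constructed finding"}]},
            {"package": {"name": "clean-pkg", "version": "2.3.1", "ecosystem": "npm"},
             "vulnerabilities": []},
        ],
    }],
})


def findings(report_json: str) -> List[Dict]:
    """Flatten the nested report into one row per (package, vulnerability ID)."""
    rows = []
    for result in json.loads(report_json).get("results", []):
        src = result.get("source", {}).get("path", "")
        for pkg in result.get("packages", []):
            meta = pkg["package"]
            for vuln in pkg.get("vulnerabilities", []):
                rows.append({"source": src, "ecosystem": meta["ecosystem"],
                             "package": meta["name"], "version": meta["version"],
                             "id": vuln["id"], "aliases": vuln.get("aliases", [])})
    return rows


def gate(report_json: str, accepted: Set[str]) -> int:
    """Exit status for the CI step: 0 if every finding is accepted (matched by
    ID or alias), 1 otherwise. Blocking findings are printed, never hidden."""
    blocking = [r for r in findings(report_json)
                if r["id"] not in accepted and not set(r["aliases"]) & accepted]
    for r in blocking:
        print(f"BLOCK {r['ecosystem']}/{r['package']}@{r['version']}: "
              f"{r['id']} ({r['source']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    sys.exit(gate(SAMPLE_REPORT, accepted=set()))
```

In a real pipeline the report comes from `osv-scanner --json -L package-lock.json > report.json`, and the accepted set is read from a file under version control so that every suppression has a reviewable history.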

CAVEATS

While powerful, osv-scanner's accuracy is dependent on the completeness and timeliness of the OSV database. It requires internet access to query the database. The experimental call analysis features, while promising, may not always yield perfect results and should be used with caution. Like any vulnerability scanner, it may produce false positives or false negatives, and its ability to detect vulnerabilities is limited to known issues recorded in the OSV database, not zero-day exploits or logic bugs.

SUPPORTED ECOSYSTEMS

osv-scanner supports a wide array of package manager lock files and manifest files, including but not limited to:

  • Go: go.mod, go.sum
  • JavaScript/TypeScript: package-lock.json, yarn.lock, pnpm-lock.yaml
  • Python: requirements.txt, Pipfile.lock, poetry.lock
  • Rust: Cargo.lock
  • Java: pom.xml, build.gradle, gradle.lockfile
  • Ruby: Gemfile.lock
  • PHP: composer.lock
  • .NET: packages.lock.json
  • C/C++: conan.lock

It also processes generic SBOMs (Software Bill of Materials) in SPDX and CycloneDX formats, and can scan Docker images.

OSV DATABASE

The osv-scanner queries the OSV (Open Source Vulnerabilities) database, a distributed, open, and standardized database for vulnerabilities in open-source projects. Each vulnerability in OSV is identified by an OSV ID and provides detailed information including affected versions, commit ranges, severity, and links to advisories. This centralized database allows for consistent and up-to-date vulnerability information across various ecosystems.

HISTORY

Developed by Google, osv-scanner is an integral part of the Open Source Vulnerabilities (OSV) project, launched to provide a unified, open-source tool for consuming and acting on vulnerability data. It aims to leverage the distributed, open OSV database, which aggregates vulnerability information from various ecosystems. Its development focuses on enhancing accuracy, expanding coverage across different programming languages and package managers, and enabling seamless integration into automated CI/CD pipelines to bolster open-source supply chain security.

SEE ALSO

trivy(1), grype(1), npm(1), go(1)
