osv-scanner

finds vulnerabilities in dependencies

Scan directory

$ osv-scanner -r [directory]

Scan lockfile

$ osv-scanner --lockfile=[package-lock.json]

Scan SBOM

$ osv-scanner --sbom=[sbom.json]

Output as JSON

$ osv-scanner -r [directory] --json

Scan specific ecosystem

$ osv-scanner --lockfile=requirements.txt

osv-scanner [options] [targets]

osv-scanner finds vulnerabilities in dependencies. Uses OSV database.
The tool scans lockfiles and SBOMs. Open source vulnerability detection.

-r DIR

Scan directory recursively.

--lockfile FILE

Scan specific lockfile.

--sbom FILE

Scan SBOM file.

--json

JSON output.

--config FILE

Configuration file.

--help

Display help information.

Requires network access. Database coverage varies. Google maintained.

osv-scanner was created by Google for scanning dependencies against OSV database.