osv-scanner
Scan dependencies for known vulnerabilities using the OSV database
SYNOPSIS
osv-scanner command [options] [targets]
DESCRIPTION
osv-scanner scans project dependencies for known vulnerabilities by querying the OSV.dev database, which aggregates vulnerability data from multiple sources including the GitHub Advisory Database, PyPI, RubyGems, and crates.io.

The tool automatically detects and parses lockfiles from most major package ecosystems, including npm, pip, Go modules, Cargo, Maven, NuGet, and more. It can also scan SBOM files in SPDX or CycloneDX formats and Docker container images.

The fix subcommand provides guided remediation by suggesting version upgrades that resolve detected vulnerabilities while minimizing breaking changes.

Call graph analysis (supported for Go and Rust) can reduce false positives by determining whether vulnerable code paths are actually reachable from the project.
PARAMETERS
scan
    Scan dependencies for vulnerabilities.
fix
    Generate guided remediation suggestions.
-r, --recursive DIR
    Scan directory recursively for lockfiles and manifests.
--lockfile FILE
    Scan a specific lockfile (auto-detects ecosystem).
--sbom FILE
    Scan an SBOM file (supports SPDX and CycloneDX).
--docker IMAGE
    Scan a Docker image for vulnerabilities.
--format FORMAT
    Output format: table (default), json, markdown, sarif.
--config FILE
    Path to osv-scanner.toml configuration file.
--call-analysis
    Enable call graph analysis to filter unreachable vulnerabilities (Go, Rust).
--no-ignore
    Do not respect ignore entries in the config file.
--verbosity LEVEL
    Set verbosity level: error, warn, info, verbose.
--help
    Display help information.
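As an added example (not code from the osv-scanner project), the following Python gate consumes the JSON produced by `--format json` and fails a CI job when any non-ignored vulnerability group meets a severity threshold, while honouring an ignore list the way the config file's ignore entries would. The JSON field names (results, source, packages, package, vulnerabilities, groups, max_severity) are an assumption about the scanner's output format, and all IDs, versions and paths in the sample are constructed placeholders.

```python
import json
from typing import Iterable

# Constructed sample in the shape of `osv-scanner --format json` output. The
# field names (results/source/packages/package/vulnerabilities/groups/
# max_severity) are an assumption about that format, not taken from the page;
# the IDs, versions and path are made-up placeholders.
SAMPLE_OUTPUT = json.dumps({"results": [{
    "source": {"path": "/app/package-lock.json", "type": "lockfile"},
    "packages": [
        {"package": {"name": "example-lib", "version": "1.2.3", "ecosystem": "npm"},
         "vulnerabilities": [{"id": "GHSA-EXAMPLE-0001", "aliases": ["CVE-0000-0001"]},
                             {"id": "GHSA-EXAMPLE-0002", "aliases": []}],
         "groups": [{"ids": ["GHSA-EXAMPLE-0001"], "max_severity": "9.8"},
                    {"ids": ["GHSA-EXAMPLE-0002"], "max_severity": "4.3"}]},
        {"package": {"name": "other-lib", "version": "0.9.0", "ecosystem": "npm"},
         "vulnerabilities": [{"id": "GHSA-EXAMPLE-0003", "aliases": []}],
         "groups": [{"ids": ["GHSA-EXAMPLE-0003"], "max_severity": "7.5"}]},
    ]}]})


def findings(raw: str, ignored: Iterable[str] = ()) -> list[dict]:
    """One record per vulnerability group, skipping groups whose every ID is
    on the ignore list (the same effect as ignore entries in osv-scanner.toml,
    applied to the output after the fact)."""
    ignore = set(ignored)
    out = []
    for result in json.loads(raw).get("results", []):
        for pkg in result.get("packages", []):
            meta = pkg["package"]
            for group in pkg.get("groups", []):
                if all(vid in ignore for vid in group["ids"]):
                    continue
                out.append({
                    "source": result["source"]["path"],
                    "package": f"{meta['ecosystem']}/{meta['name']}@{meta['version']}",
                    "ids": list(group["ids"]),
                    # max_severity is a CVSS score; missing value counts as 0
                    "score": float(group.get("max_severity") or 0.0),
                })
    return out


def gate(raw: str, min_score: float = 7.0, ignored: Iterable[str] = ()) -> tuple[bool, list[dict]]:
    """Return (ok, blocking): ok is False when any non-ignored group scores at
    or above min_score, the check a CI job would apply to the scanner output."""
    blocking = [f for f in findings(raw, ignored) if f["score"] >= min_score]
    return (not blocking, blocking)
```

In a pipeline, pipe the scanner's JSON into `gate()` and exit non-zero when `ok` is False; keep the ignore list in version control next to osv-scanner.toml so suppressions are reviewed like code.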
CAVEATS
Requires network access to query the OSV.dev database. Vulnerability coverage depends on data submitted to OSV by various ecosystems. Call graph analysis is only available for Go and Rust projects.
HISTORY
osv-scanner was released by Google in December 2022 as a frontend for the OSV.dev vulnerability database. It was designed to provide a free, open-source alternative for dependency scanning. The fix subcommand for guided remediation was added in 2024.
