OSV-Scanner is an open-source vulnerability scanning tool developed by Google that uses the OSV.dev database — the most comprehensive open vulnerability database available. Unlike commercial scanners that maintain proprietary vulnerability databases with varying coverage, OSV aggregates data from dozens of sources including the National Vulnerability Database, GitHub Security Advisories, and ecosystem-specific databases for npm, PyPI, crates.io, Go, Maven, and more. This gives OSV-Scanner exceptionally broad coverage across all major programming language ecosystems.
The scanner analyzes lockfiles, SBOMs (Software Bills of Materials), and container images to identify known vulnerabilities in your dependencies. It supports package managers across the major ecosystems: npm and yarn for JavaScript, pip and Poetry for Python, Maven and Gradle for Java, Cargo for Rust, Go modules, NuGet for .NET, and many more. Results include severity ratings, affected version ranges, and remediation guidance giving the minimum version upgrade needed to resolve each vulnerability. The guided remediation feature suggests the least disruptive upgrade path across your dependency tree, rather than simply recommending the latest release of each package.
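The "minimum version upgrade needed" in the remediation guidance falls out of the OSV record format itself: each advisory lists `affected[].ranges[].events[]` with `introduced`/`fixed` boundaries, and the smallest fix is the lowest boundary above the installed version that is not inside any other advisory's affected interval. The following is an added illustration of that computation, not code from the OSV-Scanner project. The advisory records, the package name `example-lib`, its versions and the `EXAMPLE-2024-*` identifiers are constructed placeholders shaped like OSV schema entries; version comparison is a simplified dotted-numeric compare that covers plain SEMVER ranges only (no pre-release tags, no ECOSYSTEM-specific ordering).

```python
"""Minimum fixing upgrade for a vulnerable dependency, derived from OSV records.

Added example, not OSV-Scanner's own code. The records below are CONSTRUCTED
samples following the OSV schema layout (affected -> ranges -> events); the
advisory IDs, package and versions are placeholders.
"""
from typing import List, Optional, Tuple

# Constructed sample advisories for a hypothetical npm package "example-lib".
SAMPLE_VULNS = [
    {
        "id": "EXAMPLE-2024-0001",  # placeholder, not a real advisory id
        "summary": "Prototype pollution in merge()",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-lib"},
            "ranges": [
                {"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]},
                {"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.1"}]},
            ],
        }],
    },
    {
        "id": "EXAMPLE-2024-0002",  # placeholder, not a real advisory id
        "summary": "Regular-expression denial of service in parse()",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-lib"},
            "ranges": [
                {"type": "SEMVER", "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.5"}]},
            ],
        }],
    },
]

Version = Tuple[int, ...]
Interval = Tuple[Version, Optional[Version]]  # [introduced, fixed) ; fixed=None means no fix yet


def parse_version(v: str) -> Version:
    """Simplified MAJOR.MINOR.PATCH parse; OSV's sentinel "0" becomes (0,)."""
    return tuple(int(p) for p in v.split("."))


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def affected_intervals(events: List[dict]) -> List[Interval]:
    """Pair each 'introduced' event with the 'fixed' event that follows it."""
    intervals: List[Interval] = []
    start: Optional[Version] = None
    for ev in events:
        if "introduced" in ev:
            start = parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            intervals.append((start, parse_version(ev["fixed"])))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def in_interval(v: Version, interval: Interval) -> bool:
    lo, hi = interval
    return v >= lo and (hi is None or v < hi)


def is_affected(version: str, events: List[dict]) -> bool:
    v = parse_version(version)
    return any(in_interval(v, iv) for iv in affected_intervals(events))


def minimum_fix(name: str, ecosystem: str, installed: str,
                vulns: List[dict]) -> Tuple[List[str], Optional[str]]:
    """Return (ids of advisories hitting `installed`, smallest safe upgrade or None).

    A candidate upgrade is any 'fixed' boundary above the installed version; it is
    only safe if it lies outside every affected interval of every advisory for the
    package, so a fix for one advisory that is still inside another is rejected.
    """
    v = parse_version(installed)
    hits: List[str] = []
    intervals: List[Interval] = []
    for vuln in vulns:
        for aff in vuln["affected"]:
            pkg = aff["package"]
            if pkg["name"] != name or pkg["ecosystem"] != ecosystem:
                continue
            for rng in aff["ranges"]:
                if rng["type"] != "SEMVER":
                    continue  # simplified example: ECOSYSTEM/GIT ranges not handled
                ivs = affected_intervals(rng["events"])
                intervals.extend(ivs)
                if any(in_interval(v, iv) for iv in ivs) and vuln["id"] not in hits:
                    hits.append(vuln["id"])
    if not hits:
        return [], None
    candidates = [hi for _, hi in intervals if hi is not None and hi > v
                  and not any(in_interval(hi, iv) for iv in intervals)]
    return hits, (format_version(min(candidates)) if candidates else None)


if __name__ == "__main__":
    ids, fix = minimum_fix("example-lib", "npm", "1.4.0", SAMPLE_VULNS)
    print(f"example-lib@1.4.0 affected by {ids}; minimum safe upgrade: {fix}")
```

Running it for `example-lib@1.4.0` reports both constructed advisories and recommends `1.4.5`, not `1.4.2`: the first advisory's fix is still inside the second advisory's affected range, which is exactly the cross-advisory reasoning a scanner has to do before it can call an upgrade "minimal".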
With over 8,600 GitHub stars and Apache-2.0 licensing, OSV-Scanner integrates into CI/CD pipelines through GitHub Actions, GitLab CI, and direct CLI invocation. It can scan entire monorepos, individual packages, or container images, and supports both offline and online modes. For development teams implementing supply chain security practices — increasingly critical after high-profile incidents like the Log4j vulnerability and the recent axios compromise — OSV-Scanner provides a Google-backed, production-ready scanning foundation with no usage limits or commercial restrictions.