
osv-scanner

Google's vulnerability scanner using the OSV database

Open Source

OSV-Scanner is Google's official open-source vulnerability scanner that checks your project's dependencies against the OSV.dev database — the largest open vulnerability database covering all major ecosystems. Written in Go, it supports lockfiles from npm, pip, Maven, Cargo, Go modules, and more, providing actionable remediation guidance and CI/CD integration for automated security scanning.

OSV-Scanner is an open-source vulnerability scanning tool developed by Google that uses the OSV.dev database — the most comprehensive open vulnerability database available. Unlike commercial scanners that maintain proprietary vulnerability databases with varying coverage, OSV aggregates data from dozens of sources including the National Vulnerability Database, GitHub Security Advisories, and ecosystem-specific databases for npm, PyPI, crates.io, Go, Maven, and more. This gives OSV-Scanner exceptionally broad coverage across all major programming language ecosystems.

The scanner analyzes lockfiles, SBOMs (Software Bills of Materials), and container images to identify known vulnerabilities in your dependencies. It supports package managers across the entire developer spectrum: npm and yarn for JavaScript, pip and Poetry for Python, Maven and Gradle for Java, Cargo for Rust, Go modules, NuGet for .NET, and many more. Results include severity ratings, affected version ranges, and remediation guidance with the minimum version upgrade needed to resolve each vulnerability. The guided remediation feature intelligently suggests the least disruptive upgrade path across your dependency tree.

With over 8,600 GitHub stars and Apache-2.0 licensing, OSV-Scanner integrates into CI/CD pipelines through GitHub Actions, GitLab CI, and direct CLI invocation. It can scan entire monorepos, individual packages, or container images, and supports both offline and online modes. For development teams implementing supply chain security practices — increasingly critical after high-profile incidents like the Log4j vulnerability and the recent axios compromise — OSV-Scanner provides a Google-backed, production-ready scanning foundation with no usage limits or commercial restrictions.

Pricing

Free and open source (Apache-2.0). No usage limits. Uses the free OSV.dev database.

Platforms

CLI tool for macOS, Linux, Windows. Docker image available. CI/CD integrations for GitHub Actions and GitLab.

Alternatives

Snyk

Developer-first security platform

Snyk is the leading developer security platform, providing continuous scanning for vulnerabilities in code (SAST), open-source dependencies (SCA), container images, and infrastructure as code. It integrates directly into IDEs, Git repositories, CI/CD pipelines, and container registries, and features AI-powered fix suggestions, license compliance checking, and a real-time vulnerability database. Free for individual developers, with paid plans for teams. Supports 30+ programming languages.

Freemium

garak

NVIDIA's LLM vulnerability scanner and red-teaming tool

garak is NVIDIA's open-source LLM vulnerability scanner for red-teaming AI models and applications. Probes for prompt injection, data leakage, hallucination, toxicity, encoding-based attacks, and dozens of other vulnerability categories. Runs automated attack sequences against any LLM endpoint and generates detailed vulnerability reports. Features a modular probe/detector architecture that is extensible with custom attack patterns. Named after the Star Trek character known for deception.

Open Source

Shannon

Autonomous AI pentester for web apps and APIs

Shannon is an autonomous white-box AI pentesting tool for web applications and APIs. It analyzes authorized source code, identifies attack vectors, attempts proof-by-exploitation, and produces remediation-ready reports. Shannon Lite is AGPL-3.0 for local use, while Shannon Pro is the commercial Keygraph platform for continuous security testing.

Freemium, Open Source

Related Tools

Safari MCP Server

Apple's Safari-native MCP server for web debugging agents

Safari MCP Server is Apple's safaridriver-based MCP server in Safari Technology Preview, giving compatible coding agents local access to Safari page content, console logs, network requests, screenshots, JavaScript evaluation, interactions, viewport controls, and accessibility/performance checks.

Free, Telemetry

Agent Governance Toolkit

Microsoft’s public-preview runtime governance toolkit for policy, identity, sandboxing, audit, and MCP security around AI agents.

Agent Governance Toolkit is Microsoft’s MIT-licensed public-preview toolkit for governing AI agent runtimes. It adds policy enforcement, zero-trust identity, execution sandboxing, audit, reliability, and MCP security-gateway patterns around tool calls and autonomous actions, helping platform teams move beyond prompt-only guardrails while preserving architecture review requirements.

Open Source, Telemetry

Baz

Telemetry-aware AI code reviewer that checks how pull requests may affect real services.

Baz is an AI code-review platform focused on production-aware pull requests. Instead of only reading the diff, Baz connects code changes to application telemetry so reviewers can understand what endpoints, services, and runtime behavior may be affected. That makes it a useful complement to existing AI PR bots when the question is not just whether a change looks correct, but whether it could break a live system.

Freemium, Telemetry

Rampart

Microsoft’s pytest-native red teaming framework for turning AI agent safety findings into CI tests.

RAMPART is an open-source Microsoft framework for safety and security testing of agentic AI applications. It brings red-team findings into a pytest-native workflow so teams can turn prompt injection, unsafe tool use, and behavioral boundary failures into repeatable regression tests. The strongest aicoolies angle is developer workflow: RAMPART makes agent safety part of CI/CD instead of a one-off security review.

Open Source

Statewright

State-machine guardrails for controlling which tools AI coding agents can use at each phase.

Statewright is a guardrail layer for AI coding agents that uses explicit state machines to control what an agent can do at each stage of a workflow. Instead of relying only on prompt instructions, teams can model phases such as plan, implement, test, and review, then constrain tool access for clients like Claude Code, Codex, Cursor, opencode, and related MCP workflows.

Open Source

Requestly

One tool for intercepting, mocking, and replaying HTTP — acquired by BrowserStack

Requestly is a BrowserStack-backed API client, HTTP interceptor, mock server, and session replay tool for frontend and QA teams. Its current product is commercial and API-client led, while the legacy interceptor and open-source code is AGPLv3. The free plan covers individual workflows, and Pro lists at $12/user/month billed monthly or $9/user/month billed annually for collaborative QA and frontend debugging teams.

Freemium