GitHub - google/osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev
- #Open Source Security
- #Vulnerability Scanner
- #Dependency Management
- OSV-Scanner is a CLI tool that scans project dependencies to find known vulnerabilities using the OSV database.
- It supports a wide range of languages (e.g., C/C++, Go, Java, Python, Rust), package managers (e.g., npm, pip, Maven), operating systems, and container images.
- The tool offers features like call analysis to reduce false positives, guided remediation for version upgrades, and offline scanning with a local database.
- OSV-Scanner queries external services such as api.osv.dev for vulnerabilities and deps.dev for package information, with options for offline use.
- Guided remediation is experimental, supports the npm and Maven ecosystems, and carries risks such as executing scripts from untrusted projects.
- Users can install via prebuilt binaries or build from source, with detailed documentation available for usage and contribution.