Comprehensive documentation is available here.
An instance of OSV's web UI is deployed at https://osv.dev.
We provide a Go based tool that will scan your dependencies, and check them against the OSV database for known vulnerabilities via the OSV API.
Currently it is able to scan various lockfiles, debian docker containers, SPDX and CycloneDB SBOMs, and git repositories.
The scanner is located in it's own repository.
This repository contains all the code for running https://osv.dev on GCP. This consists of:
- API server (
gcp/api) - Web interface (
gcp/appengine) - Workers for bisection and impact analysis (
docker/worker)
You'll need to check out submodules as well for many local building steps to work:
git submodule update --init --recursiveContributions are welcome!
Learn more about code and data contributions. We also have a mailing list.
Do you have a question or a suggestion? Please open an issue.
There are also community tools that use OSV. Note that these are community built tools and unsupported by the core OSV maintainers.
- Betterscan.io: Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC)
- bomber
- Cortex XSOAR
- Dependency-Track
- dep-scan
- EZE-CLI: The one stop shop for security testing in modern development
- Golang support for the schema
- G-Rath/osv-detector: A scanner that uses the OSV database.
- it-depends
- .NET client library and support for the schema
- OSS Review Toolkit
- Packj
- pip-audit
- Renovate
- Rust client library
- Skjold: Security audit python project dependencies against several security advisory databases
- Trivy
Feel free to send a PR to add your project here.