[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-5058":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":25,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":31,"readmeContent":32,"aiSummary":33,"trendingCount":16,"starSnapshotCount":16,"syncStatus":34,"lastSyncTime":35,"discoverSource":36},5058,"osv-scanner","google\u002Fosv-scanner","google","Vulnerability scanner written in Go which uses the data provided by https:\u002F\u002Fosv.dev","https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002F",null,"Go",10489,718,72,94,0,7,53,353,44,112.57,"Apache License 2.0",false,"main",true,[27,28,29,30],"scanner","security-audit","security-tools","vulnerability-scanner","2026-06-12 04:00:24","\u003Cpicture>\n    \u003Csource srcset=\"\u002Fdocs\u002Fimages\u002Fosv-scanner-full-logo-darkmode.svg\"  media=\"(prefers-color-scheme: dark)\">\n    \u003C!-- markdown-link-check-disable-next-line -->\n    \u003Cimg src=\"\u002Fdocs\u002Fimages\u002Fosv-scanner-full-logo-lightmode.svg\">\n\u003C\u002Fpicture>\n\n---\n\n[![OpenSSF Scorecard](https:\u002F\u002Fapi.securityscorecards.dev\u002Fprojects\u002Fgithub.com\u002Fgoogle\u002Fosv-scanner\u002Fbadge)](https:\u002F\u002Fscorecard.dev\u002Fviewer\u002F?uri=github.com\u002Fgoogle\u002Fosv-scanner)\n[![Go Report 
Card](https:\u002F\u002Fgoreportcard.com\u002Fbadge\u002Fgithub.com\u002Fgoogle\u002Fosv-scanner)](https:\u002F\u002Fgoreportcard.com\u002Freport\u002Fgithub.com\u002Fgoogle\u002Fosv-scanner)\n[![codecov](https:\u002F\u002Fcodecov.io\u002Fgh\u002Fgoogle\u002Fosv-scanner\u002Fgraph\u002Fbadge.svg?token=C8IDVX9LP5)](https:\u002F\u002Fcodecov.io\u002Fgh\u002Fgoogle\u002Fosv-scanner)\n[![SLSA 3](https:\u002F\u002Fslsa.dev\u002Fimages\u002Fgh-badge-level3.svg)](https:\u002F\u002Fslsa.dev)\n[![GitHub Release](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Frelease\u002Fgoogle\u002Fosv-scanner)](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fosv-scanner\u002Freleases)\n\nUse OSV-Scanner to find existing vulnerabilities affecting your project's dependencies.\nOSV-Scanner provides an officially supported frontend to the [OSV database](https:\u002F\u002Fosv.dev\u002F) and CLI interface to [OSV-Scalibr](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fosv-scalibr) that connects a project’s list of dependencies with the vulnerabilities that affect them.\n\nOSV-Scanner supports a wide range of project types, package managers and features, including but not limited to:\n\n- **Languages:** C\u002FC++, Dart, Elixir, Go, Java, Javascript, PHP, Python, R, Ruby, Rust.\n- **Package Managers:** npm, pip, yarn, maven, go modules, cargo, gem, composer, nuget and others.\n- **Operating Systems:** Detects vulnerabilities in OS packages on Linux systems.\n- **Containers:** Scans container images for vulnerabilities in their base images and included packages.\n- **Guided Remediation:** Provides recommendations for package version upgrades based on criteria such as dependency depth, minimum severity, fix strategy, and return on investment.\n\nOSV-Scanner uses the extensible [OSV-Scalibr](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fosv-scalibr) library under the hood to provide this functionality. 
If a language or package manager is not supported currently, please file a [feature request.](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fosv-scanner\u002Fissues)\n\n#### Underlying database\n\nThe underlying database, [OSV.dev](https:\u002F\u002Fosv.dev\u002F) has several benefits in comparison with closed source advisory databases and scanners:\n\n- Covering most open source language and OS ecosystems (including [Git](https:\u002F\u002Fosv.dev\u002Flist?q=&ecosystem=GIT)), it’s comprehensive.\n- Each advisory comes from an open and authoritative source (e.g. [GitHub Security Advisories](https:\u002F\u002Fgithub.com\u002Fgithub\u002Fadvisory-database), [RustSec Advisory Database](https:\u002F\u002Fgithub.com\u002Frustsec\u002Fadvisory-db), [Ubuntu security notices](https:\u002F\u002Fgithub.com\u002Fcanonical\u002Fubuntu-security-notices\u002Ftree\u002Fmain\u002Fosv))\n- Anyone can suggest improvements to advisories, resulting in a very high quality database.\n- The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages\n\nThe above all results in accurate and actionable vulnerability notifications, which reduces the time needed to resolve them. Check out [OSV.dev](https:\u002F\u002Fosv.dev\u002F) for more details!\n\n## Basic installation\n\nTo install OSV-Scanner, please refer to the [installation section](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Finstallation) of our documentation. OSV-Scanner releases can be found on the [releases page](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fosv-scanner\u002Freleases) of the GitHub repository. The recommended method is to download a prebuilt binary for your platform. 
Alternatively, you can use\n`go install github.com\u002Fgoogle\u002Fosv-scanner\u002Fv2\u002Fcmd\u002Fosv-scanner@latest` to build it from source.\n\n## Key Features\n\nFor more information, please read our [detailed documentation](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner) to learn how to use OSV-Scanner. For detailed information about each feature, click their titles in this README.\n\nPlease note: These are the instructions for the latest OSV-Scanner V2 beta. If you are using V1, checkout the V1 [README](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fosv-scanner-v1) and [documentation](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner-v1\u002F) instead.\n\n### [Scanning a source directory](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fusage)\n\n```bash\n$ osv-scanner scan source -r \u002Fpath\u002Fto\u002Fyour\u002Fdir\n```\n\nThis command will recursively scan the specified directory for any supported package files, such as `package.json`, `go.mod`, `pom.xml`, etc. and output any discovered vulnerabilities.\n\nOSV-Scanner has the option of using call analysis to determine if a vulnerable function is actually being used in the project, resulting in fewer false positives, and actionable alerts.\n\nOSV-Scanner can also detect vendored C\u002FC++ code for vulnerability scanning. See [here](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fusage\u002F#cc-scanning) for details.\n\n#### Supported Lockfiles\n\nOSV-Scanner supports 11+ language ecosystems and 19+ lockfile types. 
To check if your ecosystem is covered, please check out our [detailed documentation](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fsupported-languages-and-lockfiles\u002F#supported-lockfiles).\n\n### [Container Scanning](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fusage\u002Fscan-image)\n\nOSV-Scanner also supports comprehensive, layer-aware scanning for container images to detect vulnerabilities in the following operating system packages and language-specific dependencies.\n\n| Distro Support | Language Artifacts Support |\n| -------------- | -------------------------- |\n| Alpine OS      | Go                         |\n| Debian         | Java                       |\n| Ubuntu         | Node                       |\n|                | Python                     |\n\nSee the [full documentation](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fsupported-languages-and-lockfiles\u002F#supported-artifacts) for details on support.\n\n**Usage**:\n\n```bash\n$ osv-scanner scan image my-image-name:tag\n```\n\n![screencast of html output of container scanning](https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F8bb95366-27ec-45d1-86ed-e42890f2fb46)\n\n### [License Scanning](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fusage\u002Flicense-scanning\u002F)\n\nCheck your dependencies' licenses using deps.dev data. For a summary:\n\n```bash\nosv-scanner --licenses path\u002Fto\u002Frepository\n```\n\nTo check against an allowed license list (SPDX format):\n\n```bash\nosv-scanner --licenses=\"MIT,Apache-2.0\" path\u002Fto\u002Fdirectory\n```\n\n### [Offline Scanning](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fusage\u002Foffline-mode\u002F)\n\nScan your project against a local OSV database. No network connection is required after the initial database download. 
The database can also be manually downloaded.\n\n```bash\nosv-scanner --offline --download-offline-databases .\u002Fpath\u002Fto\u002Fyour\u002Fdir\n```\n\n### [Guided Remediation](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fexperimental\u002Fguided-remediation\u002F) (Experimental)\n\n> [!WARNING]\n> Guided remediation (the `fix` command) can be risky when run on untrusted projects. It may trigger the package manager to execute scripts or follow external registries specified in the project. Please ensure you trust the source code and artifacts before proceeding.\n\nOSV-Scanner provides guided remediation, a feature that suggests package version upgrades based on criteria such as dependency depth, minimum severity, fix strategy, and return on investment.\nWe currently support remediating vulnerabilities in the following files:\n\n| Ecosystem | File Format (Type)             | Supported Remediation Strategies                                                                                       |\n| :-------- | :----------------------------- | :--------------------------------------------------------------------------------------------------------------------- |\n| npm       | `package-lock.json` (lockfile) | [`in-place`](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fexperimental\u002Fguided-remediation\u002F#in-place-lockfile-changes)          |\n| npm       | `package.json` (manifest)      | [`relock`](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fexperimental\u002Fguided-remediation\u002F#relock-and-relax-direct-dependencies) |\n| Maven     | `pom.xml` (manifest)           | [`override`](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fexperimental\u002Fguided-remediation\u002F#override-dependency-versions)       |\n\nThis is available as a headless CLI command, as well as an interactive mode.\n\n#### Example (for npm)\n\n```bash\n$ osv-scanner fix \\\n    --max-depth=3 \\\n    --min-severity=5 \\\n    --ignore-dev  \\\n  
  --strategy=in-place \\\n    -L path\u002Fto\u002Fpackage-lock.json\n```\n\n#### Interactive mode (for npm)\n\n```bash\n$ osv-scanner fix \\\n    -M path\u002Fto\u002Fpackage.json \\\n    -L path\u002Fto\u002Fpackage-lock.json\n```\n\n\u003Cimg src=\"https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fimages\u002Fguided-remediation-relock-patches.png\" alt=\"Screenshot of the interactive relock results screen with some relaxation patches selected\">\n\n## Data Sources and Privacy\n\nOSV-Scanner communicates with the following external services during operation:\n\n### [OSV.dev API](https:\u002F\u002Fosv.dev\u002F)\n\nThe primary data source for vulnerability information. OSV-Scanner queries this API to check packages for known vulnerabilities and to identify vendored C\u002FC++ dependencies. Data sent includes package names, versions, ecosystems, and file hashes. Use [`--offline` mode](https:\u002F\u002Fgoogle.github.io\u002Fosv-scanner\u002Fusage\u002Foffline-mode\u002F) to disable network requests and scan against a local database instead.\n\n### [deps.dev API](https:\u002F\u002Fdocs.deps.dev\u002Fapi\u002F)\n\nUsed for supplementary package information:\n\n- **Dependency resolution**: Resolves dependency graphs for vulnerability scanning and remediation\n- **Container image scanning**: Queries container image metadata for vulnerability detection\n- **License scanning** (`--licenses` flag): Retrieves license information for packages\n- **Package deprecation**: Checks if packages are deprecated\n\nData sent includes package names, versions, and ecosystems. 
No source code is transmitted.\n\n### Package Registries\n\nWhen using a native registry for dependency resolution (instead of deps.dev), OSV-Scanner may query:\n\n| Registry      | URL                            | Used For                             |\n| ------------- | ------------------------------ | ------------------------------------ |\n| Maven Central | `repo.maven.apache.org\u002Fmaven2` | Maven package metadata and POM files |\n| npm Registry  | `registry.npmjs.org`           | npm package metadata                 |\n| PyPI          | `pypi.org`                     | Python package metadata              |\n\n## Contribute\n\n### Report Problems\n\nIf you have what looks like a bug, please use the [GitHub issue tracking system](https:\u002F\u002Fgithub.com\u002Fgoogle\u002Fosv-scanner\u002Fissues). Before you file an issue, please search existing issues to see if your issue is already covered.\n\n### Contributing code to `osv-scanner`\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for documentation on how to contribute code.\n\n## Star History\n\n[![Star History Chart](https:\u002F\u002Fapi.star-history.com\u002Fsvg?repos=google\u002Fosv-scanner&type=Date)](https:\u002F\u002Fwww.star-history.com\u002F#google\u002Fosv-scanner&Date)\n","google\u002Fosv-scanner is a vulnerability scanning tool written in Go that uses data provided by osv.dev to detect known security vulnerabilities in a project's dependencies. It supports many programming languages (such as C\u002FC++, Go and Java) and package managers (such as npm, pip and maven), and can scan operating system packages on Linux systems as well as vulnerabilities inside container images. In addition, the tool offers remediation suggestions based on criteria such as dependency depth and minimum severity. osv-scanner is suited to the security audit stage of software development, helping developers find and resolve potential security risks early.",2,"2026-06-11 03:02:17","top_language"]