https://github.com/google/osv-scanner

google/osv-scanner: Vulnerability scanner written in Go which uses the data provided by https://osv.dev (Apache-2.0 license)
# OSV-Scanner

Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies.

OSV-Scanner provides an officially supported frontend to the OSV database that connects a project's list of dependencies with the vulnerabilities that affect them. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:

- Each advisory comes from an open and authoritative source (e.g. the RustSec Advisory Database)
- Anyone can suggest improvements to advisories, resulting in a very high quality database
- The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer's list of packages

The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them.
## Table of Contents

- OSV-Scanner
  - Table of Contents
  - Installing
    - Package Managers
    - Install from source
    - SemVer Adherence
  - Usage
    - Scan a directory
    - Input an SBOM
    - Input a lockfile
    - Scanning a Debian based docker image packages (preview)
  - Configure OSV-Scanner
    - Ignore vulnerabilities by ID
  - JSON output
    - Output Format

## Installing

You may download the SLSA3 compliant binaries for Linux, macOS, and Windows from our releases page.

### Package Managers

If you're a Windows Scoop user, then you can install osv-scanner from the official bucket:

```bash
scoop install osv-scanner
```

### Install from source

Alternatively, you can install this from source by running:

```bash
$ go install github.com/google/osv-scanner/cmd/osv-scanner@v1
```

This requires Go 1.18+ to be installed.

### SemVer Adherence

All releases on the same Major version will be guaranteed to have backward compatible JSON output and CLI arguments.

## Usage

OSV-Scanner collects a list of dependencies and versions that are used in your project, before matching this list against the OSV database via the OSV.dev API. To build the list of dependencies, you can point OSV-Scanner at your project directory, or manually pass in the path to individual manifest files.

### Scan a directory

Walks through a list of directories to find:

- Lockfiles
- SBOMs
- git directories for the latest commit hash

which is used to build the list of dependencies to be matched against OSV vulnerabilities.

Can be configured to recursively walk through subdirectories with the `--recursive` / `-r` flag.

Searching for the git commit hash is intended to work with projects that use git submodules or a similar mechanism where dependencies are checked out as real git repositories.

#### Example

```bash
$ osv-scanner -r /path/to/your/dir
```

### Input an SBOM

SPDX and CycloneDX SBOMs using Package URLs are supported. The format is auto-detected based on the input file contents.
#### Example

```bash
$ osv-scanner --sbom=/path/to/your/sbom.json
```

### Input a lockfile

A wide range of lockfiles are supported by utilizing this lockfile package. This is the current list of supported lockfiles:

- `Cargo.lock`
- `package-lock.json`
- `yarn.lock`
- `pnpm-lock.yaml`
- `composer.lock`
- `Gemfile.lock`
- `go.mod`
- `mix.lock`
- `poetry.lock`
- `pubspec.lock`
- `pom.xml`\*
- `requirements.txt`\*
- `gradle.lockfile`
- `buildscript-gradle.lockfile`

#### Example

```bash
$ osv-scanner --lockfile=/path/to/your/package-lock.json -L /path/to/another/Cargo.lock
```

### Scanning a Debian based docker image packages (preview)

This tool will scrape the list of installed packages in a Debian image and query for vulnerabilities on them.

Currently only Debian based docker image scanning is supported.

Requires `docker` to be installed and the tool to have permission to call it.

This currently does not scan the filesystem of the Docker container, and has various other limitations. Follow this issue for updates on container scanning!

#### Example

```bash
$ osv-scanner --docker image_name:latest
```

## Configure OSV-Scanner

To configure scanning, place an `osv-scanner.toml` file in the scanned file's directory. To override this `osv-scanner.toml` file, pass the `--config=/path/to/config.toml` flag with the path to the configuration you want to apply instead.

Currently, there is only 1 option to configure:

### Ignore vulnerabilities by ID

To ignore a vulnerability, enter the ID under the `IgnoredVulns` key. Optionally, add an expiry date or reason.

#### Example

```toml
# Each ignored vulnerability is its own [[IgnoredVulns]] table; repeating the
# "id" key inside one table would be invalid TOML.
[[IgnoredVulns]]
id = "GO-2022-0968"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No ssh servers are connected to or hosted in Go lang"

[[IgnoredVulns]]
id = "GO-2022-1059"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No external http servers are written in Go lang."
```

## JSON output

By default osv-scanner outputs a human readable table. To have osv-scanner output JSON instead, pass the `--json` flag when calling osv-scanner.
When using the `--json` flag, only the JSON output will be printed to stdout, with all other outputs being directed to stderr. So to save only the JSON output to a file, you can redirect the output with `osv-scanner --json ... > /path/to/file.json`.

### Output Format

```json
{
  "results": [
    {
      "packageSource": {
        "path": "/absolute/path/to/go.mod",
        // One of: lockfile, sbom, git, docker
        "type": "lockfile"
      },
      "packages": [
        {
          "Package": {
            "name": "github.com/gogo/protobuf",
            "version": "1.3.1",
            "ecosystem": "Go"
          },
          "vulnerabilities": [
            {
              "id": "GHSA-c3h9-896r-86jm",
              "aliases": [
                "CVE-2021-3121"
              ],
              // ... Full OSV
            },
            {
              "id": "GO-2021-0053",
              "aliases": [
                "CVE-2021-3121",
                "GHSA-c3h9-896r-86jm"
              ],
              // ... Full OSV
            }
          ],
          // Grouping based on aliases: if two vulnerabilities share the same alias, or alias each other,
          // they are considered the same vulnerability and are grouped here under the "ids" field.
          "groups": [
            {
              "ids": [
                "GHSA-c3h9-896r-86jm",
                "GO-2021-0053"
              ]
            }
          ]
        }
      ]
    },
    {
      "packageSource": {
        "path": "/absolute/path/to/Cargo.lock",
        "type": "lockfile"
      },
      "packages": [
        {
          "Package": {
            "name": "regex",
            "version": "1.5.1",
            "ecosystem": "crates.io"
          },
          "vulnerabilities": [
            {
              "id": "GHSA-m5pq-gvj9-9vr8",
              "aliases": [
                "CVE-2022-24713"
              ],
              // ... Full OSV
            },
            {
              "id": "RUSTSEC-2022-0013",
              "aliases": [
                "CVE-2022-24713"
              ],
              // ... Full OSV
            }
          ],
          "groups": [
            {
              "ids": [
                "GHSA-m5pq-gvj9-9vr8",
                "RUSTSEC-2022-0013"
              ]
            }
          ]
        }
      ]
    }
  ]
}
```
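As an added example (not code from the osv-scanner project), the Go program below shows two things a wrapper around the scanner typically needs: it reads the `--json` output shape documented above and rebuilds the `groups` field from each entry's `id` and `aliases` with a small union-find, and it applies `[[IgnoredVulns]]` exceptions from the Configure section while honouring the `ignoreUntil` expiry date. Everything named here is this example's own: the struct names, `ParseOutput`, `GroupByAliases`, `IgnoreEntry`, `Active` and `FilterIgnored`; the sample JSON is a constructed, comment-free cut of the README's `go.mod` sample; TOML decoding is not shown (entries are built as Go values as a TOML library would produce them); and matching an exception against a vulnerability's own `id` only is a choice made for this example, not a statement about how osv-scanner itself matches.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Fields read from the --json output; "groups" is recomputed rather than parsed.
type Vulnerability struct {
	ID      string   `json:"id"`
	Aliases []string `json:"aliases"`
}
type Package struct {
	Package         struct{ Name, Version, Ecosystem string } // JSON keys match case-insensitively
	Vulnerabilities []Vulnerability
}
type Output struct {
	Results []struct{ Packages []Package }
}

// sampleOutput is a constructed, strict-JSON cut of the README's go.mod sample above.
const sampleOutput = `{"results": [{"packageSource": {"path": "/absolute/path/to/go.mod", "type": "lockfile"},
 "packages": [{"Package": {"name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go"},
  "vulnerabilities": [{"id": "GHSA-c3h9-896r-86jm", "aliases": ["CVE-2021-3121"]},
                      {"id": "GO-2021-0053", "aliases": ["CVE-2021-3121", "GHSA-c3h9-896r-86jm"]}]}]}]}`

// ParseOutput decodes osv-scanner --json output.
func ParseOutput(data []byte) (Output, error) {
	var out Output
	err := json.Unmarshal(data, &out)
	return out, err
}

// GroupByAliases rebuilds "groups": two entries share a group when they list a common
// alias or one lists the other's ID as an alias. Plain union-find over every identifier
// seen; only real vulnerability IDs land in the result, and the result is sorted.
func GroupByAliases(vulns []Vulnerability) [][]string {
	parent := map[string]string{} // identifier -> parent; absent means root
	find := func(x string) string {
		for p, ok := parent[x]; ok && p != x; p, ok = parent[x] {
			x = p
		}
		return x
	}
	for _, v := range vulns {
		for _, alias := range v.Aliases {
			parent[find(v.ID)] = find(alias) // union
		}
	}
	byRoot := map[string][]string{}
	for _, v := range vulns {
		byRoot[find(v.ID)] = append(byRoot[find(v.ID)], v.ID)
	}
	var groups [][]string
	for _, ids := range byRoot {
		sort.Strings(ids)
		groups = append(groups, ids)
	}
	sort.Slice(groups, func(i, j int) bool { return groups[i][0] < groups[j][0] }) // deterministic
	return groups
}

// IgnoreEntry is one [[IgnoredVulns]] table after TOML decoding (decoding is not shown;
// entries are constructed directly). A zero IgnoreUntil means the exception never expires.
type IgnoreEntry struct {
	ID          string
	IgnoreUntil time.Time
	Reason      string
}

// Active: an expired exception must not keep silencing the finding.
func (e IgnoreEntry) Active(now time.Time) bool {
	return e.IgnoreUntil.IsZero() || now.Before(e.IgnoreUntil)
}

// FilterIgnored drops vulnerabilities whose own ID has an active entry. Exact ID match
// only (this example's choice): an ignored ID's aliases still show up in their group.
func FilterIgnored(vulns []Vulnerability, entries []IgnoreEntry, now time.Time) []Vulnerability {
	kept := []Vulnerability{}
	for _, v := range vulns {
		ignored := false
		for _, e := range entries {
			ignored = ignored || (e.ID == v.ID && e.Active(now))
		}
		if !ignored {
			kept = append(kept, v)
		}
	}
	return kept
}

func main() {
	out, _ := ParseOutput([]byte(sampleOutput)) // constant input, error cannot occur
	// Constructed exception that expired on 2022-11-09: it must hide nothing today.
	expired := IgnoreEntry{ID: "GO-2021-0053", IgnoreUntil: time.Date(2022, 11, 9, 0, 0, 0, 0, time.UTC)}
	for _, p := range out.Results[0].Packages {
		kept := FilterIgnored(p.Vulnerabilities, []IgnoreEntry{expired}, time.Now())
		fmt.Println(p.Package.Name, GroupByAliases(kept))
	}
}
```

Run it with `go run`; the expired exception in `main` hides nothing, which is the check worth keeping in any wrapper around the scanner: once `ignoreUntil` has passed, the finding should surface again rather than stay silent. Because matching is by exact ID, suppressing `GO-2021-0053` alone would still leave `GHSA-c3h9-896r-86jm` reported in its group; the README above does not say whether osv-scanner itself also matches aliases, so confirm the tool's behaviour before relying on a single-ID exception.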