OSV-Scanner Dependency Vulnerability Detector
OSV-Scanner is Google's open-source vulnerability scanner that checks project dependencies against the OSV.dev database. It supports 11+ language ecosystems including Go, Python, npm, Rust, Java, and Ruby, with guided remediation recommendations for discovered vulnerabilities.
npx skills add agentskillexchange/skills --skill osv-scanner-dependency-vulnerability-detector
OSV-Scanner (github.com/google/osv-scanner) is an open-source vulnerability scanner developed by Google that provides a frontend to the OSV.dev database and a CLI interface to OSV-Scalibr. It scans project dependency manifests and lockfiles to identify known vulnerabilities across a wide range of language ecosystems.
The scanner supports C/C++, Dart, Elixir, Go, Java, JavaScript, PHP, Python, R, Ruby, and Rust (and .NET via NuGet lockfiles), reading the manifests and lockfiles of their package managers: npm, yarn, pip, Maven, Go modules, Cargo, gem, Composer, NuGet, and others. Because it works from lockfiles where they exist, findings reflect the exact resolved versions, transitive dependencies included. It can also check operating system packages on Linux systems and scan container images for vulnerable packages in the base image and its installed layers.
What distinguishes OSV-Scanner from commercial scanners such as Snyk is that it relies entirely on the open OSV.dev database, which aggregates advisories from authoritative sources including GitHub Security Advisories, the RustSec Advisory Database, Ubuntu Security Notices, and ecosystem-specific databases. Each OSV record lists the affected packages by ecosystem and name together with the exact affected version ranges (introduced/fixed events), so a finding is a version-range match against the package in your lockfile rather than a fuzzy name match, which keeps false positives down. The database is community-curated, and anyone can propose corrections to an advisory.
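To make the range-matching point concrete, here is an added example (not OSV-Scanner's own code) that evaluates a package version against the `affected` section of an OSV record. The advisory is a constructed record in OSV schema shape with a fictitious ID and package name; the comparator covers only `SEMVER` ranges and explicit `versions` lists, whereas OSV-Scanner also handles `ECOSYSTEM` ranges using per-ecosystem version rules.

```python
"""Match package versions against an OSV advisory's affected ranges.

Added example, not part of OSV-Scanner. EXAMPLE_ADVISORY is a constructed
record in OSV schema shape (id and package name are fictitious).
"""
import re

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

# Constructed advisory: two affected intervals, [0, 1.2.3) and [2.0.0, 2.1.0],
# plus one explicitly listed affected version.
EXAMPLE_ADVISORY = {
    "id": "EXAMPLE-2024-0001",
    "affected": [
        {
            "package": {"ecosystem": "npm", "name": "example-lib"},
            "ranges": [
                {"type": "SEMVER", "events": [
                    {"introduced": "0"}, {"fixed": "1.2.3"},
                    {"introduced": "2.0.0"}, {"last_affected": "2.1.0"},
                ]}
            ],
            "versions": ["3.0.0-beta.1"],
        }
    ],
}


def semver_key(version: str) -> tuple:
    """Sortable key implementing semver precedence (build metadata ignored)."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + (1, ())  # a release outranks any prerelease of the same core
    ids = tuple(
        (0, int(i), "") if i.isdigit() else (1, 0, i)  # numeric ids sort before alphanumeric
        for i in pre.split(".")
    )
    return core + (0, ids)


def in_semver_events(events: list, version: str) -> bool:
    """Evaluate an OSV SEMVER event list: [introduced, fixed) or [introduced, last_affected]."""
    v = semver_key(version)
    start = None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
            continue
        bound = ev.get("fixed") or ev.get("last_affected")
        if bound is None:
            continue
        inclusive = "last_affected" in ev
        # "0" is the OSV sentinel for "from the first version ever published"
        if start is not None and (start == "0" or semver_key(start) <= v):
            b = semver_key(bound)
            if v < b or (inclusive and v == b):
                return True
        start = None
    # An introduced event with no later fixed/last_affected event is an open interval
    return start is not None and (start == "0" or semver_key(start) <= v)


def is_affected(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if (ecosystem, name, version) falls inside the advisory's affected set."""
    for aff in advisory.get("affected", []):
        pkg = aff.get("package", {})
        if (pkg.get("ecosystem"), pkg.get("name")) != (ecosystem, name):
            continue
        if version in aff.get("versions", []):
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") == "SEMVER" and in_semver_events(rng["events"], version):
                return True
    return False


if __name__ == "__main__":
    for ver in ["1.2.2", "1.2.3-rc.1", "1.2.3", "2.0.5", "2.1.0", "2.1.1", "3.0.0-beta.1"]:
        hit = is_affected(EXAMPLE_ADVISORY, "npm", "example-lib", ver)
        print(f"example-lib@{ver}: {'AFFECTED' if hit else 'ok'}")
```

Note the prerelease case: `1.2.3-rc.1` sorts below the `fixed` version `1.2.3` and is therefore still affected, which is exactly the kind of call a name-only matcher cannot make.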
OSV-Scanner also provides guided remediation (the `osv-scanner fix` subcommand), which recommends specific package version upgrades ranked by criteria including dependency depth, minimum severity, fix strategy (for example, updating only the lockfile in place versus relaxing version constraints in the manifest), and return on investment, roughly how many vulnerabilities each upgrade removes. This goes beyond simple vulnerability reporting by helping teams prioritize the upgrades with the most security impact for the least disruption; as with any automated upgrade, the proposed changes still need to be built and tested before they are merged.
The tool integrates with CI/CD pipelines through a GitHub Action (google/osv-scanner-action) that scans on pull requests and pushes and emits SARIF reports that GitHub Code Scanning can ingest; the CLI also exits non-zero when vulnerabilities are found, so it can gate builds directly. Its release binaries ship with SLSA Build Level 3 provenance, which is worth verifying before trusting a downloaded binary. With over 8,000 GitHub stars and active development by Google's Open Source Security Team, OSV-Scanner has become a widely adopted choice for open-source vulnerability detection in development workflows.
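Where the plain exit code is too blunt (it fails on any finding), a small gate over the scanner's JSON output lets a pipeline block only on findings above a severity threshold while still reporting the rest. The script below is an added example, not part of OSV-Scanner or its GitHub Action. `SAMPLE_REPORT` is a constructed document shaped like `osv-scanner --format json` output (`results` → `packages` → `vulnerabilities` and `groups`, with `groups[].max_severity` as a CVSS score string); confirm the shape against the version you run, since the exact fields are an assumption here. IDs and package names are fictitious.

```python
"""Gate a CI job on OSV-Scanner JSON output by severity threshold.

Added example, not part of OSV-Scanner. SAMPLE_REPORT is a constructed
document modelled on `osv-scanner --format json` output; verify the field
names against your installed version.
"""
import json
import sys

SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "/work/package-lock.json", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "example-lib", "version": "1.2.2", "ecosystem": "npm"},
                "vulnerabilities": [
                    {"id": "EXAMPLE-2024-0001", "aliases": ["EXAMPLE-CVE-0001"],
                     "summary": "constructed: prototype pollution in merge()"},
                ],
                "groups": [{"ids": ["EXAMPLE-2024-0001"],
                            "aliases": ["EXAMPLE-CVE-0001"], "max_severity": "7.5"}],
            },
            {
                "package": {"name": "other-lib", "version": "0.9.0", "ecosystem": "npm"},
                "vulnerabilities": [
                    {"id": "EXAMPLE-2024-0002", "aliases": [],
                     "summary": "constructed: ReDoS in parser"},
                ],
                "groups": [{"ids": ["EXAMPLE-2024-0002"], "aliases": [], "max_severity": "5.3"}],
            },
        ],
    }],
})


def findings(report_json: str) -> list:
    """Flatten a report into (source, ecosystem, name, version, ids, max_severity) rows.

    Groups, not individual vulnerabilities, are iterated: OSV-Scanner groups
    aliases (e.g. a GHSA and its CVE) so the same issue is not counted twice.
    """
    rows = []
    for result in json.loads(report_json).get("results", []):
        source = result.get("source", {}).get("path", "?")
        for pkg in result.get("packages", []):
            p = pkg["package"]
            for group in pkg.get("groups", []):
                score = float(group.get("max_severity") or 0.0)  # empty/missing means unscored
                rows.append((source, p["ecosystem"], p["name"], p["version"],
                             tuple(group["ids"]), score))
    return rows


def gate(report_json: str, threshold: float = 7.0, ignore_ids: set = frozenset()) -> tuple:
    """Split findings into (blocking, non_blocking); block when max_severity >= threshold.

    ignore_ids plays the role of an accepted-risk allow-list; in production the
    scanner's own config file is the better place for such exceptions.
    """
    blocking, other = [], []
    for row in findings(report_json):
        if set(row[4]) & ignore_ids or row[5] < threshold:
            other.append(row)
        else:
            blocking.append(row)
    return blocking, other


if __name__ == "__main__":
    # Pipe real output in: osv-scanner --format json --recursive . | python3 gate.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    blocking, other = gate(data)
    for src, eco, name, ver, ids, score in blocking:
        print(f"BLOCK {eco}/{name}@{ver} {score:.1f} {','.join(ids)} ({src})")
    for src, eco, name, ver, ids, score in other:
        print(f"note  {eco}/{name}@{ver} {score:.1f} {','.join(ids)} ({src})")
    sys.exit(1 if blocking else 0)
```

Because OSV-Scanner itself returns a non-zero exit status when it finds anything, run it with the pipe as shown and let the gate, not the scanner's status, decide the job result; unscored findings (empty `max_severity`) are treated as 0.0 here, so decide deliberately whether that is the policy you want.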