How Google’s OSV-Scanner Helps Secure Your Open‑Source Dependencies

Google’s open‑source OSV‑Scanner provides a powerful front‑end to the OSV vulnerability database, allowing developers to scan directories, SBOMs, and Docker images for known security issues across 16 ecosystems, outputting results in JSON or table format and supporting ignore rules for specific vulnerabilities.


Google has released OSV‑Scanner, an open‑source tool that serves as a front‑end interface to the OSV vulnerability database.

The OSV database stores security and vulnerability information in a distributed, OSV‑format JSON schema covering 16 ecosystems, including major programming languages, Linux distributions (Debian, Alpine), Android, the Linux kernel, and OSS‑Fuzz.

OSV‑Scanner can analyze a project's dependency list, software bill of materials (SBOM), or commit hashes to identify used dependencies, query the OSV database, and present relevant vulnerabilities in a table or optional JSON‑formatted OSV report.

The OSV format provides a machine‑readable JSON model that enforces version specifications consistent with the naming and packaging of open‑source components. Google engineers Oliver Chang and Russ Cox note that this approach can describe vulnerabilities across any open‑source ecosystem without requiring ecosystem‑specific logic.
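The following is an added example, not code from OSV-Scanner or the OSV project, showing what the machine-readable version model buys a consumer: a small evaluator that takes an OSV-format advisory and decides whether a given package version falls inside one of its affected ranges. It follows the published OSV schema fields (affected[].package, affected[].ranges[].events with introduced / fixed / last_affected, affected[].versions) as the author of this example understands them; the advisory id, package name and version numbers are constructed, and only SEMVER/ECOSYSTEM ranges with dotted numeric versions are handled (GIT commit ranges need repository history and are skipped).

```python
"""Evaluate an OSV-format advisory against a package version.

Added example, not OSV-Scanner's own matching code. Semantics applied per range:
events are ordered by version, "introduced" opens an affected interval
(inclusive), "fixed" closes it (exclusive), "last_affected" closes it (inclusive),
and "0" as introduced means "from the very first version".
"""
import json

# Constructed sample advisory in OSV JSON format; id, package and versions are made up.
ADVISORY_JSON = """
{
  "id": "EXAMPLE-2024-0001",
  "summary": "constructed example: path traversal in archive extraction",
  "affected": [
    {
      "package": {"ecosystem": "Go", "name": "example.com/archiver"},
      "ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "0"}, {"fixed": "1.2.4"},
                    {"introduced": "2.0.0"}, {"fixed": "2.0.2"}]}
      ]
    }
  ]
}
"""
ADVISORIES = [json.loads(ADVISORY_JSON)]


def parse_version(version):
    """'v1.2.4-rc1+build' -> (1, 2, 4). Pre-release/build tags are dropped, so
    comparison is purely numeric; '0' becomes (0,), which sorts before everything."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def affected_intervals(events):
    """Turn one range's events into [(lower, upper or None, upper_inclusive)]."""
    def key(event):
        return parse_version(next(iter(event.values())))

    intervals, lower = [], None
    for event in sorted(events, key=key):
        if "introduced" in event:
            lower = parse_version(event["introduced"])
        elif lower is None:
            continue  # a close event with no open interval: malformed, ignore
        elif "fixed" in event:
            intervals.append((lower, parse_version(event["fixed"]), False))
            lower = None
        elif "last_affected" in event:
            intervals.append((lower, parse_version(event["last_affected"]), True))
            lower = None
    if lower is not None:
        intervals.append((lower, None, False))  # introduced but not yet fixed
    return intervals


def version_in_intervals(version, intervals):
    v = parse_version(version)
    for lower, upper, inclusive in intervals:
        if v < lower:
            continue
        if upper is None or v < upper or (inclusive and v == upper):
            return True
    return False


def entry_covers(entry, ecosystem, name, version):
    """True if one affected[] entry applies to (ecosystem, name, version)."""
    pkg = entry.get("package", {})
    if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
        return False
    if version in entry.get("versions", []):  # explicit enumerated versions
        return True
    return any(
        version_in_intervals(version, affected_intervals(rng["events"]))
        for rng in entry.get("ranges", [])
        if rng.get("type") in ("SEMVER", "ECOSYSTEM")
    )


def affected_advisories(advisories, ecosystem, name, version):
    """Ids of advisories whose affected entries cover the given package version."""
    return [adv["id"] for adv in advisories
            if any(entry_covers(e, ecosystem, name, version) for e in adv.get("affected", []))]


if __name__ == "__main__":
    for ver in ("1.2.3", "1.2.4", "1.5.0", "2.0.1", "2.0.2"):
        print(ver, affected_advisories(ADVISORIES, "Go", "example.com/archiver", ver))
```

Because the interval logic lives in `affected_intervals` and `version_in_intervals`, the same code serves every ecosystem that uses SEMVER or ECOSYSTEM ranges; the only ecosystem-specific piece is `parse_version`, which would need the ecosystem's own ordering rules for non-numeric version strings.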

Typical usage includes scanning a directory recursively:

osv-scanner -r /path/to/your/dir

The -r flag enables recursive scanning. OSV‑Scanner supports SPDX and CycloneDX SBOMs containing package URLs, and many lock files such as yarn.lock, composer.lock, go.mod, and Gemfile.lock.

It can also scan the installed packages in a Debian image:

$ osv-scanner --docker image_name:latest

Docker must be installed; the tool does not scan the container’s filesystem. Additional details are available in the GitHub issue tracker.

OSV‑Scanner allows configuring ignored vulnerabilities by ID, with optional expiration dates and reasons, using an IgnoredVulns section in the configuration file:

[[IgnoredVulns]]
id = "GO-2022-0968"
# ignoreUntil = 2022-11-09
reason = "No ssh servers are connected to or hosted in Go lang"

The scanner is integrated into the OpenSSF Scorecard for automated security checks of open‑source projects.

Future enhancements, shared by Google engineer Rex Pan, aim to add a standalone CI action for deeper workflow integration and improve C/C++ support by adding precise commit‑level metadata to CVE entries.

OSV‑Scanner is available on GitHub under the Apache License 2.0.


Tags: dependency management, SBOM, vulnerability scanning, open source security, OSV-Scanner
Written by 21CTO

21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.