OSV-Scanner

Open Source Vulnerability database scanner from Google.

OSV-Scanner is the third leg of HarborGuard's CVE coverage tripod (alongside Trivy and Grype). It uses the OSV.dev advisory feed, which aggregates GHSA, PyPA, RustSec and many other ecosystem-specific databases, and maps CVEs to language-package coordinates with stronger version-range correctness than NVD-only scanners.

What it scans

  • Lockfiles for npm, PyPI, RubyGems, crates.io, NuGet, Maven, Hex, Go modules, Pub, Composer
  • OS packages with OSV-canonicalized advisories
  • Git-pinned dependencies (when commit SHAs are present)

When to use it

  • Catches advisories Trivy misses for newer ecosystems.
  • Strong on lockfile-based scanning (npm, pip, cargo).
  • Required for some SLSA Level 3 attestation paths.

How HarborGuard runs OSV-Scanner

  1. Deduplicated against Trivy and Grype — same CVE ID merges into one finding.
  2. OSV reachability metadata preserved in the finding's sources entry.
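The merge step described above, as an added illustration that is not HarborGuard's own code: findings from the three scanners are keyed by CVE ID (resolving an OSV GHSA id to its CVE alias where one exists) and collapsed into one finding whose `sources` list keeps a per-scanner entry, including the OSV reachability metadata. The finding shape, field names and sample IDs are constructed for the example.

```python
# Added example (not HarborGuard's code): merge findings from three
# scanners by CVE ID, keeping one `sources` entry per scanner. Sample
# findings and the schema are constructed for illustration.
from collections import OrderedDict

# Constructed findings, already normalised to one shape per scanner.
# OSV advisories often carry a GHSA id with the CVE under "aliases".
TRIVY = [{"id": "CVE-0000-1111", "pkg": "libfoo", "version": "1.2.3"}]
GRYPE = [{"id": "CVE-0000-1111", "pkg": "libfoo", "version": "1.2.3"}]
OSV = [
    {"id": "GHSA-xxxx-xxxx-xxx1", "aliases": ["CVE-0000-1111"],
     "pkg": "libfoo", "version": "1.2.3", "reachability": {"called": True}},
    {"id": "GHSA-xxxx-xxxx-xxx2", "aliases": [],
     "pkg": "libbar", "version": "0.9.0", "reachability": None},
]


def canonical_id(finding):
    """Prefer a CVE id so one advisory merges regardless of scanner."""
    for cand in [finding["id"]] + finding.get("aliases", []):
        if cand.startswith("CVE-"):
            return cand
    return finding["id"]  # no CVE alias: keep the ecosystem id


def merge_findings(scanner_results):
    """scanner_results: {scanner name: [finding, ...]}.

    Returns one finding per (canonical id, package, version) with a
    `sources` list naming each scanner that reported it; OSV
    reachability metadata is kept on that scanner's source entry.
    """
    merged = OrderedDict()
    for scanner, findings in scanner_results.items():
        for f in findings:
            key = (canonical_id(f), f["pkg"], f["version"])
            entry = merged.setdefault(key, {
                "id": key[0], "pkg": f["pkg"], "version": f["version"],
                "aliases": set(), "sources": []})
            entry["aliases"].update([f["id"]] + f.get("aliases", []))
            entry["aliases"].discard(key[0])
            source = {"scanner": scanner}
            if f.get("reachability") is not None:
                source["reachability"] = f["reachability"]
            entry["sources"].append(source)
    return list(merged.values())
```

An advisory that only one scanner reports, with no CVE alias, survives under its ecosystem id rather than being dropped.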

Output formats

JSON, Table, SARIF