OSV-Scanner for Fast Dependency Risk Checks

Dependency risk never sits still. A clean build this morning can become a liability by the afternoon when a new advisory lands. That is why OSV-Scanner is worth a look right now. It is trending on GitHub, actively maintained by Google, and built around the open OSV.dev vulnerability database that many platform and security teams already trust.
What is OSV-Scanner?
OSV-Scanner is an open-source vulnerability scanner for application dependencies, Linux packages, and container images. It maps what your project actually uses to known advisories from authoritative upstream sources. The project supports a wide range of ecosystems, including npm, Python, Go, Java, Rust, PHP, Ruby, and Linux OS packages.
For SRE and platform teams, the appeal is simple: one CLI can scan a source tree, a lockfile set, or a container image without forcing you into a heavy commercial workflow.
Key Features
- Wide ecosystem coverage for common language package managers and Linux OS packages
- Container image scanning for base image and packaged dependency exposure
- Offline mode for environments that restrict outbound network access
- Guided remediation that can suggest safer upgrade paths for supported manifests and lockfiles
- CI-friendly CLI that works well in GitHub Actions, GitLab CI, and other pipelines
Installation
The official docs recommend downloading a prebuilt binary for your platform. If you want to build from source, you can use Go:
go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
You can also pull a release artifact from the OSV-Scanner releases page.
Usage
Scan a repository recursively for supported dependency files:
osv-scanner scan source -r .
Scan a container image before promotion:
osv-scanner scan image ghcr.io/example/app:latest
Run in offline mode; the second flag downloads the local databases so later runs can reuse them without network access:
osv-scanner --offline --download-offline-databases .
Operational Tips
Use OSV-Scanner early in CI, before deployment or image publication. That keeps vulnerable dependencies from moving deeper into the pipeline. For production-bound containers, pair image scanning with a policy gate so critical findings fail the build. In restricted environments, prepare the offline database on a connected runner and reuse it inside isolated networks.
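The policy gate described above, as an added example that is not part of the OSV-Scanner project: a small Python script that runs the scanner with its JSON output format, applies a severity threshold to each vulnerability group, and returns a non-zero exit code so the CI step fails. The report shape used here (results, packages, groups with a max_severity CVSS score string) is an assumption about what `osv-scanner --format json` emits and should be confirmed against the version you install; the sample report embedded below is constructed, and its advisory IDs are placeholders.

```python
"""CI policy gate over OSV-Scanner JSON output.

Added example, not code from the OSV-Scanner project. Assumed (labelled) details:
the report shape results[] -> packages[] -> groups[], with groups[].max_severity
holding a CVSS base score as a string, follows `osv-scanner --format json` as
understood at the time of writing; verify against the version you run.
"""
import json
import subprocess
from typing import Any, Dict, List

RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def severity_label(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative band."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def findings_at_or_above(report: Dict[str, Any], threshold: str,
                         fail_on_unknown: bool = True) -> List[Dict[str, str]]:
    """Return one record per vulnerability group that meets the threshold.

    A group whose max_severity is missing or unparsable is labelled UNKNOWN and,
    by default, also fails the gate: a missing score must never pass silently.
    """
    hits = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "<unknown source>")
        for entry in result.get("packages", []):
            pkg = entry.get("package", {})
            for group in entry.get("groups", []):
                try:
                    label = severity_label(float(group.get("max_severity", "")))
                except (TypeError, ValueError):
                    label = "UNKNOWN"
                if label == "UNKNOWN" and not fail_on_unknown:
                    continue
                if label != "UNKNOWN" and RANK[label] < RANK[threshold]:
                    continue
                hits.append({
                    "source": source,
                    "package": f"{pkg.get('ecosystem', '?')}/{pkg.get('name', '?')}"
                               f"@{pkg.get('version', '?')}",
                    "ids": ",".join(group.get("ids", [])),
                    "severity": label,
                })
    return hits


def run_scan(kind: str, targets: List[str]) -> Dict[str, Any]:
    """Run `osv-scanner scan <source|image> --format json <targets>` and parse the report.

    osv-scanner exits 1 when it finds vulnerabilities, so check=True would discard
    the report we want; only exit codes other than 0 and 1 are treated as failures.
    """
    cmd = ["osv-scanner", "scan", kind, "--format", "json", *targets]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"osv-scanner failed ({proc.returncode}): {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def gate_exit_code(hits: List[Dict[str, str]]) -> int:
    """0 lets the pipeline continue; 1 fails the build step."""
    return 1 if hits else 0


# Constructed sample report (not real scanner output): three groups at different severities.
SAMPLE_REPORT = {
    "results": [{
        "source": {"path": "/src/package-lock.json", "type": "lockfile"},
        "packages": [
            {"package": {"name": "libfoo", "version": "1.0.0", "ecosystem": "npm"},
             "groups": [{"ids": ["GHSA-xxxx-placeholder-1"], "max_severity": "9.8"}]},
            {"package": {"name": "libbar", "version": "2.3.1", "ecosystem": "npm"},
             "groups": [{"ids": ["GHSA-xxxx-placeholder-2"], "max_severity": "5.3"}]},
            {"package": {"name": "libbaz", "version": "0.9.0", "ecosystem": "npm"},
             "groups": [{"ids": ["GHSA-xxxx-placeholder-3"], "max_severity": ""}]},
        ],
    }],
}

if __name__ == "__main__":
    import sys
    # In CI, replace SAMPLE_REPORT with run_scan("image", ["ghcr.io/example/app:latest"]).
    hits = findings_at_or_above(SAMPLE_REPORT, "HIGH")
    for h in hits:
        print(f"{h['severity']:<9} {h['package']}  {h['ids']}  ({h['source']})")
    sys.exit(gate_exit_code(hits))
```

The gate fails closed on groups without a parsable score; set fail_on_unknown=False only once you have confirmed how your scanner version reports advisories that carry no CVSS data, otherwise an unscored critical advisory would slip through the build.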
If you test guided remediation, do it only on trusted projects. The official documentation notes that remediation can trigger package manager behavior and external registry access.
Conclusion
OSV-Scanner is a strong fit for teams that want open, scriptable dependency checks without a lot of platform overhead. It covers the basics well, scales into container and offline use cases, and produces results that are easier to act on than generic vulnerability noise.
Looking for an AI-powered platform to help your SRE team automate operations? Akmatori helps teams streamline incident response and infrastructure management. Backed by Gcore, we are building the future of intelligent operations.
