Automic VaultAutomic Vault

brew

Install osv-scanner with Homebrew, apk, Nix, pacman, scoop, winget, zypper

Vulnerability scanner which uses the OSV database. Version 2.4.0 via Homebrew; verified 2026-06-18.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install osv-scanner

local Homebrew formula metadata

Linux

Alpine Linux apkverified · 92%
sudo apk add osv-scanner

Alpine Linux edge package indexes · osv-scanner · source: dl-cdn.alpinelinux.org

Nixverified · 92%
nix profile install nixpkgs#osv-scanner

nixpkgs package indexes · pkgs/by-name/os/osv-scanner/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S osv-scanner

Arch Linux sync databases · osv-scanner · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install osv-scanner

openSUSE Tumbleweed package metadata · osv-scanner · source: download.opensuse.org

Windows

Scoopverified · 92%
scoop install main/osv-scanner

Scoop official bucket manifest trees · bucket/osv-scanner.json · source: api.github.com

Windows Package Managerverified · 92%
winget install --id Google.OSVScanner -e

Windows Package Manager source index · Google.OSVScanner · source: cdn.winget.microsoft.com

overview

Package summary

Vulnerability scanner which uses the OSV database

Commands and aliases

  • osv-scanner

history

Project history and usage

OSV-Scanner is Google's command-line vulnerability scanner for matching project dependencies, source trees, SBOMs, and container contents against the OSV.dev vulnerability database. It is significant because it turns the OSV schema and distributed advisory corpus into a developer-facing tool that package maintainers, security teams, and CI systems can run without buying into a proprietary advisory database.

Project history

Google's GitHub repository records `google/osv-scanner` as created on 2022-11-14, and the Google Online Security Blog announced OSV-Scanner on 2022-12-13 as a free tool from the Google Open Source Security Team. The announcement framed it as an access layer for OSV vulnerability information: it would scan manifests, lockfiles, SBOMs, and git directories, then report known vulnerabilities affecting the discovered packages.

The project later moved beyond a thin OSV lookup client. Its README describes OSV-Scanner as both the officially supported frontend to the OSV database and a CLI interface to OSV-Scalibr, Google's extraction/scanning library. The V2 line added broader package extraction, OS package detection, container image scanning, license scanning through deps.dev data, offline database downloads, and guided remediation workflows for selected ecosystems.

Adoption history

OSV-Scanner's adoption path is closely tied to OSV.dev itself. OSV.dev presents OSV as an open, precise, distributed vulnerability database and publishes GitHub workflows that run OSV-Scanner in CI/CD. That made the scanner useful not just as a local audit command, but also as a reusable supply-chain check for pull requests and scheduled repository scans.

Package-manager availability widened the audience beyond Go developers: the input metadata records packages for Homebrew, Alpine, Nix, Arch, Scoop, winget, and zypper. Homebrew packaging is especially important for a CLI security tool because it lets macOS developers add the scanner to local and CI environments with the same command style they use for other developer tools.

How it is used

Developers use OSV-Scanner to recursively scan a source directory, point it at lockfiles and manifests, scan SBOMs, or inspect container images. Its documented `scan source` and `scan image` modes cover the common package-nerd cases: checking npm, Go, Maven, PyPI, Cargo, RubyGems, Composer, NuGet, and other ecosystem metadata against advisories.

Security teams use it in automation because the output is tied to machine-readable OSV records and because it can run without a custom service. The README also documents offline scanning after downloading local OSV databases, which matters for reproducible audits and restricted build environments.

Why package nerds care

OSV-Scanner is package-nerd infrastructure: it operationalizes lockfile parsing, package URL/ecosystem mapping, advisory matching, and remediation suggestions. Its significance is not just that it scans dependencies, but that it exposes how much package metadata quality determines vulnerability precision.

The tool also sits at the intersection of multiple package ecosystems and OS package databases. For av.db-style metadata, it is a useful example of a CLI whose value comes from being able to understand many package managers consistently rather than from managing one package format deeply.

Timeline

  • 2022-11-14: GitHub records creation of `google/osv-scanner`.
  • 2022-12-13: Google announced OSV-Scanner on the Google Online Security Blog.
  • 2025-01-24: the project opened a discussion thread for OSV-Scanner V2 beta feedback.
  • 2026-06-18: GitHub release v2.4.0 added support including CycloneDX 1.7, more default source-scanning plugins, Alpine PURL distro qualifiers, Swift Package.resolved scanning, and Chisel container extraction.

Related projects

  • OSV.dev provides the vulnerability database and API that OSV-Scanner queries.
  • OSV-Scalibr provides extraction and scanning components used under the OSV-Scanner V2 architecture.
  • deps.dev supplies supplemental package data used by OSV-Scanner for dependency resolution, license scanning, container metadata, and package deprecation checks.

security posture

Risk level: red

escape, surveillance, or offensive capability signal.

Risk classifier

red risk · medium confidence · escape-surveillance-offensive

Why

  • escape, surveillance, or offensive capability signal

Signals

  • text:vulnerability scanner

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
osv-scanner.toml

executables

Installed executables

CommandKindExposureNote
osv-scannercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.4.0
manager updated2026-06-18
local dataok
upstreamcurrent
latest detectedv2.4.0

https://github.com/google/osv-scanner

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:osv-scanner
Version2.4.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/osv-scanner
Homepagehttps://google.github.io/osv-scanner/
Repositoryhttps://github.com/google/osv-scanner
Upstream docshttps://github.com/google/osv-scanner#readme
LicenseApache-2.0
Source archivehttps://github.com/google/osv-scanner/archive/refs/tags/v2.4.0.tar.gz
Last updated2026-06-18T16:37:24Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameosv-scanner
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

osv-scanner

nix profile install nixpkgs#osv-scanner
  • normalized package name match
  • Matched by: Osv Scanner
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/os/osv-scanner/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

osv-scanner 2.3.8-r1

Vulnerability scanner written in Go which uses the data provided by https://osv.dev

https://github.com/google/osv-scanner

sudo apk add osv-scanner
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: osv-scanner
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Osv Scanner
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: osv-scanner from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
pacman95%

osv-scanner 2.3.8-1

Vulnerability scanner written in Go which uses the data provided by https://osv.dev

https://github.com/google/osv-scanner

sudo pacman -S osv-scanner
  • License: Apache-2.0
  • Architecture: x86_64
  • 1 dependencies
  • normalized package name match
  • Matched by: Osv Scanner
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: osv-scanner from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

osv-scanner 2.3.8-1.1

Vulnerability scanner written in Go

https://github.com/google/osv-scanner

sudo zypper install osv-scanner
  • License: Apache-2.0
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: osv-scanner
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Osv Scanner
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: osv-scanner from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
Scoop95%

main/osv-scanner

scoop install main/osv-scanner
  • normalized package name match
  • Matched by: Osv Scanner
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/osv-scanner.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

Google.OSVScanner

winget install --id Google.OSVScanner -e
  • normalized package name match
  • Matched by: Osv Scanner
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: Google.OSVScanner from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment