macOS
brew install osv-scannerlocal Homebrew formula metadata
brew
Vulnerability scanner which uses the OSV database. Version 2.4.0 via Homebrew; verified 2026-06-18.
install
brew install osv-scannerlocal Homebrew formula metadata
sudo apk add osv-scannerAlpine Linux edge package indexes · osv-scanner · source: dl-cdn.alpinelinux.org
nix profile install nixpkgs#osv-scannernixpkgs package indexes · pkgs/by-name/os/osv-scanner/package.nix · source: api.github.com
sudo pacman -S osv-scannerArch Linux sync databases · osv-scanner · source: geo.mirror.pkgbuild.com
sudo zypper install osv-scanneropenSUSE Tumbleweed package metadata · osv-scanner · source: download.opensuse.org
scoop install main/osv-scannerScoop official bucket manifest trees · bucket/osv-scanner.json · source: api.github.com
winget install --id Google.OSVScanner -eWindows Package Manager source index · Google.OSVScanner · source: cdn.winget.microsoft.com
overview
Vulnerability scanner which uses the OSV database
history
OSV-Scanner is Google's command-line vulnerability scanner for matching project dependencies, source trees, SBOMs, and container contents against the OSV.dev vulnerability database. It is significant because it turns the OSV schema and distributed advisory corpus into a developer-facing tool that package maintainers, security teams, and CI systems can run without buying into a proprietary advisory database.
Google's GitHub repository records `google/osv-scanner` as created on 2022-11-14, and the Google Online Security Blog announced OSV-Scanner on 2022-12-13 as a free tool from the Google Open Source Security Team. The announcement framed it as an access layer for OSV vulnerability information: it would scan manifests, lockfiles, SBOMs, and git directories, then report known vulnerabilities affecting the discovered packages.
The project later moved beyond a thin OSV lookup client. Its README describes OSV-Scanner as both the officially supported frontend to the OSV database and a CLI interface to OSV-Scalibr, Google's extraction/scanning library. The V2 line added broader package extraction, OS package detection, container image scanning, license scanning through deps.dev data, offline database downloads, and guided remediation workflows for selected ecosystems.
OSV-Scanner's adoption path is closely tied to OSV.dev itself. OSV.dev presents OSV as an open, precise, distributed vulnerability database and publishes GitHub workflows that run OSV-Scanner in CI/CD. That made the scanner useful not just as a local audit command, but also as a reusable supply-chain check for pull requests and scheduled repository scans.
Package-manager availability widened the audience beyond Go developers: the input metadata records packages for Homebrew, Alpine, Nix, Arch, Scoop, winget, and zypper. Homebrew packaging is especially important for a CLI security tool because it lets macOS developers add the scanner to local and CI environments with the same command style they use for other developer tools.
Developers use OSV-Scanner to recursively scan a source directory, point it at lockfiles and manifests, scan SBOMs, or inspect container images. Its documented `scan source` and `scan image` modes cover the common package-nerd cases: checking npm, Go, Maven, PyPI, Cargo, RubyGems, Composer, NuGet, and other ecosystem metadata against advisories.
Security teams use it in automation because the output is tied to machine-readable OSV records and because it can run without a custom service. The README also documents offline scanning after downloading local OSV databases, which matters for reproducible audits and restricted build environments.
OSV-Scanner is package-nerd infrastructure: it operationalizes lockfile parsing, package URL/ecosystem mapping, advisory matching, and remediation suggestions. Its significance is not just that it scans dependencies, but that it exposes how much package metadata quality determines vulnerability precision.
The tool also sits at the intersection of multiple package ecosystems and OS package databases. For av.db-style metadata, it is a useful example of a CLI whose value comes from being able to understand many package managers consistently rather than from managing one package format deeply.
security posture
escape, surveillance, or offensive capability signal.
red risk · medium confidence · escape-surveillance-offensive
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
osv-scanner.tomlexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
osv-scanner | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/google/osv-scanner
install metadata
| Package key | brew:osv-scanner |
|---|---|
| Version | 2.4.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/osv-scanner |
| Homepage | https://google.github.io/osv-scanner/ |
| Repository | https://github.com/google/osv-scanner |
| Upstream docs | https://github.com/google/osv-scanner#readme |
| License | Apache-2.0 |
| Source archive | https://github.com/google/osv-scanner/archive/refs/tags/v2.4.0.tar.gz |
| Last updated | 2026-06-18T16:37:24Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | osv-scanner |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
osv-scanner
nix profile install nixpkgs#osv-scannerosv-scanner 2.3.8-r1
Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://github.com/google/osv-scanner
sudo apk add osv-scannerosv-scanner 2.3.8-1
Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://github.com/google/osv-scanner
sudo pacman -S osv-scannerosv-scanner 2.3.8-1.1
Vulnerability scanner written in Go
https://github.com/google/osv-scanner
sudo zypper install osv-scannermain/osv-scanner
scoop install main/osv-scannerGoogle.OSVScanner
winget install --id Google.OSVScanner -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.