# Install osv-scanner with Homebrew, apk, Nix, pacman, scoop, winget, zypper

Vulnerability scanner which uses the OSV database. Version 2.4.0 via Homebrew; verified 2026-06-18.

## Install

```sh
sudo av install brew:osv-scanner
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install osv-scanner
```

  Evidence: local Homebrew formula metadata

### Linux

- apk (92%):

```sh
sudo apk add osv-scanner
```

  Evidence: Alpine Linux edge package indexes: osv-scanner from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#osv-scanner
```

  Evidence: nixpkgs package indexes: pkgs/by-name/os/osv-scanner/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S osv-scanner
```

  Evidence: Arch Linux sync databases: osv-scanner from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install osv-scanner
```

  Evidence: openSUSE Tumbleweed package metadata: osv-scanner from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Scoop (92%):

```sh
scoop install main/osv-scanner
```

  Evidence: Scoop official bucket manifest trees: bucket/osv-scanner.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id Google.OSVScanner -e
```

  Evidence: Windows Package Manager source index: Google.OSVScanner from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:osv-scanner
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/osv-scanner>
- **Version:** 2.4.0
- **Source summary:** Vulnerability scanner which uses the OSV database
- **Homepage:** <https://google.github.io/osv-scanner/>
- **Repository:** <https://github.com/google/osv-scanner>
- **Upstream docs:** <https://github.com/google/osv-scanner#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/google/osv-scanner/archive/refs/tags/v2.4.0.tar.gz>
- **Last updated:** 2026-06-18T16:37:24Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- osv-scanner (cli)
- osv-scanner (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.4.0
- Package-manager updated: 2026-06-18
- Local data: ok
- Upstream repository: https://github.com/google/osv-scanner
- Upstream latest detected: v2.4.0 (current)
## Project history and usage

OSV-Scanner is Google's command-line vulnerability scanner for matching project dependencies, source trees, SBOMs, and container contents against the OSV.dev vulnerability database. It is significant because it turns the OSV schema and distributed advisory corpus into a developer-facing tool that package maintainers, security teams, and CI systems can run without buying into a proprietary advisory database.

### Project history

Google's GitHub repository records `google/osv-scanner` as created on 2022-11-14, and the Google Online Security Blog announced OSV-Scanner on 2022-12-13 as a free tool from the Google Open Source Security Team. The announcement framed it as an access layer for OSV vulnerability information: it would scan manifests, lockfiles, SBOMs, and git directories, then report known vulnerabilities affecting the discovered packages.

The project later moved beyond a thin OSV lookup client. Its README describes OSV-Scanner as both the officially supported frontend to the OSV database and a CLI interface to OSV-Scalibr, Google's extraction/scanning library. The V2 line added broader package extraction, OS package detection, container image scanning, license scanning through deps.dev data, offline database downloads, and guided remediation workflows for selected ecosystems.

### Adoption history

OSV-Scanner's adoption path is closely tied to OSV.dev itself. OSV.dev presents OSV as an open, precise, distributed vulnerability database and publishes GitHub workflows that run OSV-Scanner in CI/CD. That made the scanner useful not just as a local audit command, but also as a reusable supply-chain check for pull requests and scheduled repository scans.

Package-manager availability widened the audience beyond Go developers: the input metadata records packages for Homebrew, Alpine, Nix, Arch, Scoop, winget, and zypper. Homebrew packaging is especially important for a CLI security tool because it lets macOS developers add the scanner to local and CI environments with the same command style they use for other developer tools.

### How it is used

Developers use OSV-Scanner to recursively scan a source directory, point it at lockfiles and manifests, scan SBOMs, or inspect container images. Its documented `scan source` and `scan image` modes cover the common package-nerd cases: checking npm, Go, Maven, PyPI, Cargo, RubyGems, Composer, NuGet, and other ecosystem metadata against advisories.

Security teams use it in automation because the output is tied to machine-readable OSV records and because it can run without a custom service. The README also documents offline scanning after downloading local OSV databases, which matters for reproducible audits and restricted build environments.

### Why package nerds care

OSV-Scanner is package-nerd infrastructure: it operationalizes lockfile parsing, package URL/ecosystem mapping, advisory matching, and remediation suggestions. Its significance is not just that it scans dependencies, but that it exposes how much package metadata quality determines vulnerability precision.

The tool also sits at the intersection of multiple package ecosystems and OS package databases. For av.db-style metadata, it is a useful example of a CLI whose value comes from being able to understand many package managers consistently rather than from managing one package format deeply.

### Timeline

- 2022-11-14: GitHub records creation of `google/osv-scanner`.
- 2022-12-13: Google announced OSV-Scanner on the Google Online Security Blog.
- 2025-01-24: the project opened a discussion thread for OSV-Scanner V2 beta feedback.
- 2026-06-18: GitHub release v2.4.0 added support including CycloneDX 1.7, more default source-scanning plugins, Alpine PURL distro qualifiers, Swift Package.resolved scanning, and Chisel container extraction.

### Related projects

- OSV.dev provides the vulnerability database and API that OSV-Scanner queries.
- OSV-Scalibr provides extraction and scanning components used under the OSV-Scanner V2 architecture.
- deps.dev supplies supplemental package data used by OSV-Scanner for dependency resolution, license scanning, container metadata, and package deprecation checks.

### Sources

- <https://api.github.com/repos/google/osv-scanner>
- <https://formulae.brew.sh/formula/osv-scanner>
- <https://github.com/google/osv-scanner>
- <https://github.com/google/osv-scanner/releases/tag/v2.4.0>
- <https://google.github.io/osv-scanner/>
- <https://osv.dev/>
- <https://raw.githubusercontent.com/google/osv-scanner/main/README.md>
- <https://security.googleblog.com/2022/12/announcing-osv-scanner-vulnerability.html>


## Security Notes

escape, surveillance, or offensive capability signal.

- **Geiger risk:** red / medium
- escape, surveillance, or offensive capability signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: osv-scanner.toml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** osv-scanner
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - osv-scanner: normalized package name match | nixpkgs package indexes: pkgs/by-name/os/osv-scanner/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - osv-scanner - 2.3.8-r1: normalized package name match | Alpine Linux edge package indexes: osv-scanner from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Vulnerability scanner written in Go which uses the data provided by https://osv.dev | https://github.com/google/osv-scanner
- pacman - osv-scanner - 2.3.8-1: normalized package name match | Arch Linux sync databases: osv-scanner from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Vulnerability scanner written in Go which uses the data provided by https://osv.dev | https://github.com/google/osv-scanner
- zypper - osv-scanner - 2.3.8-1.1: normalized package name match | openSUSE Tumbleweed package metadata: osv-scanner from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Vulnerability scanner written in Go | https://github.com/google/osv-scanner
- Scoop - main/osv-scanner: normalized package name match | Scoop official bucket manifest trees: bucket/osv-scanner.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
- winget - Google.OSVScanner: normalized package name match | Windows Package Manager source index: Google.OSVScanner from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [bomber](https://www.automicvault.com/pkg/brew/bomber/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [govulncheck](https://www.automicvault.com/pkg/brew/govulncheck/) - Shares av.db curated category or tags: cli, go, security, vulnerability-scanning.
- [grype](https://www.automicvault.com/pkg/brew/grype/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [nuclei](https://www.automicvault.com/pkg/brew/nuclei/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [terrapin-scanner](https://www.automicvault.com/pkg/brew/terrapin-scanner/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [vuls](https://www.automicvault.com/pkg/brew/vuls/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.
- [clair](https://www.automicvault.com/pkg/brew/clair/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [safety](https://www.automicvault.com/pkg/brew/safety/) - Shares av.db curated category or tags: cli, security, vulnerability-scanner, vulnerability-scanning.

## Combined YAML source

View the package source record on GitHub. [combined/osv-scanner.yml](https://github.com/automic-vault/db/blob/main/combined/osv-scanner.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
