OSV-Scanner

Google's open-source vulnerability scanner that checks dependencies against the OSV (Open Source Vulnerabilities) database. Supports 26+ package ecosystems and scans lockfiles (package-lock.json, Cargo.lock, go.mod, etc.), SBOM files, and container images. Uses OSV.dev, the open vulnerability database that aggregates CVE, GHSA, and ecosystem-specific advisories. An open-source alternative to Snyk/Dependabot with broad ecosystem coverage and no vendor lock-in.

Evaluated Mar 06, 2026, v1.x
Category: Developer Tools. Tags: security, vulnerability, osv, google, dependency-audit, sbom, open-source, supply-chain
⚙ Agent Friendliness: 66 / 100 (Can an agent use this?)
🔒 Security: 93 / 100 (Is it safe for agents?)
⚡ Reliability: 85 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
87
Error Messages
82
Auth Simplicity
100
Rate Limits
85

🔒 Security

TLS Enforcement
100
Auth Strength
92
Scope Granularity
88
Dep. Hygiene
92
Secret Handling
95

Google-maintained with strong security track record. Apache 2.0 and auditable. OSV.dev database aggregates NVD, GitHub Security Advisories, and ecosystem advisories. No credentials transmitted.

⚡ Reliability

Uptime/SLA
85
Version Stability
87
Breaking Changes
85
Error Recovery
83

Best When

You need a free, open-source dependency vulnerability scanner with broad ecosystem coverage that works in any CI/CD pipeline without vendor lock-in.

Avoid When

You need integrated PR-based fix suggestions and developer workflow — Dependabot (GitHub) or Renovate with security scanning is better integrated.

Use Cases

  • Scan dependency lockfiles (npm, pip, cargo, go, maven) for known vulnerabilities against OSV database in CI/CD pipelines
  • Audit SBOM (Software Bill of Materials) files against OSV for vulnerability reports in compliance workflows
  • Check container images for vulnerable OS packages and application dependencies using Docker/OCI image scanning
  • Replace or supplement Dependabot with a CLI-based scanner that works in non-GitHub environments
  • Generate vulnerability reports for supply chain security audits with output in JSON, SARIF, or text formats

Not For

  • Real-time monitoring and PR-based alerts — GitHub Dependabot and Snyk provide better developer workflow integration
  • Commercial vulnerability prioritization with exploit intelligence — paid tools like Snyk or Veracode provide more actionable prioritization
  • Code-level SAST scanning — OSV-Scanner is dependency scanning only, not static code analysis

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
No
SDK
No
Webhooks
No

Authentication

Methods: none
OAuth: No Scopes: No

No authentication for CLI use. Queries OSV.dev API which is publicly accessible. No API key required for standard scanning.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Apache 2.0 licensed. Google open source. Completely free. OSV.dev database is also free and open.

Agent Metadata

Pagination
none
Idempotent
Full
Retry Guidance
Not documented

Known Gotchas

  • Exit code 1 means vulnerabilities were found, not that the tool failed; other non-zero codes signal tool or input errors. CI pipelines must distinguish the two so that a scanner outage is never read as a clean result.
  • The OSV database is updated continuously, so the same lockfile scanned on different days may yield different results as new advisories are published.
  • Docker image scanning requires a running Docker daemon on the scanning host.
  • Findings are reported against the exact versions pinned in the lockfile, so a vulnerable transitive dependency is flagged even when a newer release of the direct dependency would pull in a fixed version. Triage before blocking CI, and record accepted findings in osv-scanner.toml (IgnoredVulns entries with a reason and an ignoreUntil date) rather than disabling the scan.
  • SBOM scanning accepts SPDX and CycloneDX only; other formats are not supported.
  • --offline scans against a local copy of the database, which must be downloaded beforehand (--download-offline-databases); online mode makes network requests to OSV.dev on every scan.
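The CI gating described under Use Cases and the exit-code gotcha above, as an added example wrapper script. This is editorial example code, not part of the OSV-Scanner project. It assumes osv-scanner v1.x on PATH with the --format, --output, --lockfile and --offline flags, a lockfile path as the first argument, and the environment variables OSV_OFFLINE and OSV_POLICY, which are names chosen for this example:

```shell
#!/bin/sh
# ci_osv_gate.sh: example CI wrapper around osv-scanner (not the project's own code).
# Assumes osv-scanner v1.x on PATH; OSV_OFFLINE and OSV_POLICY are names invented here.
set -u

# Map osv-scanner's exit code to a CI outcome.
# 0 = no findings, 1 = vulnerabilities found, anything else = the tool itself failed
# (unreadable lockfile, bad flags, network error), which must not be reported as "clean".
osv_outcome() {
  case "$1" in
    0) echo clean ;;
    1) echo vulnerable ;;
    *) echo error ;;
  esac
}

# Decide whether the CI job fails. Findings always fail the build.
# Tool errors fail it too under the "strict" policy (return 2 so the failure is distinguishable),
# or only warn under "lenient", which is appropriate for advisory scans but never for release gates.
# $1 = osv-scanner exit code, $2 = policy ("strict" or "lenient", default strict).
osv_gate() {
  policy=${2:-strict}
  outcome=$(osv_outcome "$1")
  case "$outcome" in
    clean) return 0 ;;
    vulnerable)
      echo "osv-scanner found vulnerabilities; failing the build" >&2
      return 1 ;;
    error)
      echo "osv-scanner failed (exit $1); this is NOT a clean result" >&2
      [ "$policy" = lenient ] && return 0
      return 2 ;;
  esac
}

# Run the scanner on one lockfile, writing JSON to $2, and hand back its exit code
# instead of aborting. With OSV_OFFLINE=1 the local database copy is used; it must have
# been fetched earlier with: osv-scanner --offline --download-offline-databases <lockfile>
run_osv() {
  lockfile=$1; out=$2
  if [ "${OSV_OFFLINE:-0}" = 1 ]; then
    osv-scanner --offline --format json --output "$out" --lockfile="$lockfile"
  else
    osv-scanner --format json --output "$out" --lockfile="$lockfile"
  fi
}

# Only scan when a lockfile argument is given, so the functions can also be sourced.
if [ "${1:-}" != "" ]; then
  run_osv "$1" "${2:-osv-results.json}"
  rc=$?
  osv_gate "$rc" "${OSV_POLICY:-strict}"
  exit $?
fi
```

In a pipeline, call it as `sh ci_osv_gate.sh package-lock.json` and archive osv-results.json as a build artifact; the JSON is what you feed into triage or an SBOM compliance report. Keeping the exit-code mapping in one function means a future change to the scanner's codes is a one-line edit rather than a hunt through every job definition.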

Scores are editorial opinions as of 2026-03-06.
