
osv-scanner


OSV-Scanner is a dependency vulnerability scanner from Google that detects known vulnerabilities in open-source dependencies by matching project manifests and lock files against the OSV database.

Key Features:

  • Broad ecosystem support: Scans dependencies from multiple package managers and lockfile formats
  • Source project scanning: Recursively scans source directories for vulnerable packages
  • SARIF output: Exports findings in SARIF format for CI and security platform integrations
  • Configurable behavior: Supports repository-level configuration using osv-scanner.toml
  • Reliable vulnerability data: Uses OSV.dev vulnerability records maintained by the open source security community
  • Fast CI usage: Designed for automated security checks in pipelines and pre-commit workflows

osv-scanner documentation

osv-scanner - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_OSV_SCANNER_ARGUMENTS | User custom arguments to add to the linter CLI call. Ex: `-s --foo "bar"` | |
| REPOSITORY_OSV_SCANNER_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from the command line before calling the linter. Ex: `-s --foo "bar"` | |
| REPOSITORY_OSV_SCANNER_CLI_LINT_MODE | Override the default CLI lint mode. ⚠️ As the default value is `project`, overriding might not work. Values: `file` (calls the linter once per file), `list_of_files` (calls the linter with the list of files as argument), `project` (calls the linter once from the root of the project) | project |
| REPOSITORY_OSV_SCANNER_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_OSV_SCANNER_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_OSV_SCANNER_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_OSV_SCANNER and its pre/post commands | None |
| REPOSITORY_OSV_SCANNER_CONFIG_FILE | osv-scanner configuration file name. Use `LINTER_DEFAULT` to let the linter find it | osv-scanner.toml |
| REPOSITORY_OSV_SCANNER_RULES_PATH | Path where to find the linter configuration file | Workspace folder, then MegaLinter default rules |
| REPOSITORY_OSV_SCANNER_DISABLE_ERRORS | Run the linter but consider errors as warnings | false |
| REPOSITORY_OSV_SCANNER_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_OSV_SCANNER_CLI_EXECUTABLE | Override CLI executable | ['osv-scanner'] |

MegaLinter Flavors

This linter is available in the following flavors

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 135 |
| c_cpp | Optimized for pure C/C++ projects | 56 |
| ci_light | Optimized for CI items (Dockerfile, Jenkinsfile, JSON/YAML schemas, XML) | 21 |
| cupcake | MegaLinter for the most commonly used languages | 90 |
| documentation | MegaLinter for documentation projects | 49 |
| dotnet | Optimized for C, C++, C# or VB based projects | 64 |
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 73 |
| go | Optimized for GO based projects | 51 |
| java | Optimized for JAVA based projects | 54 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 |
| php | Optimized for PHP based projects | 54 |
| python | Optimized for PYTHON based projects | 66 |
| ruby | Optimized for RUBY based projects | 50 |
| rust | Optimized for RUST based projects | 50 |
| salesforce | Optimized for Salesforce based projects | 56 |
| security | Optimized for security | 24 |
| swift | Optimized for SWIFT based projects | 50 |
| terraform | Optimized for TERRAFORM based projects | 54 |

Behind the scenes

How applicable files are identified

  • If this linter is active, all files will always be linted

How the linting is performed

osv-scanner is called once on the whole project directory (project CLI lint mode)

  • Filtering cannot be done with MegaLinter configuration variables; it must be done through the osv-scanner configuration file or its ignore file (if one exists)
  • Setting VALIDATE_ALL_CODEBASE: false does not make osv-scanner analyze only the updated files; the whole project is scanned every time
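Because file filtering happens in the scanner rather than in MegaLinter, suppressions belong in the osv-scanner.toml file named in the configuration table. The following is an added example written for this page, not a file shipped with MegaLinter or osv-scanner; the field names follow the upstream osv-scanner configuration format, while the vulnerability ID, package name and version are placeholders.

```toml
# osv-scanner.toml (added example; all identifiers below are placeholders)

# Suppress one advisory across the whole project. Giving the suppression an
# expiry date forces the finding back into view when the date passes, so a
# temporary risk acceptance cannot silently become permanent.
[[IgnoredVulns]]
id = "EXAMPLE-VULN-0001"            # placeholder, not a real OSV/GHSA ID
ignoreUntil = 2030-01-01            # TOML date; the finding reappears after it
reason = "Vulnerable code path is not reachable in this build; re-evaluate before expiry"

# Exclude one specific package version from vulnerability matching entirely,
# for example build-time tooling that never ships in the artifact.
[[PackageOverrides]]
name = "example-package"            # placeholder package name
version = "1.2.3"                   # placeholder version
ecosystem = "npm"
ignore = true
reason = "Dev-only tooling, not present in the deployed image"
```

Commit this file alongside the lock files so that every suppression is reviewable in the same pull request that introduces it, and keep the `reason` field meaningful: it is the only record of why a known vulnerability was accepted.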

Example calls

osv-scanner scan source --recursive .
osv-scanner scan source --format sarif --output-file report.sarif --recursive .
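The second example call writes a SARIF report rather than failing the run on its own, so a pipeline still needs something that reads the report and decides. The script below is an added example, not code from MegaLinter or osv-scanner: it parses a SARIF 2.1.0 document of the shape osv-scanner emits (`runs[].results[]` with a `ruleId`, a `level` and file locations), counts findings per severity level and per lock file, and returns a pass/fail verdict with an allowed-error threshold in the spirit of REPOSITORY_OSV_SCANNER_DISABLE_ERRORS_IF_LESS_THAN. The embedded sample report is constructed by hand so the script runs offline; its rule IDs, package names and paths are placeholders.

```python
"""Summarise an osv-scanner SARIF report and decide whether a CI job should fail.

Added example for this page, not part of MegaLinter or osv-scanner. Reads a
SARIF 2.1.0 file such as the one produced by
`osv-scanner scan source --format sarif --output-file report.sarif --recursive .`
"""
import json
import sys
from collections import Counter

# Constructed sample report: SARIF 2.1.0 shape, placeholder rule IDs and paths.
# Real osv-scanner reports carry OSV/GHSA advisory identifiers as ruleId.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "osv-scanner", "rules": [
            {"id": "EXAMPLE-VULN-0001", "shortDescription": {"text": "placeholder advisory A"}},
            {"id": "EXAMPLE-VULN-0002", "shortDescription": {"text": "placeholder advisory B"}},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-VULN-0001", "level": "error",
             "message": {"text": "Package lib-a@1.0.0 is vulnerable"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
            {"ruleId": "EXAMPLE-VULN-0002", "level": "warning",
             "message": {"text": "Package lib-b@2.3.0 is vulnerable"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}}}]},
            # The same advisory hit a second time through a nested lock file.
            {"ruleId": "EXAMPLE-VULN-0001", "level": "error",
             "message": {"text": "Package lib-a@1.0.0 is vulnerable"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sub/package-lock.json"}}}]},
        ],
    }],
})


def parse_sarif(text):
    """Return a list of (rule_id, level, uri, message) tuples, one per location."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # SARIF defines "warning" as the default when level is absent.
            level = result.get("level", "warning")
            uris = [loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "<unknown>")
                    for loc in result.get("locations", [])] or ["<unknown>"]
            message = result.get("message", {}).get("text", "")
            for uri in uris:
                findings.append((result.get("ruleId", "<no-rule>"), level, uri, message))
    return findings


def summarize(findings):
    """Count findings per severity level and per scanned file."""
    by_level = Counter(level for _, level, _, _ in findings)
    by_file = Counter(uri for _, _, uri, _ in findings)
    return by_level, by_file


def should_fail(findings, max_errors=0):
    """CI gate: fail when error-level findings exceed the allowed maximum."""
    errors = sum(1 for _, level, _, _ in findings if level == "error")
    return errors > max_errors


if __name__ == "__main__":
    # Usage: python sarif_gate.py report.sarif   (falls back to the sample when no path is given)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = parse_sarif(text)
    levels, files = summarize(found)
    for rule, level, uri, msg in found:
        print(f"{level:8} {rule:20} {uri}: {msg}")
    print("by level:", dict(levels), "by file:", dict(files))
    sys.exit(1 if should_fail(found) else 0)
```

Counting per location rather than per result is deliberate: one advisory matched through several lock files shows up once per file, which is what the person fixing the finding needs to see. Raise `max_errors` only as a stop-gap while remediation is in progress; the durable way to accept a specific finding is a dated entry in osv-scanner.toml.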

Help content
NAME:
  osv-scanner - scans various mediums for dependencies and checks them against the OSV database

USAGE:
  osv-scanner [global options] command [command options]

EXAMPLES:
  # Scan a source directory
  $ osv-scanner scan source -r <source_directory>

  # Scan a source directory in offline mode
  $ osv-scanner scan source --offline-vulnerabilities --download-offline-database -r <source_directory>

  # Scan a container image
  $ osv-scanner scan image <image_name>

  # Scan a local image archive (e.g. a tar file) and generate HTML output
  $ osv-scanner scan image --serve --archive <image_name.tar>

  # Fix vulnerabilities in a manifest file and lockfile (non-interactive mode)
  $ osv-scanner fix -M <manifest_file> -L <lockfile>

  For full usage details, please refer to the help command of each subcommand (e.g. osv-scanner scan --help).

  Alternatively, you can access the detailed documentation here: https://google.github.io/osv-scanner/

VERSION:
  2.3.5

COMMANDS:
  scan              scans projects and container images for dependencies, and checks them against the OSV database.
  fix               scans a manifest and/or lockfile for vulnerabilities and suggests changes for remediating them
  experimental-mcp  Run osv-scanner as an MCP service (experimental)

GLOBAL OPTIONS:
  --help, -h     show help
  --version, -v  print the version

Installation on mega-linter Docker image

  • Dockerfile commands:
# renovate: datasource=repology depName=alpine_edge/osv-scanner versioning=loose
ARG REPOSITORY_OSV_SCANNER_VERSION=2.3.5-r2
RUN apk add --no-cache \
    --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main \
    --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community \
    osv-scanner=${REPOSITORY_OSV_SCANNER_VERSION}