Documentation
Comprehensive documentation is available here.
Viewing the web UI
An instance of OSV's web UI is deployed at https://osv.dev.
Using the scanner
We provide a Go based tool that will scan your dependencies, and check them against the OSV database for known vulnerabilities via the OSV API.
Currently it is able to scan various lockfiles, debian docker containers, SPDX and CycloneDB SBOMs, and git repositories.
The scanner is located in it's own repository.
This repository
This repository contains all the code for running https://osv.dev on GCP. This consists of:
- API server (
gcp/api) - Web interface (
gcp/appengine) - Workers for bisection and impact analysis (
docker/worker)
You'll need to check out submodules as well for many local building steps to work:
git submodule update --init --recursiveContributing
Contributions are welcome!
Learn more about code, data, and documentation contributions. We also have a mailing list.
Do you have a question or a suggestion? Please open an issue.
Third party tools and integrations
There are also community tools that use OSV. Note that these are community built tools and unsupported by the core OSV maintainers.
- Betterscan.io: Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC)
- bomber
- Cortex XSOAR
- Dependency-Track
- dep-scan
- EZE-CLI: The one stop shop for security testing in modern development
- G-Rath/osv-detector: A scanner that uses the OSV database.
- it-depends
- .NET client library and support for the schema
- OSS Review Toolkit
- Packj
- pip-audit
- Renovate
- Rust client library
- Skjold: Security audit python project dependencies against several security advisory databases
- Trivy
Feel free to send a PR to add your project here.
![@dependabot[bot]](https://web.archive.org/web/20230614044808im_/https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
