OSV Scanner
OSV-Scanner is an open-source vulnerability scanner developed by Google. It identifies known vulnerabilities in a project's dependencies by cross-referencing lockfiles, SBOMs (CycloneDX, SPDX), container images, and Git commits against the OSV.dev database, which aggregates advisories from GitHub Security Advisories, PyPA, RustSec, and other sources across many programming languages and package managers.

The tool offers layer-aware container scanning (so a finding can be traced to the image layer that introduced the package), guided remediation with upgrade recommendations, offline scanning against a local copy of the database, and vulnerability reports in both human-readable and machine-readable formats. It integrates into CI/CD pipelines, enabling continuous monitoring and automated dependency checks throughout the software development lifecycle.