Versions:

  • 2.3.5
  • 2.3.3
  • 2.3.2
  • 2.3.1
  • 2.3.0
  • 2.2.4
  • 2.2.3
  • 2.2.2
  • 2.2.1
  • 2.2.0
  • 2.1.0
  • 2.0.3
  • 2.0.2
  • 2.0.1
  • 1.9.2

OSV Scanner, maintained by Google, is a purpose-built vulnerability scanner written in Go that ingests the continuously updated open-source vulnerability database hosted at osv.dev. Designed for integration into CI pipelines, container builds, and local development workflows, the tool parses lock files such as package-lock.json, Gemfile.lock, go.mod, pom.xml, requirements.txt, Cargo.lock, and more, mapping every declared dependency against OSV’s precise, commit-level advisory data to surface affected versions without false positives tied to downstream forks.

Version 2.3.5, the fifteenth public iteration since the project’s debut, introduces improved Alpine and Debian ecosystem coverage, refined SARIF output for GitHub Security tab compatibility, and a configurable --experimental-call-analysis flag that traces whether vulnerable functions are actually reachable in Go codebases. Enterprises use OSV Scanner to gate production deployments, cloud security teams embed it in image-hardening scripts to generate SBOMs and companion vulnerability reports, and open-source maintainers add its GitHub Action so pull requests are automatically annotated with impacted paths and remediation hints.

Because the underlying osv.dev dataset is refreshed continuously from GitHub Security Advisories, PyPA, Go, Rust, Maven, npm, and other primary sources, scans reflect zero-day disclosures within minutes, allowing security engineers to shorten patch windows and satisfy “known-vulnerability” clauses in supply-chain compliance frameworks such as SLSA and SSDF. The command-line binary is self-contained, works offline after an initial database sync, and offers JSON, table, and SARIF export formats for consumption by SIEM, ticketing, and governance dashboards.

OSV Scanner is available for free on get.nero.com, with downloads provided via trusted Windows package sources (e.g. winget), always delivering the latest version, and supporting batch installation of multiple applications.
