Skip to content
Latchkey

Adding OSV-Scanner to GitHub Actions

Scan your lockfiles against the open OSV database with Google OSV-Scanner.

OSV-Scanner checks your lockfiles against OSV.dev, the open vulnerability database aggregating advisories across ecosystems. Google publishes a reusable workflow that handles SARIF upload, so wiring it up is mostly a one-liner referencing that workflow.

What you need

  • Supported lockfiles (package-lock.json, poetry.lock, go.mod, Cargo.lock, etc.).
  • The google/osv-scanner-action reusable workflow.
  • security-events: write to upload SARIF.

The workflow

Call the reusable PR-scan workflow.

.github/workflows/osv.yml
jobs:
  scan:
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2
    with:
      scan-args: |-
        --recursive
        ./
    permissions:
      security-events: write
      contents: read

Common gotchas

  • It scans lockfiles, so a manifest without a committed lockfile yields nothing.
  • --recursive is needed for monorepos with nested lockfiles.
  • Findings can include transitive-only CVEs you cannot fix directly - triage before failing builds.

Key takeaways

  • OSV-Scanner checks lockfiles against the open OSV.dev database.
  • Use the google/osv-scanner-action reusable workflow for SARIF.
  • Commit lockfiles and use --recursive for monorepos.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →