Skip to content
Latchkey

osv-scanner: Scan Lockfiles Against OSV.dev

osv-scanner scans lockfiles (or a directory tree) against the OSV.dev database and exits 1 when any vulnerability is found.

OSV-Scanner is Google's open-source SCA tool. It understands lockfiles across many ecosystems and queries the open OSV.dev database, no account required.

What it does

osv-scanner parses lockfiles (package-lock.json, poetry.lock, go.mod, Cargo.lock, and more), matches package versions against OSV.dev, and prints a table of advisories. Exit 0 means no vulnerabilities, 1 means vulnerabilities were found, and 127/128 are usage errors.

Common usage

Terminal
# scan one lockfile
osv-scanner --lockfile=package-lock.json
# recursively scan a directory for all lockfiles
osv-scanner scan -r ./
# scan a built container image
osv-scanner scan image my-app:latest

Options

FlagWhat it does
--lockfile <file>Scan a specific lockfile
-r, --recursiveWalk a directory and scan every lockfile found
scan image <ref>Scan an OCI image's installed packages
--config <file>osv-scanner.toml with ignored vulnerabilities
--format <fmt>table, json, sarif, markdown output
--output <file>Write the report to a file
--call-analysisReachability analysis (Go, Rust) to cut noise

In CI

osv-scanner exits 1 on findings, so it fails the job by default with no extra flags. Use an osv-scanner.toml to ignore advisories you have triaged (with an expiry date), and --call-analysis for Go to suppress vulnerabilities in code paths you never call. It queries OSV.dev, so the runner needs network egress.

Common errors in CI

"no lockfiles found" means the path has no recognized manifest; point --lockfile at the right file or use -r. "failed to determine version" can mean an unparseable or partial lockfile. On an air-gapped runner, "failed to query OSV" appears because the database lookups need outbound HTTPS to api.osv.dev.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →