osv-scanner: Scan Lockfiles Against OSV.dev
osv-scanner scans lockfiles (or a directory tree) against the OSV.dev database and exits 1 when any vulnerability is found.
OSV-Scanner is Google's open-source SCA tool. It understands lockfiles across many ecosystems and queries the open OSV.dev database, no account required.
What it does
osv-scanner parses lockfiles (package-lock.json, poetry.lock, go.mod, Cargo.lock, and more), matches package versions against OSV.dev, and prints a table of advisories. Exit 0 means no vulnerabilities, 1 means vulnerabilities were found, and 127/128 are usage errors.
Common usage
# scan one lockfile
osv-scanner --lockfile=package-lock.json
# recursively scan a directory for all lockfiles
osv-scanner scan -r ./
# scan a built container image
osv-scanner scan image my-app:latestOptions
| Flag | What it does |
|---|---|
| --lockfile <file> | Scan a specific lockfile |
| -r, --recursive | Walk a directory and scan every lockfile found |
| scan image <ref> | Scan an OCI image's installed packages |
| --config <file> | osv-scanner.toml with ignored vulnerabilities |
| --format <fmt> | table, json, sarif, markdown output |
| --output <file> | Write the report to a file |
| --call-analysis | Reachability analysis (Go, Rust) to cut noise |
In CI
osv-scanner exits 1 on findings, so it fails the job by default with no extra flags. Use an osv-scanner.toml to ignore advisories you have triaged (with an expiry date), and --call-analysis for Go to suppress vulnerabilities in code paths you never call. It queries OSV.dev, so the runner needs network egress.
Common errors in CI
"no lockfiles found" means the path has no recognized manifest; point --lockfile at the right file or use -r. "failed to determine version" can mean an unparseable or partial lockfile. On an air-gapped runner, "failed to query OSV" appears because the database lookups need outbound HTTPS to api.osv.dev.