
OSV-Scanner

Category: SCA
License: Free (Open-Source, Apache 2.0)
Suphi Cankurt
AppSec Enthusiast
Updated February 21, 2026

OSV-Scanner is Google’s free, open-source vulnerability scanner for open-source dependencies. It queries the OSV.dev database, the largest aggregated source of open-source vulnerability data, covering dozens of ecosystems with normalized advisory information from NVD, GitHub Advisories, and ecosystem-specific sources. With the Synopsys 2024 OSSRA report finding that 96% of commercial codebases contain open-source components, free tooling like OSV-Scanner makes baseline SCA accessible to every team.

Version 2.0, released in March 2025, transformed OSV-Scanner from a basic dependency checker into a full remediation tool with container image scanning, guided upgrade recommendations, and interactive HTML reports. The project has over 6,000 GitHub stars and is written in Go.

What is OSV-Scanner?

OSV-Scanner reads your project’s manifest and lockfiles, identifies every dependency in the tree, and checks each one against the OSV.dev database. Unlike databases that rely solely on CVE identifiers, OSV.dev normalizes advisories across ecosystems so a single vulnerability affecting multiple package managers is tracked consistently.

The scanner goes beyond detection. Its guided remediation engine analyzes your dependency graph and recommends the minimum set of upgrades needed to resolve vulnerabilities, ranked by factors like dependency depth, severity, and return on investment.

Guided Remediation
Analyzes your dependency graph and recommends prioritized upgrade paths. Considers dependency depth, severity, fix strategy, and ROI to suggest the minimum changes needed. Supports npm and Maven pom.xml.
Container Scanning
Layer-aware scanning for Debian, Ubuntu, and Alpine images. Shows which layer introduced each package, identifies the base image, and filters vulnerabilities unlikely to affect the container.
OSV.dev Database
The largest open-source vulnerability database, aggregating advisories from NVD, GitHub, PyPI, RubyGems, Go, Rust, and dozens more sources into a normalized, machine-readable format.

Key features

Guided remediation

This is OSV-Scanner’s standout feature. Rather than dumping a list of CVEs and leaving you to figure out what to upgrade, it calculates the optimal set of dependency upgrades. The engine considers:

  • Dependency depth – Direct dependencies are easier to upgrade than transitive ones
  • Severity – Critical and high findings get priority
  • Fix strategy – Whether to use in-place upgrades or relaxed constraints
  • Return on investment – How many vulnerabilities a single upgrade resolves

Guided remediation currently supports npm (package.json / package-lock.json) and Maven (pom.xml), with more ecosystems planned.

Layer-aware container scanning

OSV-Scanner V2 doesn’t just scan container images. It understands their layer structure. For each package found, it reports which layer introduced it, the layer history and commands, the base image, and the OS distribution. It also filters out vulnerabilities that are unlikely to affect the container in practice, reducing noise compared to flat image scanners.

This feature currently supports Alpine, Debian, and Ubuntu-based images.

Broad ecosystem coverage

OSV-Scanner extracts dependencies from source manifests, lockfiles, and compiled artifacts.

Source type    Formats
JavaScript     package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock
Python         requirements.txt, poetry.lock, Pipfile.lock, uv.lock
Java           pom.xml, gradle.lockfile
Go             go.sum
Rust           Cargo.lock
.NET           deps.json, packages.lock.json
Ruby           Gemfile.lock
PHP            composer.lock
Dart           pubspec.lock
Haskell        cabal.project.freeze, stack.yaml.lock
Elixir         mix.lock
Containers     Alpine, Debian, Ubuntu images
Artifacts      Go binaries, Java uber JARs, Python wheels, Node modules

Interactive HTML output

OSV-Scanner V2 can generate an interactive HTML report that visualizes scan results. This makes it easier to share findings with team members who do not work in the terminal, and provides filtering and sorting without additional tooling.

OSV.dev database advantage

OSV.dev aggregates vulnerability data from over 30 ecosystem-specific sources. When a vulnerability is disclosed in a Python package, for example, OSV.dev pulls the advisory from PyPI, cross-references it with NVD and GitHub, and presents a single normalized record. This means OSV-Scanner often has advisory coverage before tools relying solely on NVD.

Installation and usage

1. Install the CLI – Use Go, Homebrew, or download a prebuilt binary from the GitHub releases page: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
2. Scan your project – Run osv-scanner scan -r /path/to/project to recursively scan all supported lockfiles in a directory.
3. Scan a container image – Run osv-scanner scan image image:tag to perform layer-aware scanning on a container image.
4. Get remediation advice – Run osv-scanner fix -M package.json -L package-lock.json to get guided upgrade recommendations.

# Install via Go
go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest

# Install via Homebrew
brew install osv-scanner

# Scan a directory recursively
osv-scanner scan -r .

# Scan a specific lockfile
osv-scanner scan -L package-lock.json

# Scan a container image
osv-scanner scan image alpine:latest

# Scan an SBOM
osv-scanner scan -L sbom.cdx.json

# Guided remediation for npm
osv-scanner fix -M package.json -L package-lock.json

# Guided remediation for Maven
osv-scanner fix -M pom.xml

# Output as JSON
osv-scanner scan -r . --format json

# Generate HTML report
osv-scanner scan -r . --format html > report.html

CI/CD integration

GitHub Actions

name: OSV-Scanner
on:
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'

jobs:
  osv-scan:
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.0.0"

Note: OSV-Scanner V2 uses a reusable workflow called at the job level, not a regular action step.

OSV-Scanner also supports scheduled scanning via the osv-scanner-action/osv-reporter-action to monitor for newly disclosed vulnerabilities between code changes.
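The reusable workflow above fails or passes on its own terms; teams that want their own policy usually run osv-scanner with --format json and gate on the result. The following is an added example (not part of the article or of the OSV-Scanner project) that reads such a report, fails the build at or above a CVSS threshold, and lets an accepted-risk list match on any alias, which is useful because OSV.dev records carry both GHSA and CVE identifiers for the same issue. The JSON field names and the sample report are assumptions constructed for this example; the vulnerability ids are placeholders.

```python
import json
import sys

# Constructed sample of `osv-scanner scan -r . --format json` output, not a real
# scan. Field names follow osv-scanner's JSON output as I understand it
# (results[].source.path, packages[].package, packages[].groups[].{ids,aliases,
# max_severity}); check them against the version you run. Ids are placeholders.
SAMPLE_REPORT = json.loads("""{"results": [{
  "source": {"path": "/src/package-lock.json", "type": "lockfile"},
  "packages": [
    {"package": {"name": "example-left-pad", "version": "1.0.0", "ecosystem": "npm"},
     "groups": [{"ids": ["GHSA-EXAMPLE-0001"],
                 "aliases": ["GHSA-EXAMPLE-0001", "CVE-0000-0001"], "max_severity": "9.8"}]},
    {"package": {"name": "example-utils", "version": "2.3.4", "ecosystem": "npm"},
     "groups": [{"ids": ["GHSA-EXAMPLE-0002"], "aliases": [], "max_severity": "4.3"}]},
    {"package": {"name": "example-parser", "version": "0.9.0", "ecosystem": "npm"},
     "groups": [{"ids": ["GHSA-EXAMPLE-0003"], "aliases": [], "max_severity": ""}]}
  ]}]}""")

def failing_findings(report, min_score=7.0, ignored_ids=()):
    """Return (name, version, source path, ids, score) for each vulnerability
    group at or above min_score that is not ignored. An ignore entry matches any
    alias, so ignoring a CVE also suppresses the GHSA record OSV.dev maps it to;
    a group with no score is treated as failing rather than silently passed."""
    ignored = set(ignored_ids)
    failing = []
    for result in report.get("results", []):
        path = result.get("source", {}).get("path", "?")
        for pkg in result.get("packages", []):
            p = pkg.get("package", {})
            for group in pkg.get("groups", []):
                ids = group.get("ids", [])
                if (set(ids) | set(group.get("aliases", []))) & ignored:
                    continue  # accepted-risk entry, matched on any alias
                raw = group.get("max_severity")
                score = float(raw) if raw else None
                if score is None or score >= min_score:
                    failing.append((p.get("name"), p.get("version"), path, sorted(ids), score))
    return failing

def gate(report, min_score=7.0, ignored_ids=()):
    """CI exit status: 0 when nothing fails the gate, 1 otherwise."""
    return 1 if failing_findings(report, min_score, ignored_ids) else 0

if __name__ == "__main__":
    data = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    for name, version, path, ids, score in failing_findings(data):
        print(f"{path}: {name}@{version} {','.join(ids)} score={score}")
    sys.exit(gate(data))
```

Pipe the scanner output into the script (osv-scanner scan -r . --format json | python gate.py); with no piped input it runs against the constructed sample.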

When to use OSV-Scanner

OSV-Scanner is a strong choice for teams that want a free, no-strings-attached vulnerability scanner backed by Google’s infrastructure and the broadest open-source vulnerability database available.

Strengths:

  • Completely free with no usage limits or account requirements
  • Guided remediation saves time on figuring out which upgrades to apply
  • OSV.dev database aggregates 30+ sources for broad coverage
  • Layer-aware container scanning filters irrelevant findings
  • Interactive HTML reports for non-terminal users

Limitations:

  • Guided remediation currently limited to npm and Maven
  • No web dashboard or continuous monitoring (CLI-only)
  • Container scanning restricted to Debian, Ubuntu, and Alpine images
  • No license compliance scanning
  • No automated fix PRs (you apply the recommendations manually)

Best for

Teams that want a free, Google-backed vulnerability scanner with guided remediation and broad ecosystem coverage, without vendor lock-in or account requirements.

How it compares:

vs.                       Key difference
Grype                     Grype has EPSS and KEV risk scoring and deeper container support. OSV-Scanner has guided remediation and the broader OSV.dev database.
Snyk Open Source          Snyk offers automated fix PRs, a web dashboard, and continuous monitoring. OSV-Scanner is completely free with no limits.
Dependabot                Dependabot auto-opens PRs on GitHub. OSV-Scanner works anywhere and offers guided remediation with ROI-based prioritization.
OWASP Dependency-Check    Dependency-Check uses NVD data only. OSV-Scanner queries 30+ sources through OSV.dev for broader coverage.

Further reading: What is SCA? | SCA in CI/CD Pipelines

Frequently Asked Questions

What is OSV-Scanner?

OSV-Scanner is a free, open-source vulnerability scanner built by Google. It checks your project’s dependencies against the OSV.dev database, the largest open-source vulnerability database aggregating advisories from dozens of ecosystems. V2, released in March 2025, added container scanning, guided remediation for Maven, and interactive HTML output.

Is OSV-Scanner free?

Yes. OSV-Scanner is fully free and open-source under the Apache 2.0 license. There are no paid tiers, usage limits, or account requirements. Google maintains it as part of the broader OSV.dev project.

What languages and ecosystems does OSV-Scanner support?

OSV-Scanner covers 11+ language ecosystems including Go, Java, JavaScript, Python, Rust, C/C++, Dart, Elixir, PHP, R, and Ruby. It reads 19+ lockfile formats including package-lock.json, go.sum, pom.xml, Cargo.lock, poetry.lock, uv.lock, bun.lock, and more.

How does OSV-Scanner compare to Grype and Trivy?

OSV-Scanner uses the OSV.dev database, which aggregates advisories from multiple sources into a normalized format. Grype focuses on container scanning with EPSS-based risk scoring. Trivy is a broader multi-scanner covering vulnerabilities, IaC, and secrets. OSV-Scanner’s unique strength is guided remediation that recommends specific upgrade paths.

Can OSV-Scanner scan container images?

Yes. OSV-Scanner V2 added layer-aware scanning for Debian, Ubuntu, and Alpine container images. It identifies which layer introduced each package, detects the base image, and filters out vulnerabilities unlikely to affect the running container.