OSV-Scanner
Google tool to find known vulnerabilities in open source dependencies from lockfiles, SBOMs, or directories using the OSV database.
Why it is included
Lightweight OSS complement to image scanners when the risk is dependency CVEs in application code.
Best for
CI pipelines scanning package locks (npm, Go, Maven, etc.) with minimal setup.
Strengths
- OSV API
- SBOM input
- Fast local runs
Limitations
- Coverage follows OSV ecosystem participation
Good alternatives
Trivy filesystem · Grype · Snyk (commercial)
Related tools
- Dependency-Track (Security & Privacy): Continuous SBOM analysis platform tracking component vulnerabilities, policies, and audit trails for supply chain risk.
- Grype (Security & Privacy): Vulnerability scanner for container images and filesystems using Anchore’s vulnerability DB and Syft SBOM input.
- Syft (Security & Privacy): CLI and library for generating SBOMs (SPDX, CycloneDX) from images, directories, and archives.
- Exploit Database (Security & Privacy): Curated archive of public exploits and proof-of-concepts with searchsploit CLI for offline lookup.
- Semgrep (Security & Privacy): Static analysis engine matching AST patterns; rules for OWASP classes, secrets, and custom policies.
- Trivy (Security & Privacy): All-in-one scanner for container images, IaC, Kubernetes manifests, SBOMs, and VM OS packages with CI integrations.
