Google on Tuesday announced the release of an updated iteration of OSV-Scanner, its free vulnerability scanner for open source developers.
OSV-Scanner was introduced in 2022 as a front-end for the open source vulnerability database launched in 2021, to help developers receive detailed bug reports and improve the security of the open source ecosystem.
The new iteration of the scanner builds on the capabilities introduced earlier this year with the release of OSV-SCALIBR (Software Composition Analysis LIBRary), an extensible file system scanner that extracts information on software inventory.
OSV-Scanner V2.0.0 integrates OSV-SCALIBR features and becomes the official command-line code and container scanning tool for the open source library.
“This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities to OSV-Scanner, making it a comprehensive vulnerability scanner and remediation tool with broad support for formats and ecosystems,” Google says.
Courtesy of this integration, the scanner can now extract from projects source manifest and lockfiles (including .NET: deps.json, Python: uv.lock, JavaScript: bun.lock, and Haskell: cabal.project.freeze and stack.yaml.lock), and artifacts (such as Node modules, Python wheels, Java uber jars, and Go binaries).
It also includes layer-aware scanning for Alpine, Debian, and Ubuntu container images, providing details such as layer history and commands, layers where a package was introduced, the base image, the OS and distribution the container is running, and vulnerabilities unlikely to affect the container image.
OSV-Scanner V2.0.0 comes with a new interactive local HTML output format to deliver scan information such as flaw advisories, a breakdown on severity, and filtering of packages, IDs, and vulnerability importance.
The scanner now includes guided remediation support for Maven to help address security defects in both direct and transitive dependencies, and provides support for reading and writing pom.xml files, for specifying a private registry to fetch metadata, and for updating dependencies in pom.xml to the latest version.
“We also introduced machine readable output for guided remediation that makes it easier to integrate guided remediation into your workflow,” Google notes.
The internet giant will continue to integrate OSV-SCALIBR functionality into OSV-Scanner’s CLI interface, expand support for additional ecosystems, add support for accounting for every file in a container image, integrate reachability analysis, and add support for Vulnerability Exchange (VEX).
OSV-Scanner V2.0.0 is available on GitHub, the same as OSV-SCALIBR, and Google welcomes feedback and contributions to both.
Related: UK Government Report Calls for Stronger Open Source Supply Chain Security Practices
Related: OpenSSF Releases Security Baseline for Open Source Projects
Related: Cyber Insights 2025: Open Source and Software Supply Chain Security
Related: Google Open Sources Security Patch Validation Tool for Android
