Google Releases Open-Source Version of OSV-Scanner, Elevating Vulnerability Detection to a New Level

On March 17, 2025, Google officially introduced OSV-Scanner V2.0.0. This updated tool significantly enhances the ability of security professionals to identify and remediate vulnerabilities in software.

Initially launched in December 2022, OSV-Scanner has secured its place among open-source security tools. Its primary goal is to provide developers with fast and accurate information about vulnerabilities affecting their projects. With the V2 release, the tool has been further enhanced through integration with OSV-SCALIBR, expanding its capabilities.

The Google Open Source Security Team stated:
🗣️ “This V2 release, built on OSV-SCALIBR, takes OSV-Scanner to the next level. Now, it is not just a vulnerability scanning tool but a complete solution for identifying and remediating security issues across multiple ecosystems and formats.”

With OSV-Scanner V2, support has been expanded for more software ecosystems. The tool can now analyze dependencies in the following formats:
.NET – deps.json
Python – uv.lock
JavaScript – bun.lock
Haskell – cabal.project.freeze, stack.yaml.lock
Various artifacts, including Node.js modules, Python wheels, Java Uber JARs, and Go binaries

This enables developers to automatically scan all dependencies in their projects and detect potential vulnerabilities with greater precision.

OSV-Scanner V2 now provides full container image analysis for Debian, Ubuntu, and Alpine. The tool offers:
🔹 Layer analysis, identifying where packages were introduced
🔹 Base image detection for enhanced security insights
🔹 Vulnerability filtering, tailored to container environments

The latest version introduces interactive HTML reports with advanced visualization options:
🔸 Filtering and prioritization based on severity level
🔸 Detailed insights on each vulnerability
🔸 Layer-based filtering and base image identification for container image analysis

This feature makes security reports more accessible and actionable, helping teams address vulnerabilities efficiently.

Previously, OSV-Scanner provided automatic remediation for npm packages. Now, this capability has been extended to Java projects using Maven:
Support for pom.xml, allowing dependency updates to fix vulnerabilities
Direct version upgrades or alternative dependency management options

This enhancement simplifies vulnerability remediation for Java developers.

💡 Why OSV-Scanner Stands Out from Commercial Alternatives

🔹 Fully Open-Source – The vulnerability database is continuously updated by the community
🔹 High-Quality Recommendations – Provides precise guidance on vulnerability mitigation
🔹 Multi-Language & Multi-Ecosystem Support – Works with Node.js, Python, Java, Go, .NET, and more

Google positions OSV-Scanner as a strong alternative to closed-source security tools, allowing developers to automate vulnerability detection and remediation in their projects.

🔹 Recommendations for Using OSV-Scanner

Upgrade to OSV-Scanner V2.0.0 immediately
Regularly scan dependencies for vulnerabilities
Leverage container scanning features for enhanced security
Integrate OSV-Scanner with GitHub Actions or CI/CD pipelines
Follow remediation guidelines and keep dependencies updated
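One way to wire the "regular scans" and "CI/CD integration" recommendations together, as an added example that is not OSV-Scanner's own code: a small gate that reads the report written by `osv-scanner --format json --output report.json` and fails the pipeline when any vulnerability group meets a CVSS threshold. The report layout assumed here (results → packages → groups, with `max_severity` as a string) follows the scanner's JSON output as I understand it, and every package name, ID and score in the sample is constructed.

```python
import json
import sys

# Constructed sample report. The shape follows `osv-scanner --format json`
# (results -> packages -> package/vulnerabilities/groups); IDs and scores are placeholders.
SAMPLE_REPORT = json.dumps({"results": [{
    "source": {"path": "/src/package-lock.json", "type": "lockfile"},
    "packages": [
        {"package": {"name": "example-lib", "version": "1.0.0", "ecosystem": "npm"},
         "vulnerabilities": [{"id": "OSV-PLACEHOLDER-0001"}],
         "groups": [{"ids": ["OSV-PLACEHOLDER-0001"], "aliases": [], "max_severity": "7.5"}]},
        {"package": {"name": "example-util", "version": "2.3.4", "ecosystem": "npm"},
         "vulnerabilities": [{"id": "OSV-PLACEHOLDER-0002"}],
         "groups": [{"ids": ["OSV-PLACEHOLDER-0002"], "aliases": [], "max_severity": "3.1"}]},
        {"package": {"name": "example-tool", "version": "0.9.0", "ecosystem": "PyPI"},
         "vulnerabilities": [{"id": "OSV-PLACEHOLDER-0003"}],
         "groups": [{"ids": ["OSV-PLACEHOLDER-0003"], "aliases": [], "max_severity": ""}]},
    ]}]})

def findings_at_or_above(report_text: str, threshold: float, include_unscored: bool = True) -> list:
    """One finding per vulnerability group whose max_severity (CVSS base score) >= threshold.
    An empty max_severity means the advisory carries no CVSS score; such groups are kept as
    'unscored' so they cannot slip through the gate unnoticed, unless include_unscored=False."""
    hits = []
    for result in json.loads(report_text).get("results", []):
        path = result.get("source", {}).get("path", "?")
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            for group in pkg.get("groups", []):
                raw = group.get("max_severity") or ""
                score = float(raw) if raw else None
                if (score is None and not include_unscored) or (score is not None and score < threshold):
                    continue
                hits.append({"path": path, "ecosystem": meta.get("ecosystem"), "package": meta.get("name"),
                             "version": meta.get("version"), "ids": group.get("ids", []), "score": score})
    return hits

def gate(report_text: str, threshold: float = 7.0) -> int:
    """Print blocking findings; return the exit code for the CI step (1 = fail the build)."""
    hits = findings_at_or_above(report_text, threshold)
    for h in hits:
        label = "unscored" if h["score"] is None else f"CVSS {h['score']:.1f}"
        print(f"{h['ecosystem']}/{h['package']}@{h['version']} ({h['path']}): {', '.join(h['ids'])} [{label}]")
    return 1 if hits else 0

if __name__ == "__main__":
    # Usage: python gate.py report.json 7.0   (report.json from `osv-scanner --format json --output report.json ...`)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, float(sys.argv[2]) if len(sys.argv) > 2 else 7.0))
```

Run without arguments it gates the embedded sample and exits 1; in a pipeline, point it at the scanner's real JSON output and pick the threshold your team has agreed on.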

OSV-Scanner V2.0.0 is now available for download from the official GitHub repository.

👉 Source: GitHub – OSV-Scanner

With this release, Google has taken a significant step in enhancing software security. Developers and DevOps professionals can now quickly detect hidden vulnerabilities in their code and automatically remediate security risks.

🛡 Use OSV-Scanner to strengthen your cybersecurity defenses and protect your projects!