Linux command

osv-scanner command

Documentation

After copying a command, replace the file names, directories or parameters as needed.

Common examples

Scan a directory recursively

osv-scanner scan -r [directory]

Scan a specific lockfile

osv-scanner scan --lockfile [package-lock.json]

Scan an SBOM file

osv-scanner scan --sbom [sbom.json]

Output results as JSON

osv-scanner scan -r [directory] --format json

Scan a Docker image

osv-scanner scan --docker [image:tag]

Scan and generate a guided remediation report

osv-scanner fix -r [directory]

Description

osv-scanner scans project dependencies for known vulnerabilities by querying the OSV.dev database, which aggregates vulnerability data from multiple sources including GitHub Advisory Database, PyPI, RubyGems, and crates.io. The tool automatically detects and parses lockfiles from most major package ecosystems including npm, pip, Go modules, Cargo, Maven, NuGet, and more. It can also scan SBOM files in SPDX or CycloneDX formats and Docker container images. The fix subcommand provides guided remediation by suggesting version upgrades that resolve detected vulnerabilities while minimizing breaking changes. Call graph analysis (supported for Go and Rust) can reduce false positives by determining whether vulnerable code paths are actually reachable from the project.
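A typical next step after `osv-scanner scan -r [directory] --format json` is to post-process the report in CI: list each vulnerable package with the versions that fix it, honour the same ignore list you keep in osv-scanner.toml, and fail the build only when unignored findings remain. The script below is an added example, not part of this page or of the osv-scanner project; the sample report is constructed inline with placeholder advisory ids, and the results/packages/vulnerabilities layout is assumed to match the scanner's JSON output.

```python
import json

# Constructed sample of `osv-scanner --format json` output (not real scanner output).
# The results -> packages -> vulnerabilities layout is an assumption about the JSON schema;
# the advisory id and package names are placeholders, not real advisories.
SAMPLE_OUTPUT = json.dumps({
    "results": [{
        "source": {"path": "/work/app/package-lock.json", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "example-lib", "version": "1.2.0", "ecosystem": "npm"},
                "vulnerabilities": [{
                    "id": "OSV-PLACEHOLDER-0001",
                    "summary": "Constructed advisory used only for this demonstration",
                    "aliases": [],
                    "affected": [{
                        "package": {"name": "example-lib", "ecosystem": "npm"},
                        "ranges": [{"type": "SEMVER", "events": [
                            {"introduced": "0"}, {"fixed": "1.2.5"}]}],
                    }],
                }],
            },
            {
                "package": {"name": "clean-lib", "version": "3.0.0", "ecosystem": "npm"},
                "vulnerabilities": [],
            },
        ],
    }]
})


def summarize(report_json, ignored_ids=()):
    """Return one finding per (package, advisory), each with the fixed versions the
    advisory lists, skipping ids in ignored_ids (the same ids you would put in the
    IgnoredVulns section of osv-scanner.toml so both checks agree)."""
    findings = []
    for result in json.loads(report_json).get("results", []):
        for pkg in result.get("packages", []):
            meta = pkg["package"]
            for vuln in pkg.get("vulnerabilities", []):
                if vuln["id"] in ignored_ids:
                    continue
                # Collect every "fixed" event across the affected ranges; these are
                # the upgrade targets guided remediation (osv-scanner fix) would consider.
                fixed = [ev["fixed"] for aff in vuln.get("affected", [])
                         for rng in aff.get("ranges", []) for ev in rng.get("events", [])
                         if "fixed" in ev]
                findings.append({"package": meta["name"], "ecosystem": meta["ecosystem"],
                                 "version": meta["version"], "id": vuln["id"], "fixed": fixed})
    return findings


def should_fail(report_json, ignored_ids=()):
    """True when any unignored finding remains, i.e. the CI gate should block."""
    return bool(summarize(report_json, ignored_ids))
```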

Parameters

scan
Scan dependencies for vulnerabilities.
fix
Generate guided remediation suggestions.
-r, --recursive _DIR_
Scan directory recursively for lockfiles and manifests.
--lockfile _FILE_
Scan a specific lockfile (auto-detects ecosystem).
--sbom _FILE_
Scan an SBOM file (supports SPDX and CycloneDX).
--docker _IMAGE_
Scan a Docker image for vulnerabilities.
--format _FORMAT_
Output format: table (default), json, markdown, sarif.
--config _FILE_
Path to osv-scanner.toml configuration file.
--call-analysis
Enable call graph analysis to filter unreachable vulnerabilities (Go, Rust).
--no-ignore
Do not respect ignore entries in the config file.
--verbosity _LEVEL_
Set verbosity level: error, warn, info, verbose.
--help
Display help information.

FAQ

How do I run a basic osv-scanner example?

Run `osv-scanner scan -r [directory]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does scan do in osv-scanner?

Scan dependencies for vulnerabilities.