OSV-Scanner is Google's vulnerability scanner. It matches the packages recorded in your project's dependency manifests and lock files against the OSV.dev database and reports the known vulnerabilities that affect the versions you depend on.

Files

OSV-Scanner scans the following manifest and lock files:
  • package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
  • requirements.txt, Pipfile.lock, poetry.lock, pdm.lock, uv.lock
  • go.mod
  • pom.xml, build.gradle, buildscript-gradle.lockfile, gradle.lockfile
  • Gemfile.lock
  • composer.lock
  • Cargo.toml, Cargo.lock
  • pubspec.yaml, pubspec.lock
  • mix.lock
  • renv.lock
  • cabal.project.freeze, stack.yaml.lock
  • conan.lock
  • deps.json
  • packages.lock.json, packages.config
  • bom.json, bom.xml, spdx.json, cdx.json (SBOMs)

Configuration

CodeRabbit runs OSV-Scanner only when your repository contains an osv-scanner.toml configuration file. Without that file the scanner is skipped entirely, even if the repository contains manifest or lock files from the list above, so committing one is what enables the check.
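A minimal osv-scanner.toml, added here as an illustration and not taken from the original page or from the OSV-Scanner project. OSV-Scanner reads the file from the directory of the manifest or lock files it applies to, so a monorepo may carry one per directory. The vulnerability ID and package name below are placeholders; a file with no entries is still valid TOML and should enable the scan without suppressing anything.

```toml
# osv-scanner.toml: suppression rules for the manifests and lock files in
# this directory. The ID and package names are placeholders.

# Suppress a single vulnerability ID. ignoreUntil is a TOML date; once it
# passes, the finding is reported again, so an exception cannot be forgotten.
[[IgnoredVulns]]
id = "GHSA-xxxx-xxxx-xxxx"   # placeholder: use the ID from the finding
ignoreUntil = 2025-12-31
reason = "Vulnerable function is never called; re-evaluate at the next major upgrade."

# Suppress every finding for one package, optionally pinned to a version.
[[PackageOverrides]]
name = "example-dev-tool"    # placeholder package name
ecosystem = "npm"
version = "0.9.0"            # optional; omit to match any version
ignore = true
reason = "Build-time tooling that never ships to production."
```

Every suppression should carry a reason and, for IgnoredVulns, an ignoreUntil date, so that exceptions are auditable in review and expire on their own rather than silently outliving the argument that justified them.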

Notes

  • OSV-Scanner scans dependency manifest and lock files to identify known vulnerabilities.
  • Findings include vulnerability severity scores and details from the OSV.dev database.