OSV-Scanner

What is OSV-Scanner?

OSV-Scanner is an open-source tool created by Google to detect vulnerabilities in projects by scanning dependencies against the Open Source Vulnerabilities database. By leveraging the continuously updated OSV database, OSV-Scanner provides accurate, up-to-date vulnerability information, helping developers to identify and mitigate security issues early in the development cycle.

OSV-Scanner is capable of scanning various file types that specify project dependencies, including but not limited to:

  • requirements.txt and Pipfile for Python projects.

  • package.json and yarn.lock for Node.js projects.

  • Gemfile.lock for Ruby projects.

  • go.mod for Go projects.

OSV-Scanner supports a wide range of languages and package ecosystems outside of those listed above, making it a versatile tool for developers looking to secure their codebase.

Installing OSV-Scanner

With Trunk Check, you can automatically install and configure OSV-Scanner along with any relevant linters in a few straightforward steps. Here's how:

First, if you haven't already installed Trunk CLI, you can do so with the command below:

curl https://get.trunk.io -fsSL | bash

Next, you can initialize Trunk from the root of your git repository:

trunk init

This command will scan your repository and create a .trunk/trunk.yaml file that enables all linters, formatters, and security analyzers recommended by Trunk Check. This includes OSV-Scanner if it is applicable to your project.

To see all available linters Trunk Check installed, simply run:

trunk check list

If you find OSV-Scanner is not automatically enabled, you can do so by running:

trunk check enable osv-scanner

Alternatively, to disable OSV-Scanner run the command below. To disable other tooling applied by Trunk Check, simply replace osv-scanner with the respective tool you're looking to disable.

trunk check disable osv-scanner

For more details on Trunk Check setup, see here.

Configuring OSV-Scanner

Most linters provide some mechanism to tweak their configuration, e.g. .eslintrc or Cargo.toml. Trunk is aware of all the ways individual tools are configured and supports them. This means linters you've already configured will continue to work exactly the same, just now supercharged by Trunk Check.

Like many linters with Trunk, OSV-Scanner works out of the box so there's no need to set up a custom configuration. For additional configurations like ignoring vulnerabilities by ID, we recommend checking out OSV-Scanner's docs.
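As an added example (not taken from the Trunk docs or the OSV-Scanner project), an osv-scanner.toml placed in the directory being scanned can suppress a single finding by ID; the vulnerability ID below is a placeholder and the reason text is assumed.

```toml
# osv-scanner.toml (added example; ID is a placeholder, not a real advisory)
# Each [[IgnoredVulns]] entry suppresses one advisory by its OSV ID.
# Always record the reason, and use ignoreUntil so the exception expires
# and the finding is re-evaluated rather than silenced forever.
[[IgnoredVulns]]
id = "GHSA-xxxx-xxxx-xxxx"
ignoreUntil = 2025-12-31
reason = "Placeholder: affected function is not reachable from this project"
```

Keep this file under version control so every suppression is visible in code review and shows up in the git history.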

If you're interested in other tooling outside of OSV-Scanner, check out our open-source repository to see how we define and support 90+ linters.

Running OSV-Scanner

To check your code with OSV-Scanner, run the command below. This command executes OSV-Scanner, along with any other linters Trunk Check has enabled on files you've modified. Since Trunk is git-aware, it knows what you've changed, and by adding batched execution and caching, you end up with a much faster and smoother way to run OSV-Scanner and other tools.

trunk check

If you prefer to check files you've modified with OSV-Scanner only, run the following:

trunk check --filter=osv-scanner

Although we'd recommend against it depending on the size of your repository, you can check all files with OSV-Scanner by running the command below.

trunk check --all --filter=osv-scanner

In most scenarios, you'll want to execute against modified files only, as described above.

Updating Trunk Check & OSV-Scanner

To upgrade the Trunk CLI along with all plugins and linters in your trunk.yaml simply run:

trunk upgrade

We highly recommend running on the latest validated versions of tools as updates will frequently include important security fixes and additional valuable checks. Trunk only auto-suggests linter upgrades to versions that we have tested and support, so you may see a slight lag time when a new linter version is released.

Upgrade will also recommend new tools that have become applicable since the last time your repository was scanned. This can be a result of using new technologies in your repository or Trunk itself adding support for more tools. If you don't like a particular recommendation, you can always run trunk check disable <linter> to tell Trunk not to recommend it.

Recommended Linters to Pair with OSV-Scanner

Integrating OSV-Scanner with additional security tools will help with project protection. Here are some linters we'd recommend alongside OSV-Scanner:

  • Trufflehog: Detects exposed secrets in codebases.

  • Trivy: Scans container images, file systems, and configuration files for vulnerabilities.

  • Nancy: Verifies Go project dependencies against known vulnerabilities in the Sonatype OSS Index.

This combination ensures comprehensive coverage against vulnerabilities, from code secrets to project dependencies and container security.