In a significant move to strengthen open-source security, Google has rolled out OSV-Scanner V2.0.0 — the latest version of its free vulnerability scanning tool designed for open-source developers. This follows HP’s own moves to improve cyber defense earlier this week.
Initially launched in 2022, OSV-Scanner acts as a user-friendly front-end for Google’s open-source vulnerability database, which debuted in 2021. Its mission has remained clear: help developers detect vulnerabilities early and maintain safer codebases across the open-source community.
The major upgrade builds on OSV-SCALIBR — Google’s extensible file system scanner introduced earlier this year. With this integration, OSV-Scanner V2.0.0 officially becomes the primary command-line tool for scanning code and container images in open-source projects.
According to Google, “This V2 release builds upon OSV-SCALIBR’s foundation, transforming OSV-Scanner into a full-fledged vulnerability detection and remediation tool that supports a wide range of ecosystems and formats.”
Broader Ecosystem and File Support for Developers
One of the standout features of OSV-Scanner V2.0.0 is its expanded ability to scan various manifest and lockfiles directly from project sources. It now supports:
- .NET’s deps.json
- Python’s uv.lock
- JavaScript’s bun.lock
- Haskell’s cabal.project.freeze and stack.yaml.lock
Additionally, the scanner can process project artifacts, including Node modules, Python wheels, Java uber JARs, and Go binaries — offering developers deeper insight into their software inventory.
Smarter Container Scanning with Layer-Level Insights
The updated scanner brings robust layer-aware analysis for container images built on Alpine, Debian, and Ubuntu. Developers can now access detailed reports showing:
- Package origins and the layer where they were introduced
- Base images and operating systems in use
- Vulnerabilities that are present but unlikely to impact the final image
This enhanced visibility helps teams pinpoint risks faster and reduce unnecessary security noise.
New Interactive HTML Reports for Better Visualization
Google also introduced a sleek interactive local HTML output in this release. Users can now view scan results in a user-friendly format, complete with:
- Flaw advisories and severity breakdowns
- Package-level filtering
- ID-based sorting and vulnerability importance ranking
This feature simplifies vulnerability management and makes the data easier to act on.
Guided Remediation for Java Developers
Another valuable addition is guided remediation support for Maven. Java developers can now fix both direct and transitive vulnerabilities more efficiently. The scanner offers:
- Read and write access to pom.xml files
- Ability to pull metadata from private registries
- Automated updates to the latest safe dependency versions
Google also introduced machine-readable output for remediation tasks, enabling seamless integration into CI/CD pipelines and other workflows.
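As an added illustration of consuming that machine-readable output in a pipeline (this is not code from the article or from the OSV-Scanner project), the snippet below parses a scan report in the JSON shape I understand osv-scanner to emit (results, then packages, then vulnerabilities and advisory groups) and turns it into a CI pass/fail decision; the report itself, its package names and its advisory IDs are constructed placeholders, and the field layout is an assumption to check against the version you run.

```python
import json

# Constructed sample in the shape of osv-scanner's JSON output as I understand it
# (results -> packages -> vulnerabilities/groups). The layout, the package names
# and the placeholder advisory IDs are all assumptions, not data from a real scan.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "uv.lock", "type": "lockfile"},
        "packages": [
            {"package": {"name": "examplelib", "version": "1.0.0", "ecosystem": "PyPI"},
             "vulnerabilities": [{"id": "GHSA-PLACEHOLDER-0001",
                                  "summary": "constructed advisory"}],
             "groups": [{"ids": ["GHSA-PLACEHOLDER-0001"], "max_severity": "7.5"}]},
            {"package": {"name": "cleanlib", "version": "2.3.1", "ecosystem": "PyPI"},
             "vulnerabilities": [], "groups": []},
        ],
    }],
})


def summarize(report_json):
    """Map (ecosystem, name, version) -> highest CVSS score among its advisory groups.

    Packages with no findings are omitted. A group whose max_severity cannot be
    parsed is recorded as None (unknown) rather than silently dropped.
    """
    findings = {}
    for result in json.loads(report_json).get("results", []):
        for pkg in result.get("packages", []):
            if not pkg.get("vulnerabilities"):
                continue
            meta = pkg["package"]
            key = (meta["ecosystem"], meta["name"], meta["version"])
            scores = []
            for group in pkg.get("groups", []):
                try:
                    scores.append(float(group.get("max_severity")))
                except (TypeError, ValueError):
                    scores.append(None)
            known = [s for s in scores if s is not None]
            findings[key] = max(known) if known else None
    return findings


def ci_gate(report_json, threshold=7.0):
    """Return (passes, blocking): blocking lists packages scored at or above threshold.

    Unknown severities block as well; a finding you cannot score should not pass unseen.
    """
    blocking = sorted(k for k, s in summarize(report_json).items()
                      if s is None or s >= threshold)
    return (not blocking, blocking)
```

In a pipeline the report string would come from the scanner's JSON output file rather than the embedded sample, and a non-zero exit on `passes == False` is what fails the job.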
What’s Next for OSV-Scanner?
Looking ahead, Google plans to further enhance OSV-Scanner’s capabilities. Upcoming updates will include:
- Broader ecosystem support
- Complete file accounting within container images
- Advanced reachability analysis
- Integration of Vulnerability Exploitability eXchange (VEX) support
Both OSV-Scanner V2.0.0 and OSV-SCALIBR are open-sourced and available on GitHub. Google encourages developers to explore, contribute, and provide feedback to help improve the toolset.