SCA Scan with OSV-Scanner

When to use

Prerequisites

• OSV-Scanner installed (

  go install github.com/google/osv-scanner/cmd/osv-scanner@latest

  or download binary)
• Verify:

  osv-scanner --version

Instructions

1. Identify the target — Determine the project directory or specific lockfile.
2. Run the scan:
   bash

   osv-scanner -r --json <target-directory> > osv-results.json

   • Specific lockfile:

     osv-scanner --lockfile=package-lock.json --json

   • SBOM input:

     osv-scanner --sbom=sbom.json --json

   • Skip git scanning:

     osv-scanner -r --skip-git --json <directory>

3. Parse the results — Read JSON output and present findings:

| # | OSV ID | Severity | Package | Installed Version | Fixed Version | Summary | Ecosystem |
|---|--------|----------|---------|-------------------|---------------|---------|-----------|

1. Summarize — Provide:
   • Total dependencies scanned vs vulnerabilities found
   • Critical/High severity findings first
   • Upgrade commands for each vulnerable package
   • Link to OSV advisory for each finding

Supported Lockfiles

package-lock.json

yarn.lock

pnpm-lock.yaml

requirements.txt

Pipfile.lock

poetry.lock

go.sum

Cargo.lock

pom.xml

gradle.lockfile

packages.lock.json

Gemfile.lock

composer.lock