OSV-Scanner picking up steam
- Google’s OSV-Scanner has moved beyond a niche dependency checker into a broader code-and-container vulnerability tool, with its March 17, 2025 V2 release and a latest tagged version of v2.3.5 on March 24, 2026.
- The tool now scans source trees and container images, supports Debian, Ubuntu, and Alpine layers, and its GitHub repository shows about 9,200 stars, a visible sign of growing developer adoption.
- Google pitches OSV-Scanner as producing “fewer, more actionable” alerts by matching dependencies against the open OSV.dev database and machine-readable version data. (google.github.io)
Software vulnerability scanners are supposed to catch real problems, not flood engineers with noise. Google’s OSV-Scanner is gaining attention because it tries to do both dependency checking and container scanning with a smaller alert pile. (google.github.io) (security.googleblog.com)

A dependency scanner works like a parts list checker for software: it reads lockfiles, manifests, or built artifacts, then matches those packages against known security flaws. OSV-Scanner says it extracts package data first and then matches it against vulnerability databases. (google.github.io)

Google released OSV-Scanner V2.0.0 on March 17, 2025 and described it as the official command-line code and container scanning tool for the OSV-Scalibr library. That release expanded support for new lockfiles, built artifacts, and layer-aware container analysis. (security.googleblog.com) The current tagged release is v2.3.5, published March 24, 2026. Its release notes list Python `requirements.txt` transitive scanning through the deps.dev API, plus plugin and performance updates. (github.com)

The container feature is a big part of the pitch. OSV-Scanner can scan Debian, Ubuntu, and Alpine images, show which layer first introduced a package, identify the base image, and group findings by package instead of dumping a raw list. (security.googleblog.com) (google.github.io) That matters in continuous integration and delivery pipelines, where teams often scan every build and triage results under time pressure. Google’s documentation says the tool is meant to run directly in a terminal or CI/CD pipeline, and its default container output is designed for the large vulnerability counts common in images. (google.github.io 1) (google.github.io 2)

Google’s argument for lower noise comes from the data model behind the scanner.
The company says OSV.dev uses open advisories from sources such as GitHub Security Advisories, RustSec, and Ubuntu notices, and stores affected versions in a machine-readable format that maps directly to package versions. (google.github.io) (github.com)

The project’s public footprint has also grown. GitHub’s repository page showed roughly 9,200 stars when checked today, alongside active commits and recent release activity in April 2026. (github.com 1) (github.com 2)

There are limits. Google warns that guided remediation, the `fix` command, can be risky on untrusted projects because package managers may execute scripts or reach external registries during updates. (google.github.io)

So the story is less that OSV-Scanner suddenly appeared than that it has matured into a fuller security tool. For teams already scanning dependencies and images in build pipelines, the question now is whether its “fewer, more actionable” approach holds up in their own repos. (google.github.io)
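To make the extract-then-match model described above concrete, here is an added Python example; it is not OSV-Scanner's own code and does not reproduce its internals. It parses a constructed `requirements.txt`, matches the pinned versions against constructed advisory records shaped like the OSV schema (`affected[].package` plus `ECOSYSTEM` ranges with `introduced`/`fixed` events), groups findings by package rather than emitting one flat row per advisory, and builds the request body for OSV.dev's public `querybatch` endpoint without sending it, so it runs offline. The advisory ids (`OSV-EXAMPLE-*`), summaries and pinned versions are placeholders, and the version comparator is a simplified numeric one, not a full PEP 440 implementation.

```python
"""Minimal model of the OSV matching pipeline: extract packages from a
lockfile-style manifest, then match them against OSV-format advisories
whose 'affected' entries carry machine-readable version ranges.

Everything below is constructed for illustration: the requirements text,
the advisory records and their ids are not real advisories."""
import json
import re

# Constructed sample of a Python requirements.txt with '==' pins.
REQUIREMENTS_TXT = """\
# constructed sample; pins are illustrative, not real findings
requests==2.31.0
urllib3==2.2.2
flask==3.0.3
"""

# Constructed advisories in the OSV schema shape. Ids are placeholders.
ADVISORIES = [
    {
        "id": "OSV-EXAMPLE-0001",
        "summary": "constructed: affects requests before 2.32.0",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "requests"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "2.0.0"}, {"fixed": "2.32.0"}]}],
        }],
    },
    {
        "id": "OSV-EXAMPLE-0002",
        "summary": "constructed: fixed well before the pinned flask version",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "flask"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.3.0"}]}],
        }],
    },
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9a-zA-Z.]*)\s*$")


def parse_requirements(text):
    """Extract (name, version) pairs from '==' pins. Comments and unpinned
    lines are skipped; this is the 'extract package data first' step."""
    pkgs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = PIN_RE.match(line)
        if m:
            pkgs.append((m.group(1).lower(), m.group(2)))
    return pkgs


def vkey(version):
    """Numeric dotted-version key. Simplified on purpose: enough for the
    constructed pins above, not a PEP 440 comparator."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def in_range(version, events):
    """Walk the ordered introduced/fixed events of an ECOSYSTEM range.
    An 'introduced' of '0' means 'since the first release'."""
    affected = False
    for ev in events:
        if "introduced" in ev:
            intro = ev["introduced"]
            if intro == "0" or vkey(version) >= vkey(intro):
                affected = True
        elif "fixed" in ev and vkey(version) >= vkey(ev["fixed"]):
            affected = False
    return affected


def match(packages, advisories, ecosystem="PyPI"):
    """Return findings grouped by package@version -> sorted advisory ids,
    so a package hit by several advisories shows up once."""
    by_pkg = {}
    for name, version in packages:
        hits = set()
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != ecosystem or pkg["name"].lower() != name:
                    continue
                for rng in aff.get("ranges", []):
                    if rng["type"] == "ECOSYSTEM" and in_range(version, rng["events"]):
                        hits.add(adv["id"])
        if hits:
            by_pkg[f"{name}@{version}"] = sorted(hits)
    return by_pkg


def querybatch_body(packages, ecosystem="PyPI"):
    """Build the JSON body the OSV.dev endpoint
    https://api.osv.dev/v1/querybatch accepts. Built only, never sent here."""
    return json.dumps({"queries": [
        {"package": {"name": n, "ecosystem": ecosystem}, "version": v}
        for n, v in packages]})


if __name__ == "__main__":
    pkgs = parse_requirements(REQUIREMENTS_TXT)
    print(json.dumps(match(pkgs, ADVISORIES), indent=2))
    print(querybatch_body(pkgs))
```

The useful point is the second advisory: flask 3.0.3 sits above its `fixed` event, so the machine-readable range rules it out instead of surfacing a name-only match, which is the kind of noise the page says the OSV data model is meant to avoid. A real pipeline would hand the `querybatch` body to OSV.dev, or simply run OSV-Scanner, rather than rely on the toy comparator here.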