x osv - Open Source Vulnerabilities
Query Google OSV database for package vulnerabilities and scan local projects.
Quick Start
# Query vulnerability for a package
x osv q -p jq -v 1.7.1
# Scan local project for vulnerabilities (requires osv-scanner)
x osv scanner .
Features
- Vulnerability Query: Query OSV database for package vulnerabilities
- Project Scanning: Scan local projects using osv-scanner
- SARIF Reports: Generate SARIF security reports
- Multi-ecosystem: Supports npm, pip, Maven, Go, Rust, etc.
Prerequisites
| Tool | Purpose | Install |
|---|---|---|
| x-cmd | Required module runtime | brew install x-cmd |
| osv-scanner | Project scanning | https://github.com/google/osv-scanner |
Commands
| Command | Description |
|---|---|
x osv q <pkg> | Query vulnerabilities for a package |
x osv scanner <path> | Scan project for vulnerabilities (requires osv-scanner) |
x osv vuln <id> | Get vulnerability details |
x osv sarif | Generate SARIF security reports |
x osv eco | List supported ecosystems |
Examples
Query Vulnerabilities
# Query specific package version
x osv q -p jq -v 1.7.1
# Query by commit hash
x osv q -c 6879efc2c1596d11a6a6ad296f80063b558d5e0f
Scan Projects
# Scan current directory (requires osv-scanner installed)
x osv scanner .
# Scan specific lockfile
x osv scanner --lockfile requirements.txt
x osv scanner --lockfile package-lock.json
Generate SARIF Reports
# Scan npm project
x osv sarif npm ./my-project/
# Scan pip project with JSON output
x osv sarif pip ./project/ --json
Supported Ecosystems
View all supported ecosystems:
x osv eco
Includes: npm, PyPI, Maven, Go, Rust, NuGet, Packagist, etc.
API Key
No API key required for basic usage. Rate limits apply for unauthenticated requests.
Related
- OSV.dev - Official OSV website
- osv-scanner - Required tool for project scanning