The OSV-Scanner tool, offered free to developers by Google, enables the detection of security flaws in open source projects, including both code and dependencies.
Security as code is starting to take hold in companies. To support the movement, Google has announced a tool that will serve developers well. Offered for free on GitHub, OSV-Scanner detects flaws both in the code and in the dependencies of open source applications and services.
“Each dependency contains potentially existing known vulnerabilities or new bugs that can be discovered at any time. There are simply too many dependencies and versions to track manually, so automation is necessary,” the company explains in a blog post. “If you run OSV-Scanner on your project, it will first find any transitive dependencies used by scanning manifests, SBOMs, and commit hashes. The scanner then links this information to the OSV database and displays the relevant vulnerabilities for your project.”
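The matching step the quote describes, reduced to its core, as an added example rather than code from Google's scanner: dependencies found in a manifest are turned into an OSV batch query, and each returned record's SEMVER ranges are checked against the installed version. The dependency list and the two OSV records are constructed for illustration; only the SEMVER range type is handled.

```python
OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"  # public OSV v1 API endpoint

def parse_version(v):
    """'1.2.3-beta' -> (1, 2, 3); non-numeric parts count as 0 (SEMVER core only)."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def build_querybatch(deps):
    """Request body for a batch lookup of (ecosystem, name, version) triples."""
    return {"queries": [{"package": {"ecosystem": e, "name": n}, "version": v}
                        for e, n, v in deps]}

def is_affected(entry, ecosystem, name, version):
    """True if `version` of the package falls in a SEMVER range of one OSV record.
    Events are ordered: 'introduced' opens a range and the next 'fixed' closes it;
    a range with no 'fixed' event is open-ended (no patched release yet)."""
    v = parse_version(version)
    for aff in entry.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue
            lower = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    lower = parse_version(ev["introduced"])
                elif "fixed" in ev and lower is not None:
                    if lower <= v < parse_version(ev["fixed"]):
                        return True
                    lower = None
            if lower is not None and lower <= v:
                return True
    return False

def match_vulns(deps, entries):
    """Map each dependency to the ids of the OSV records that affect it."""
    return {f"{e}:{n}@{v}": [x["id"] for x in entries if is_affected(x, e, n, v)]
            for e, n, v in deps}

# Constructed sample data, not real advisories.
SAMPLE_DEPS = [("Go", "example.com/lib", "1.3.2"), ("Go", "example.com/lib", "1.4.0"),
               ("npm", "demo-pkg", "2.1.0")]
SAMPLE_ENTRIES = [
    {"id": "EXAMPLE-2022-0001", "affected": [{"package": {"ecosystem": "Go", "name": "example.com/lib"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.4.0"}]}]}]},
    {"id": "EXAMPLE-2022-0002", "affected": [{"package": {"ecosystem": "npm", "name": "demo-pkg"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}]}]}]},
]
```

Posting `build_querybatch(SAMPLE_DEPS)` to `OSV_QUERYBATCH_URL` returns the matching record ids, which the scanner then fetches and evaluates as `match_vulns` does here.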
Open source distributed database OSV.dev as a pillar
Integrated into the OpenSSF Vulnerability Scanning Dashboard, OSV-Scanner is an additional security-as-code initiative from Google aimed at open source developers. The OSV scanner generates vulnerability information that supplies the distributed open source database OSV.dev, based on the Open Source Vulnerability publication scheme announced in 2021 by the Mountain View company.