Google's new OSV scanner
Google recently published a security scanner named OSV Scanner that checks your project for dependencies with known vulnerabilities. It looks every package it finds up in the OSV database (osv.dev) and reports any issue collected there. It is a great tool for developers to quickly check their code for vulnerable dependencies before a release goes out to the public.
If you have Go installed, it’s a simple one-liner to install the scanner:
Other methods are described on the GitHub page. The scanner is also available as a Docker image.
Running a check after that is easy:
This will scan the repository recursively for vulnerabilities and print plenty of information on the CLI. Example:
This recursive check will be very slow, as it walks every file in the repository and every package, including the dependencies of your dependencies, and so on. You might want to reduce the number of checks and only scan your own lockfiles, for example:
You can suppress specific findings with a TOML configuration file that lists the vulnerability IDs to ignore:
Why, however, you would wish to ignore a security issue is beyond my understanding :)
Lastly, reports!!! You can generate a report in JSON format that can be used for further processing:
which will generate a JSON file with all the information about the vulnerabilities found in your code.
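As an added example (not part of the post or of the osv-scanner project), here is a small Python script that reads such a report, lists the packages that still have findings, and drops any IDs from an ignore list in the spirit of the TOML config above. It assumes the report follows osv-scanner's JSON layout (results, each with packages, each with vulnerabilities) and uses a constructed sample with placeholder IDs.

```python
"""Summarise an osv-scanner JSON report (example added here; not from the post)."""
import json
from collections import defaultdict

# Constructed sample in the shape osv-scanner's JSON output is assumed to take:
# results -> source + packages -> package info + vulnerabilities. IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "results": [
        {
            "source": {"path": "/repo/go.mod", "type": "lockfile"},
            "packages": [
                {
                    "package": {"name": "example.com/lib", "version": "1.2.3", "ecosystem": "Go"},
                    "vulnerabilities": [
                        {"id": "EXAMPLE-0001", "aliases": ["CVE-0000-00001"], "summary": "placeholder"},
                        {"id": "EXAMPLE-0002", "aliases": [], "summary": "placeholder"},
                    ],
                },
                {
                    "package": {"name": "example.com/clean", "version": "2.0.0", "ecosystem": "Go"},
                    "vulnerabilities": [],
                },
            ],
        }
    ]
})

def summarise(report_text, ignored=()):
    """Return {(ecosystem, name, version): [vuln ids]} for packages with findings,
    skipping any vulnerability whose id or alias is in `ignored`."""
    report = json.loads(report_text)
    findings = defaultdict(list)
    for result in report.get("results", []):
        for entry in result.get("packages", []):
            pkg = entry["package"]
            key = (pkg["ecosystem"], pkg["name"], pkg["version"])
            for vuln in entry.get("vulnerabilities", []):
                ids = {vuln["id"], *vuln.get("aliases", [])}
                if ids & set(ignored):
                    continue  # matches an entry of the ignore list
                findings[key].append(vuln["id"])
    return dict(findings)

def exit_code(findings):
    """1 if any finding remains, else 0: suitable for failing a CI job."""
    return 1 if findings else 0

if __name__ == "__main__":
    found = summarise(SAMPLE_REPORT)
    for (eco, name, ver), ids in sorted(found.items()):
        print(f"{eco} {name}@{ver}: {', '.join(ids)}")
    raise SystemExit(exit_code(found))
```

Replace SAMPLE_REPORT with the contents of the JSON file the scanner wrote to run it against a real report.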
Read more about the tool on the Google Security blog or in the GitHub README.
This post is part of #100DaysToOffload (total posts: 57)