Google's new OSV scanner
Google recently published a security scanner named OSV Scanner that checks the dependencies your code pulls in for known vulnerabilities. It looks every package it finds up in the OSV database. It is a great tool for developers to quickly check their code for vulnerabilities before a release goes out to the public.
If you have Go installed, it’s a simple one-liner to install the scanner:
go install github.com/google/osv-scanner/cmd/osv-scanner@v1
Other methods are described on the GitHub page. The scanner is also available as a Docker image.
The check after that is easy:
osv-scanner -r /path/to/repo
This will scan the repository recursively for vulnerabilities and print plenty of information on the CLI. Example:
This recursive check can be very slow, because it walks every file in the repository and checks every package, including the dependencies of your dependencies, and so on. You may want to reduce the number of checks and scan only your own lockfiles, for example:
osv-scanner --lockfile=/path/to/your/package-lock.json
You can ignore specific findings with a TOML-based configuration file that contains a list of the issues to ignore:
Why, however, you would wish to ignore a security issue is beyond my understanding :)
Lastly, reports! You can generate a report in JSON format that can be used for further processing:
osv-scanner --json --lockfile=/path/to/your/package-lock.json > /path/to/file.json
which will generate a JSON file with all the information about the vulnerabilities found in your code.
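As an added example (not part of the original post or of the osv-scanner project), here is a small Python script that reads a report produced by the --json flag above and turns it into a CI gate, honouring an ignore list the way the TOML configuration does for the scanner itself. The report layout (results, packages, vulnerabilities) is assumed from the v1 output, and the embedded report, package names and vulnerability ids are constructed placeholders.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample report in the layout osv-scanner v1 emits with --json
# (assumed: results[].source, results[].packages[].package,
# results[].packages[].vulnerabilities[]); ids and versions are placeholders.
SAMPLE_REPORT = json.loads("""
{"results": [{
  "source": {"path": "/repo/package-lock.json", "type": "lockfile"},
  "packages": [
    {"package": {"name": "example-lib", "version": "1.2.3", "ecosystem": "npm"},
     "vulnerabilities": [
       {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-00000"],
        "summary": "placeholder finding"}]},
    {"package": {"name": "clean-lib", "version": "4.0.0", "ecosystem": "npm"},
     "vulnerabilities": []}
  ]}]}
""")


def vulnerable_packages(report: dict,
                        ignored: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map 'ecosystem/name@version' -> open vulnerability ids.

    A finding is skipped if its id or any alias is in `ignored`, which is
    what an IgnoredVulns entry in osv-scanner.toml achieves on the CLI side.
    """
    ignored = set(ignored)
    found: Dict[str, List[str]] = {}
    for result in report.get("results", []):
        for entry in result.get("packages", []):
            pkg = entry["package"]
            key = f"{pkg['ecosystem']}/{pkg['name']}@{pkg['version']}"
            ids = [v["id"] for v in entry.get("vulnerabilities", [])
                   if not ({v["id"], *v.get("aliases", [])} & ignored)]
            if ids:
                found[key] = ids
    return found


def should_fail_build(report: dict, ignored: Iterable[str] = ()) -> bool:
    """CI gate: True when any non-ignored vulnerability remains."""
    return bool(vulnerable_packages(report, ignored))


if __name__ == "__main__":
    for key, ids in vulnerable_packages(SAMPLE_REPORT).items():
        print(f"{key}: {', '.join(ids)}")
    raise SystemExit(1 if should_fail_build(SAMPLE_REPORT) else 0)
```

To run it on a real report, replace SAMPLE_REPORT with json.load() of the file written by the command above; the non-zero exit status is what a pipeline step would check.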
Read more about the tool on the Google Security blog or in the GitHub README.
This post is part of #100DaysToOffload 48 posts since Dec 04, 2022 — 85 total posts