Using OSV for Secure Dependency Management in Open Source Projects

Written By:
Founder & CTO
June 23, 2025

In today’s interconnected software landscape, developers build applications that lean heavily on open source dependencies. This reliance offers speed, flexibility, and access to battle-tested code, but it also introduces a significant surface area for security vulnerabilities. Vulnerabilities in popular packages like Log4j, OpenSSL, or even transitive dependencies buried deep within a package tree have taught the developer community one vital lesson: you are only as secure as your weakest dependency.

To address this challenge at scale, Google introduced OSV (Open Source Vulnerabilities), a comprehensive, structured, and developer-first vulnerability database and ecosystem. Unlike traditional tools that offer noisy, inconsistent, and often vague results, OSV delivers precise vulnerability detection, ecosystem-specific clarity, and developer-oriented remediation guidance. It fundamentally transforms how we think about and handle secure dependency management in modern software projects.

This blog will take you deep into how OSV works, why it matters, how to integrate it into your development workflow, and how to build an automated, secure, and resilient open-source supply chain.

Why Dependency Management Needs a Rethink
Modern development is dependency-driven

The average JavaScript project has over 1000 dependencies, many of which are deeply nested transitive packages. Developers often install libraries that depend on other libraries, leading to vast dependency trees that are hard to inspect manually.

In Python, packages installed via pip often bring in a host of ancillary packages, each with their own versioning and potential vulnerabilities. The same is true for Java’s Maven projects, Golang’s modules, or even compiled binaries built from C/C++.

Developers don’t just write code, they assemble code.

But every added dependency becomes a potential liability. From zero-day vulnerabilities to unpatched issues and even compromised maintainers, the attack surface is growing. Tools like Snyk, Dependabot, and NVD-based scanners attempt to surface vulnerabilities, but often generate noise and lack deep integration into developer workflows.

That’s where OSV steps in.

Introducing OSV: A Purpose-Built Vulnerability Database
What is OSV?

OSV (Open Source Vulnerabilities) is a vulnerability database and scanning ecosystem designed by Google. It consolidates advisories across many ecosystems, structured around a universal format optimized for developers. It includes an API, command-line scanner, and integration tools.

Key goals of OSV:

  • Deliver accurate, actionable vulnerability data.

  • Support a wide range of ecosystems (JavaScript, Python, Go, Java, Rust, Linux distros, containers, and more).

  • Reduce false positives and avoid overwhelming developers.

  • Offer tools to detect, remediate, and manage vulnerabilities in real time.

Unlike generic CVE databases, OSV focuses on version-aware reporting. It doesn’t just tell you a package might be vulnerable, it tells you this specific version you use is vulnerable, and this is the patch.

Why is this better?

Traditional vulnerability feeds often lack precision. A package name might be flagged as vulnerable without specifying which versions are affected. Developers then waste hours chasing false alarms, investigating packages they don’t even use.

OSV uses a structured schema that maps vulnerabilities to specific commit hashes, semantic versions, and affected ranges. This lets scanners like osv-scanner identify only those vulnerabilities that affect your exact dependencies.

How OSV Works: Under the Hood
A unified schema for all ecosystems

OSV defines a clear, consistent JSON schema for vulnerability advisories. This format captures:

  • Affected version ranges

  • Commit identifiers

  • Severity levels

  • Ecosystem (npm, PyPI, Go, Rust, etc.)

  • Fix availability (patch version or commit)

  • Metadata (CVE ID, links, summaries)

By normalizing data across ecosystems, OSV makes it possible to compare and query vulnerabilities consistently, whether you're working with a Java project or a Docker container.

Multi-ecosystem support

OSV supports a wide array of package ecosystems:

  • npm (JavaScript/Node.js)

  • PyPI (Python)

  • Go modules

  • Maven (Java)

  • Cargo (Rust)

  • Debian/Alpine/Ubuntu Linux packages

  • Container images

This means your backend services, CLI tools, frontend packages, and containerized applications can all be scanned and secured with the same system.

Getting Started with OSV-Scanner
Install the scanner

Installing the osv-scanner CLI tool is simple. It is distributed as a Go binary, or you can use precompiled releases. Installation is quick, light, and requires no external dependencies.

go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest

Once installed, you can immediately scan local directories, lockfiles, or even container images.

Basic usage

To scan a directory recursively for known vulnerability files (like package-lock.json, go.sum, requirements.txt):

osv-scanner -r ./my-project/

The scanner detects supported files, parses package versions, and matches them against OSV’s advisory database in real-time. The output is developer-friendly, providing:

  • Affected package name

  • Vulnerability ID (e.g., CVE-2024-1234)

  • Affected versions and your current version

  • Fixed version (if available)

  • Remediation advice

Container support

You can also scan Docker images:

osv-scanner -D my-image:latest

It will analyze installed packages inside the image layers and detect vulnerable versions from OS distributions or custom binaries.

Guided Remediation and Automation
osv-scanner fix: Precision upgrades

The fix command analyzes your dependency graph and suggests minimal upgrades to eliminate vulnerabilities. This prevents you from blindly upgrading your entire dependency tree and breaking compatibility.

osv-scanner fix --lockfile=package-lock.json --strategy=in-place

There are two remediation strategies:

  • In-place: Patch only vulnerable dependencies.

  • Relock: Upgrade dependency tree with updated lockfile.

This is essential for enterprises where stability and backwards compatibility matter as much as security.

GitHub Actions & CI/CD integration

You can integrate osv-scanner into your pipelines:

- uses: google/osv-scanner-action@v1

  with:

    path: ./my-project/

This ensures:

  • Vulnerabilities are detected during pull requests

  • Teams get alerted before merging code

  • CI fails if high-severity issues are found

Scheduled scans can also be configured to catch new disclosures that affect previously safe versions.

Advanced Capabilities for Deep Security Insight
Reachability analysis

Some vulnerabilities only pose a threat if the vulnerable code path is executed. OSV is working on reachability-based analysis, which will allow tools to determine whether vulnerable functions are even used in your application.

This reduces false positives and helps developers prioritize real threats.

License scanning

Modern security isn’t just about CVEs, it’s about governance. OSV-Scanner includes license detection, allowing teams to identify incompatible or risky licenses (like GPL in commercial apps).

This helps engineering and legal teams ensure compliance while securing the codebase.

Layer-aware container scanning

The scanner can detect which container image layer introduced a vulnerable package. This is crucial for DevOps and SRE teams who need to pinpoint base image versions or Dockerfile changes that introduced a threat.

OSV in the Real World: Use Cases and Testimonials
Open-source projects

OSV is already used by major open-source projects including:

  • TensorFlow

  • Flutter

  • Angular

These teams rely on OSV to prevent vulnerable dependencies from slipping into production releases.

Enterprises

Enterprise teams have used OSV to:

  • Clean up hundreds of transitive vulnerabilities without destabilizing production

  • Migrate legacy apps with actionable security insights

  • Automate daily scans of production Docker containers

One tech lead at a fintech startup shared:

“We dropped Dependabot in favor of OSV. The signal-to-noise ratio is so much better. We only get alerted when there’s something that really matters.”

Best Practices for Secure Dependency Management with OSV
Always use lockfiles

Lockfiles like package-lock.json, go.sum, or Pipfile.lock are essential. They let OSV match exact versions, enabling accurate vulnerability mapping. Never deploy without a locked dependency state.

Automate vulnerability detection

Run scans on every PR and nightly. Set thresholds for severity. Fail builds on critical issues. This ensures security is part of your daily workflow, not an afterthought.

Use fix automation with care

Let osv-scanner fix propose patches. Review them manually or in CI pipelines. Only update critical dependencies or deploy in staged environments first.

Watch your containers

Containers are often overlooked. Scan your base images regularly. Rebuild and redeploy when security patches are released, even if your app code hasn’t changed.

Stay updated

OSV evolves fast. New ecosystems are being added regularly. Update your CLI tools and CI plugins to benefit from improved precision, coverage, and speed.

Final Thoughts: OSV Is Built for Developers

OSV is not just another scanner, it's a smarter, developer-focused way to manage security in open-source software. By prioritizing accuracy, ecosystem-awareness, and developer productivity, OSV enables teams to proactively protect applications without slowing them down.

Whether you're an open-source maintainer or managing enterprise services, OSV empowers you to:

  • Detect only real, relevant threats

  • Fix vulnerabilities efficiently

  • Secure your supply chain with automation

Start using OSV today, and make secure dependency management a natural part of your software development lifecycle, not a painful afterthought.