Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
OSV scanner
OSV scanner is a Software Composition Analysis (SCA) tool developed by Google that identifies vulnerabilities in open-source dependencies using the OSV database. When integrated with Invicti AppSec, OSV scanner runs as a Docker-based scanner and supports reachability analysis — the ability to determine whether a detected vulnerability is actually exploitable through your application's code paths.
Reachability helps your team prioritize remediation efforts by distinguishing between vulnerabilities that can actually be reached at runtime and those that exist only in unused or unreachable code paths.
Requirements
Before you activate the OSV scanner integration, make sure the following prerequisites are in place:
| Requirement | Details |
|---|---|
| Operating system | Linux or macOS. Windows isn't supported for running OSV scanner. |
| Docker runtime | You need a Docker or container runtime environment on the scan host. |
| Docker image | The kondukto/osv-scanner image must be accessible. The supported image tags are: latest, 2.0.3, 1.9.2, v1.2.0. |
| Repository connection | You need a source control management (SCM) integration configured for the project (unless you're using SBOM file scan mode). |
| License | You need an active Invicti AppSec license. |
| Invicti AppSec access | Administrator permissions to activate integrations and configure scanners. |
If your environment uses a private container registry, you can specify a custom image registry when configuring the scanner through SBOM Radar.
Step 1: Activate the OSV scanner integration
You need to activate OSV scanner at the platform level before you can use it in any project.
- Select Integrations from the left side menu.
- Navigate to the Scanners category.
- Locate the OSV card under the SCA tab.
- Click Activate on the OSV card.
After activation, OSV scanner becomes available for use across your projects.
Activate OSV as an inspector tool in SBOM Radar (optional)
OSV scanner can also run automatically as a vulnerability inspector within the SBOM Radar integration. This enables scheduled, automated SBOM vulnerability inspection every 12 hours.
- Select Integrations from the left side menu.
- Navigate to the Scanners category and open the SCA tab.
- Click Settings on the SBOM Radar card.
- Under Trigger with, select the scan types that should automatically generate an SBOM (for example, SAST, SCA, CS, or IaC).
- Select a Generator tool (Syft, CDXGen, BlackDuck, Mend SCA, or Import).
- From the Inspector Tool dropdown, select OSV.
- Choose an SBOM format (CycloneDX or SPDX).
- Click Save.
Changing the inspector tool setting deletes all vulnerabilities that SBOM Radar previously discovered. Make sure you review this impact before switching inspector tools.
Step 2: Configure project scan settings
After activating the integration, configure OSV scanner at the project level to define how and when scans run.
Add an OSV scan profile
- Navigate to the project where you want to run OSV scans.
- Select Settings from the project menu, then go to the Scanners tab.
- From the Scan type dropdown, select SCA.
- From the Scanner dropdown, select OSV. The scanner shows a Docker icon, indicating it runs in a container.
- Click Add. The scan configuration drawer opens.
Configure the scan profile
Fill in the following fields in the scan configuration drawer:
| Field | Required | Description |
|---|---|---|
| Environment | No | Assign the scan to a specific environment (for example, Production, Staging, Feature, Development). Selecting Feature automatically enables the fork scan toggle. |
| Branch | Yes | The repository branch to scan. Use the auto-complete field to search available branches. This field is disabled when the Default Branch toggle is on. |
| Meta data | No | An optional metadata value for the scan. This must be unique per branch and tool combination. |
| Scan tag | No | An optional tag for organizational purposes. |
| Docker image tag | Yes | Select the OSV scanner version to use. The platform loads available tags from the container registry (for example, Latest, 2.0.3, 1.9.2, v1.2.0). Tags latest and 2.0.3 use OSV scanner V2 CLI syntax, while 1.9.2 and v1.2.0 use V1 syntax. |
| Fork default branch | No | When you enable this, the scan compares the selected branch against the project's default branch or a fork source branch. The label changes to Fork source branch when you select a feature environment. |
- Configure the Schedule for the scan using the scheduler component. You can set recurring scans (for example, daily, weekly) or trigger a one-time scan.
- Click Save to create the scan profile.
Start a scan
After you have completed the integration configuration, you can start a scan.
- Scheduled scans run automatically based on the configured schedule.
- Trigger on-demand scans from the project's scan page.
When a scan starts, Invicti AppSec:
- Clones the specified branch from the configured repository.
- Runs the OSV scanner inside a Docker container against the cloned source code.
- Parses the scan results, extracting CVE IDs, severity scores, CVSS vectors, CWE IDs, affected packages, and fixed package versions.
- Stores the results and makes them available for you to query and analyze.
For SBOM Radar inspector scans, OSV scanner runs automatically every 12 hours against the generated SBOM. You don't need to trigger these manually.
Step 3: View reachability results
After a scan completes, you can find reachability information in the vulnerability details.
View reachability in vulnerability details
- Navigate to the Vulnerabilities page for your project.
- Click any SCA vulnerability discovered by OSV scanner to open its detail panel.
- In the vulnerability detail panel, locate the SCA section under Tool-Specific Details.
- The Reachable field displays one of the following values:
| Value | Indicator | Meaning |
|---|---|---|
| Yes | Green badge | The vulnerability is reachable through your application's code paths and potentially exploitable. Prioritize this for remediation. |
| No | Plain text | The vulnerability exists in a dependency but isn't reachable through your application code. Lower priority for remediation. |
| N/A | Plain text | The scanner couldn't determine reachability for this vulnerability. Treat conservatively. |
Interpret reachability for prioritization
Use the reachability status to guide your remediation strategy:
- Reachable (Yes): these vulnerabilities represent actual risk to your application. Focus remediation efforts here first.
- Not reachable (No): while the vulnerable dependency is present, your application doesn't exercise the affected code path. You can address these with lower urgency.
- Unknown (N/A): reachability analysis couldn't determine the status. Apply your organization's default risk posture for these findings.
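The result-parsing step described under "Start a scan" (extract CVE IDs, severity, CVSS vectors, CWE IDs, affected packages and fixed versions, keeping only fixed versions above the current one) and the reachability-based prioritization described above can be illustrated with the following Python script. This is an added example written for this page; it is not Invicti or OSV scanner code. It assumes the report follows the OSV schema as emitted by osv-scanner's JSON output (results -> packages -> vulnerabilities), that CWE IDs are found under database_specific.cwe_ids as in GitHub-sourced OSV records, and that the reachability value (Yes/No/N/A, as Invicti displays it) is supplied separately, because the page does not describe the raw scanner field that carries it. The sample report is constructed, with placeholder identifiers, and the version comparison is a simplified numeric one.

```python
"""Parse an OSV scanner JSON report, extract the fields Invicti AppSec records,
and rank findings by reachability and severity. Added example, not product code."""
import json
import re
from typing import Optional

# Constructed sample shaped like an osv-scanner JSON report. Every identifier
# (GHSA/CVE/CWE ids, package names, URLs) is a placeholder, not a real advisory.
SAMPLE_REPORT = json.dumps({
    "results": [{
        "source": {"path": "/src/package-lock.json", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "example-lib", "version": "1.4.0", "ecosystem": "npm"},
                "vulnerabilities": [{
                    "id": "GHSA-xxxx-xxxx-xxx1",            # placeholder id
                    "aliases": ["CVE-0000-0001"],           # placeholder CVE
                    "summary": "constructed finding A",
                    "severity": [{"type": "CVSS_V3",
                                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
                    "database_specific": {"severity": "HIGH", "cwe_ids": ["CWE-0000"]},
                    "affected": [{
                        "package": {"name": "example-lib", "ecosystem": "npm"},
                        # Two vulnerable ranges: 1.2.0 fixed an older range, 1.4.2 fixes
                        # the range the project's 1.4.0 falls into.
                        "ranges": [{"type": "SEMVER", "events": [
                            {"introduced": "0"}, {"fixed": "1.2.0"},
                            {"introduced": "1.3.0"}, {"fixed": "1.4.2"}]}],
                    }],
                    "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory-a"}],
                }],
            },
            {
                "package": {"name": "other-lib", "version": "2.0.0", "ecosystem": "npm"},
                "vulnerabilities": [{
                    "id": "GHSA-xxxx-xxxx-xxx2",            # placeholder id
                    "aliases": ["CVE-0000-0002"],           # placeholder CVE
                    "summary": "constructed finding B (no fix published)",
                    "severity": [{"type": "CVSS_V3",
                                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
                    "database_specific": {"severity": "CRITICAL"},
                    "affected": [{"package": {"name": "other-lib", "ecosystem": "npm"},
                                  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}],
                }],
            },
        ],
    }]
})


def parse_version(text: str) -> tuple:
    """Simplified numeric ordering for dotted versions such as 1.4.2 (assumption:
    good enough for SEMVER ranges; real deployments need ecosystem-aware ordering)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def earliest_fix_above(events: list, current: str) -> Optional[str]:
    """Earliest 'fixed' event strictly greater than the current version, or None.
    Mirrors the rule that only fixed versions above the current version are shown."""
    cur = parse_version(current)
    fixes = [e["fixed"] for e in events if "fixed" in e and parse_version(e["fixed"]) > cur]
    return min(fixes, key=parse_version) if fixes else None


def extract_findings(report_json: str) -> list:
    """Flatten the report into one record per (package, vulnerability)."""
    findings = []
    for result in json.loads(report_json).get("results", []):
        file_path = result.get("source", {}).get("path")
        for pkg_entry in result.get("packages", []):
            pkg = pkg_entry["package"]
            for vuln in pkg_entry.get("vulnerabilities", []):
                ids = [vuln["id"]] + vuln.get("aliases", [])
                # Collect range events only from 'affected' entries for this package.
                events = [e for aff in vuln.get("affected", [])
                          if aff.get("package", {}).get("name") == pkg["name"]
                          for rng in aff.get("ranges", []) for e in rng.get("events", [])]
                cvss = next((s["score"] for s in vuln.get("severity", [])
                             if s.get("type", "").startswith("CVSS_V3")), None)
                db = vuln.get("database_specific", {})
                findings.append({
                    "id": vuln["id"],
                    "package": pkg["name"],
                    "ecosystem": pkg.get("ecosystem"),
                    "current_version": pkg["version"],
                    "cve_ids": [i for i in ids if i.startswith("CVE-")],
                    "cwe_ids": list(db.get("cwe_ids", [])),   # field location is an assumption
                    "severity": (db.get("severity") or "UNKNOWN").upper(),
                    "cvss_vector": cvss,
                    "fixed_version": earliest_fix_above(events, pkg["version"]),
                    "file_path": file_path,
                    "references": [r["url"] for r in vuln.get("references", [])],
                })
    return findings


# Reachable findings first; N/A is treated conservatively, ahead of confirmed-unreachable.
REACH_RANK = {"Yes": 0, "N/A": 1, "No": 2}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def prioritize(findings: list, reachability: dict) -> list:
    """Order findings for remediation. `reachability` maps a vulnerability id to the
    Yes/No/N/A value shown in the vulnerability details; missing ids count as N/A."""
    def key(f):
        reach = reachability.get(f["id"], "N/A")
        return (REACH_RANK.get(reach, 1),
                SEVERITY_RANK.get(f["severity"], 4),
                0 if f["fixed_version"] else 1,   # findings with a fix ahead of unfixed ones
                f["package"])
    return sorted(findings, key=key)


if __name__ == "__main__":
    reach = {"GHSA-xxxx-xxxx-xxx1": "Yes", "GHSA-xxxx-xxxx-xxx2": "No"}  # constructed
    for f in prioritize(extract_findings(SAMPLE_REPORT), reach):
        print(reach.get(f["id"], "N/A"), f["severity"], f["package"],
              f["current_version"], "->", f["fixed_version"], f["cve_ids"], f["cwe_ids"])
```

Running the script prints the reachable HIGH finding (with its 1.4.2 fix) ahead of the unreachable CRITICAL one; with no reachability data at all, both fall into the N/A bucket and severity decides the order instead.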
Additional vulnerability information
Each OSV scanner finding also includes the following details in the vulnerability view:
| Field | Description |
|---|---|
| CVE ID | The Common Vulnerabilities and Exposures identifier. |
| CWE ID | The Common Weakness Enumeration classification. |
| Severity | The severity level from the OSV database (Critical, High, Medium, Low). |
| CVSS Score | The CVSS v3 score from the vulnerability data. |
| Current Version | The version of the affected package in your project. |
| Fixed Version | The earliest version that resolves the vulnerability. Only shows versions greater than the current version. |
| Package URL (PURL) | The standardized package URL for the affected component. |
| File Path | The source file where the scanner detected the dependency. |
| References | Links to advisories, patches, and related resources. |
Supported ecosystems
OSV scanner supports vulnerability detection across multiple package ecosystems, including:
- npm (Node.js)
- pip (Python)
- Maven (Java)
- Go modules
- Cargo (Rust)
- RubyGems (Ruby)
- And other ecosystems tracked by the OSV database
Need help?
The Invicti Support team is ready to provide you with technical help. Go to Help Center