Osv.dev Alternatives

osv.dev reviews and mentions

• I scanned 8 popular open-source repos for outdated dependencies and CVEs. Here's what I found.
  1 project | dev.to | 31 May 2026

  I built ScanReq, a VS Code extension that scans dependency files, checks versions against public registries in real time, and queries OSV.dev for known CVEs. It supports 8 ecosystems: Python, Node.js, Rust, Go, PHP, Ruby, and Java (both Maven and Gradle).

• Bumblebee vs OSV-Scanner: Two Takes on Supply Chain Scanning
  2 projects | dev.to | 23 May 2026

  osv-scanner reads manifest files (package.json, go.mod, etc.) and matches them against advisories in osv.dev.

• 4 Open-Source Security Tools Every Dev Should Know
  4 projects | dev.to | 6 May 2026

  OSV-Scanner is Google's answer, and it plugs into the OSV database — a unified vulnerability feed that aggregates data from dozens of sources.

• How to Check If Your Dependencies Are Vulnerable (30 Lines of Python)
  3 projects | dev.to | 25 Mar 2026

  For each package+version, queries OSV.dev (Google's vulnerability DB)

• OSV.dev Has a Free API — Find Vulnerabilities in Any Open-Source Package
  2 projects | dev.to | 24 Mar 2026

  OSV.dev aggregates vulnerabilities from:

• We Let an AI Attack Our Security Pipeline. Here's What 412 Attacks Taught Us.
  1 project | dev.to | 18 Mar 2026

  We ingest MCP-related CVEs from four sources every hour: the Vulnerable MCP Project, the NVD, the GitHub Advisory Database, and OSV.dev. Each new CVE becomes a regression test. The loop doesn't move to creative work until every CVE is defended.

• I ran npm audit and DepGra on the same project — here's what each one caught
  2 projects | dev.to | 15 Mar 2026

  Why? DepGra queries OSV.dev, which aggregates vulnerability data from multiple sources. npm audit queries the GitHub Advisory Database. Sometimes one source has advisories the other hasn't ingested yet. In this case, OSV.dev had this CVE and GitHub's advisory database didn't surface it through npm audit at the time I tested.

• 39 CVEs in WebGoat. Only 36 Were Reachable.
  2 projects | dev.to | 9 Mar 2026

  This is not a reachability gap — it is a database coverage gap. NetShield queries osv.dev, an open vulnerability database. Snyk uses a proprietary database with a dedicated research team that catalogs vulnerabilities faster, especially newly published ones (several of the missing CVEs were marked "new" in Snyk's output). NetShield correctly classified every CVE it received from OSV. It simply never received the 9 additional CVEs because OSV doesn't have them yet. A future version could integrate additional sources to close this gap.

• GitHub's Ubuntu Runners Have 1,681 Packages and 9 High Vulns
  1 project | news.ycombinator.com | 13 Oct 2025

  But you can use a runner that you run on your behalf in a clud instead and choose create the runner with minimum packages.

  It's the first time i became clear how big the problem really is - only looking at the vulns at https://osv.dev/ (thanks for sharing - i didn't know that one).

  I was aware of the vuln and lately wormed mess in npm, but i was sure everything else is mitigated much better - and runners, i of course thought are cared for a lot more. Yes, i am looking at you GH.

• Building AI Agents to Prioritize CVEs — A Google ADK Guide
  3 projects | dev.to | 23 Apr 2025

  In this story, we will create our first AI agents using Agent Development Kit. AI agents will be integrated with Google OSV, MITRE, KEV, and a bit of Google search. AI agents will enrich data about given vulnerabilities with public data from different sources to help prioritize (triage) problems.

• A note from our sponsor - SaaSHub
  www.saashub.com | 14 Jun 2026

  SaaSHub helps you find the best software and product alternatives Learn more →