
An honest software bill of materials.

A CVE severity renders only when OSV.dev actually returned it. A version renders only when a lockfile actually pinned it. Everything else is blank: never a placeholder, never a guess. Scan your own manifest below: it never leaves your browser.

Scan a manifest

Drop a file or paste it. We query OSV.dev live, then show real advisories or a blank line.
Accepted manifests: package-lock.json, package.json, requirements.txt, pyproject.toml, Dockerfile.
Nothing leaves your browser until you click. We never store your files.

We scan in your browser, so there is nothing to discard because nothing is uploaded. We never store your lockfiles or your dependency list. The only network call is to OSV.dev, the public vulnerability database, to fetch real advisory IDs you can verify yourself.

Pricing

The scan is free forever. Pay only for what runs while you sleep.
Scan: $0, free forever
  • Unlimited self-serve scans
  • Live OSV.dev advisories, real or blank
  • Drift, EOL runtime, lockfile gaps
  • Honesty Receipt export
  • Nothing stored. Nothing uploaded.
Pro Monitoring: $49/mo. The advisory you miss is the one that ships.
  • We re-scan your manifest daily
  • Email the moment a new real advisory lands
  • No false positives. No guessed severities.
  • Only alerts on versions you actually ship
  • Cancel anytime
Attestation Pack: $49, one estate, audit-ready
  • Signed CycloneDX SBOM export
  • 0-guessed-values attestation PDF
  • Hand it to a customer security questionnaire
  • Every line real-from-source or blank
  • One-time, per estate

Payments run securely through Stripe. We never see your card. Both paid tiers are backed by the same honesty gate as the free scan: a fact is real from an authoritative source, or it is blank.

Proof, on a real public estate

We ran the same scanner against axios/axios: 1,359 components resolved, 13 manifests parsed, 9 real OSV advisories, 0 guessed values.

Every one of the 1,359 rows was parsed deterministically from a manifest or lockfile in the public axios/axios repo. Zero rows are model-sourced. The 9 advisories were returned live by OSV.dev: real GHSA IDs you can verify, not our opinion. The other 678 resolved package@versions returned no advisory and render nothing. That restraint is the product.

The gate

Why you can trust every value
A fact is verified only when its source is authoritative: a resolved lockfile, a package manifest, a Dockerfile digest, or a live OSV.dev advisory. A security severity renders only when OSV actually returned an advisory for a resolved package@version, and is blank otherwise. A model's opinion about a severity, a license, or a "latest version" is never verified and never renders. A floating ^4.28.0 with no lockfile is not a version: it stays blank. Real or blank. Never a placeholder.
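The gate above, written out as an added example (not the product's own code): only exact pins from a lockfile or an `==` requirement become OSV queries, a `^4.28.0` range in a bare package.json renders blank, and a severity renders only when the OSV record itself carries a CVSS vector. It assumes the documented shape of OSV.dev's `POST /v1/querybatch` request and of the `severity` field in an OSV record; every input below is constructed.

```python
import json
import re

# Exact Python pin: "name==1.2.3" (extras/markers ignored; anything else is a range).
PINNED_PY = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)")
EXACT_SEMVER = re.compile(r"\d+\.\d+\.\d+")

def pinned_from_requirements(text):
    """Return {name: version} for '==' pins only; '>=', bare names and ranges stay unresolved."""
    pins = {}
    for line in text.splitlines():
        m = PINNED_PY.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def npm_manifest_versions(text):
    """package.json alone: an exact 'x.y.z' is a version; '^4.28.0' or '*' is not, so it renders ''."""
    deps = json.loads(text).get("dependencies", {})
    return {n: (v if EXACT_SEMVER.fullmatch(v) else "") for n, v in deps.items()}

def pinned_from_package_lock(text):
    """package-lock.json v2/v3: every 'node_modules/<name>' entry carries a resolved version."""
    pins = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        if path.startswith("node_modules/") and "version" in meta:
            pins[path.rsplit("node_modules/", 1)[1]] = meta["version"]
    return pins

def osv_querybatch(ecosystem, pins):
    """Request body for POST https://api.osv.dev/v1/querybatch: one query per resolved pin."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in sorted(pins.items())]}

def render_severity(vuln):
    """The gate: a CVSS vector only when the OSV record itself carries one; otherwise ''."""
    for entry in vuln.get("severity") or []:
        if entry.get("type") in ("CVSS_V3", "CVSS_V4") and entry.get("score"):
            return entry["score"]
    return ""

if __name__ == "__main__":
    # Constructed inputs: not a real project, not a real OSV response.
    print(pinned_from_requirements("requests==2.31.0\nflask>=2.0\nnumpy\n"))
    print(npm_manifest_versions('{"dependencies": {"axios": "^4.28.0", "left-pad": "1.3.0"}}'))
    print(osv_querybatch("PyPI", {"requests": "2.31.0"}))
    print(repr(render_severity({"id": "GHSA-placeholder-id", "severity": []})))  # '' : blank, not guessed
```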