AI-assisted vulnerability scanner for open source projects
Scans any public GitHub repository for known vulnerabilities (CVE, GHSA and other OSV-tracked advisories) in its dependencies by querying the OSV (Open Source Vulnerabilities) database at OSV.dev. Supports the Python (PyPI) and Node.js (npm) ecosystems out of the box.
- Dependency scanning: parses `requirements.txt`, `package.json` and `pyproject.toml`
- CVE lookup: queries OSV.dev in real time for known vulnerabilities
- Severity ranking: CRITICAL / HIGH / MEDIUM / LOW with fix version hints
- Zero config: just point it at a GitHub URL
```shell
# Install
pip install -e .

# Scan a repository
vulnscope scan https://github.com/owner/repo
```

Example output:

```text
╭────────────────────────────────────────╮
│ vulnscope OSS Vulnerability Scanner    │
│ Target: https://github.com/owner/repo  │
╰────────────────────────────────────────╯
Scanning 42 dependencies against OSV database...

── django (3 issues) ───────────────────────────────────────
│ ID             │ Severity │ Summary              │ Fix   │
│ CVE-2023-36053 │ HIGH     │ ReDoS in EmailVal..  │ 4.2.3 │
│ CVE-2023-41164 │ HIGH     │ Potential DoS via... │ 4.2.5 │
│ GHSA-xxx-xxx   │ MEDIUM   │ ...                  │ 3.2.1 │
────────────────────────────────────────────────────────────
```
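To make the pipeline behind that output concrete, here is an added example (not vulnscope's own code) of the steps such a scanner performs for a PyPI manifest: parse exact pins out of `requirements.txt`, build the OSV `POST /v1/querybatch` request, and turn the advisory records into the severity labels and fix hints shown above. The manifest, the batch result and the two advisory records are constructed inline so it runs offline; `GHSA-xxxx-xxxx-xxxx` is a placeholder identifier (CVE-2023-36053 is Django's real ReDoS advisory, fixed in 3.2.20 / 4.1.10 / 4.2.3), and `post_querybatch`, the live network call, is defined but never invoked.

```python
"""Added example, not vulnscope's own code: parse pinned PyPI deps, build the OSV
querybatch request, and derive severity labels and fix hints from OSV records."""
import json
import re
import urllib.request

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"  # documented OSV API endpoint
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}
GHSA_LABELS = {"MODERATE": "MEDIUM"}  # GitHub advisories say MODERATE, not MEDIUM
# Only exact pins are checkable: "rich>=13.0" names no version OSV could match.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;]+)")

def parse_requirements(text):
    """[(normalized_name, version)] for pinned lines; skips comments, pip options
    such as -r/--index-url, and unpinned specifiers."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = PIN.match(line)
        if m:  # PEP 503 name normalization: lowercase, runs of [-_.] become "-"
            deps.append((re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)))
    return deps

def build_querybatch(deps, ecosystem="PyPI"):
    """Request body for POST /v1/querybatch: one query per dependency."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in deps]}

def post_querybatch(body):
    """Live lookup (network); defined for completeness, not called below."""
    req = urllib.request.Request(OSV_QUERYBATCH, data=json.dumps(body).encode(),
                                headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["results"]  # one {"vulns": [{"id", "modified"}]} per query

def vkey(v):  # adequate for dotted numeric versions; pre-release tags compare as 0
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v))

def fix_hint(vuln, ecosystem, name, installed):
    """Smallest 'fixed' event above the installed version. OSV lists one range per
    maintained branch, so the global minimum would send a 4.2 user to 3.2.20."""
    fixes = [ev["fixed"]
             for aff in vuln.get("affected", [])
             if aff.get("package", {}).get("ecosystem") == ecosystem
             and aff["package"].get("name", "").lower() == name
             for rng in aff.get("ranges", [])
             for ev in rng.get("events", []) if "fixed" in ev]
    above = [f for f in fixes if vkey(f) > vkey(installed)]
    return min(above, key=vkey) if above else None

def severity_label(vuln):
    """GHSA-derived OSV records carry database_specific.severity; others may not."""
    raw = str(vuln.get("database_specific", {}).get("severity", "UNKNOWN")).upper()
    label = GHSA_LABELS.get(raw, raw)
    return label if label in SEVERITY_ORDER else "UNKNOWN"

def rank_findings(deps, batch_results, vulns_by_id, ecosystem="PyPI"):
    """Join querybatch results to deps (vulns_by_id stands in for GET /v1/vulns/{id}
    responses); order CRITICAL first, ties broken by advisory id."""
    findings = []
    for (name, version), result in zip(deps, batch_results):
        for ref in result.get("vulns", []):
            vuln = vulns_by_id[ref["id"]]
            findings.append({"package": name, "version": version, "id": vuln["id"],
                             "severity": severity_label(vuln), "summary": vuln.get("summary", ""),
                             "fix": fix_hint(vuln, ecosystem, name, version)})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["id"]))

# Constructed sample data. CVE-2023-36053 is Django's real ReDoS advisory (fixed in
# 3.2.20 / 4.1.10 / 4.2.3); GHSA-xxxx-xxxx-xxxx is a placeholder identifier.
SAMPLE_REQUIREMENTS = "Django==4.2.1\nrequests==2.31.0  # pinned, clean here\n-r dev.txt\nrich>=13.0\n"
SAMPLE_BATCH_RESULTS = [{"vulns": [{"id": "CVE-2023-36053"}, {"id": "GHSA-xxxx-xxxx-xxxx"}]}, {}]
SAMPLE_VULNS = {
    "CVE-2023-36053": {
        "id": "CVE-2023-36053", "summary": "ReDoS in EmailValidator and URLValidator",
        "database_specific": {"severity": "HIGH"},
        "affected": [{"package": {"ecosystem": "PyPI", "name": "django"}, "ranges": [
            {"type": "ECOSYSTEM", "events": [{"introduced": "3.2"}, {"fixed": "3.2.20"}]},
            {"type": "ECOSYSTEM", "events": [{"introduced": "4.1"}, {"fixed": "4.1.10"}]},
            {"type": "ECOSYSTEM", "events": [{"introduced": "4.2"}, {"fixed": "4.2.3"}]}]}]},
    "GHSA-xxxx-xxxx-xxxx": {
        "id": "GHSA-xxxx-xxxx-xxxx", "summary": "placeholder moderate-severity advisory",
        "database_specific": {"severity": "MODERATE"},
        "affected": [{"package": {"ecosystem": "PyPI", "name": "django"}, "ranges": [
            {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "4.2.2"}]}]}]},
}

def scan_offline():
    deps = parse_requirements(SAMPLE_REQUIREMENTS)
    # Live variant: rank_findings(deps, post_querybatch(build_querybatch(deps)), fetched_records)
    return rank_findings(deps, SAMPLE_BATCH_RESULTS, SAMPLE_VULNS)

if __name__ == "__main__":
    for f in scan_offline():
        print(f"{f['package']}=={f['version']}  {f['id']:<20} {f['severity']:<8} fix {f['fix']}")
```

Three details matter in practice. Only `==` pins can be checked, since OSV matches a concrete version; `rich>=13.0` is skipped rather than silently reported clean. The fix hint is the smallest fixed version above the installed one, because OSV records carry one range per maintained branch and the naive global minimum would point a Django 4.2 user at 3.2.20. And GitHub-sourced records label the middle tier MODERATE, which has to be mapped onto the MEDIUM bucket the scanner prints.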
| File | Ecosystem |
|---|---|
| requirements.txt | PyPI |
| pyproject.toml | PyPI |
| package.json | npm |
PRs welcome. If you find a false negative (a vulnerability we missed), please open an issue.
License: MIT