MCPcopy Index your code
hub / github.com/OWASP/cve-lite-cli

github.com/OWASP/cve-lite-cli @v1.26.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.26.0 ↗ · + Follow
703 symbols 2,154 edges 202 files 23 documented · 3% 1 cross-repo links
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

OWASP Lab Project npm version npm downloads CI GitHub Marketplace License Protected by CVE Lite CLI OpenSSF Best Practices

CVE Lite CLI — An OWASP Foundation Project

CVE Lite CLI

🏆 Officially recognized as an OWASP Lab Project

Vulnerability scanning that starts in your terminal and fits cleanly into CI.

Scan your lockfile, get copy-and-run fix commands, and ship clean code.

Scan. Understand. Fix.

🏆 OWASP Lab Project Peer-reviewed by the org behind the OWASP Top 10 — the security standard followed by millions of developers 🎯 Remediation-first Validated fix commands + parent-aware transitive guidance — not just CVE IDs 🔒 Runs locally Nothing leaves your machine — not your code, not your dependency tree
<a href="#quick-start">Quick Start</a> •
<a href="#usage">Usage</a> •
<a href="#what-it-looks-like">Screenshots</a> •
<a href="https://owasp.org/cve-lite-cli/docs/html-report">HTML Report</a> •
<a href="https://owasp.org/cve-lite-cli/docs/comparison">Compare</a> •
<a href="https://owasp.org/cve-lite-cli/docs/roadmap">Roadmap</a> •
<a href="https://github.com/OWASP/cve-lite-cli/blob/main/src/docs/CONTRIBUTING.md">Contributing</a> •
<a href="https://owasp.org/slack/invite">Join Slack</a>

Package Managers

npm npm pnpm pnpm Yarn Yarn Bun Bun

The problem with how security scanning works today

Most security tooling is designed around pipelines, not people.

Dependabot files PRs you'll get to eventually. CI scanners block merges hours after the fact. Security dashboards surface a list of CVE IDs with no clear path to resolving them. By the time a developer is looking at a scan result, the code has already been reviewed and is waiting to ship.

The feedback loop is too slow to be useful, and too noisy to be trusted. Developers learn to ignore it.

There is also a more fundamental problem: these tools tell you what is vulnerable. Very few tell you what to actually do about it. The result is a gap between detection and remediation that security teams paper over with manual triage, and developers experience as alert fatigue.

A different model

CVE Lite CLI is built around a different idea: vulnerability scanning belongs at the developer's terminal, not at the end of a pipeline.

It reads your lockfile locally, queries OSV for advisory data, and produces a concrete remediation plan — not a list of identifiers. You get copy-and-run npm install, pnpm add, yarn add, or bun add commands scoped to your package manager. You see exactly which packages are directly installed versus pulled in transitively. You can scan with no internet connection in restricted-network environments.

The tool is designed for the moment right before you push: fast, honest, and actionable.

Quick start

npm install -g cve-lite-cli
cve-lite /path/to/project

Or one-off with npx:

npx cve-lite-cli /path/to/project

No account. No configuration. No source code leaves your machine.

What it does

  • Produces copy-and-run fix commands — every finding comes with a package-manager-aware install command you can run immediately
  • Distinguishes direct from transitive risk — shows whether the vulnerability is in something you installed or buried three levels deep in a dependency chain
  • Explains parent update paths — for transitive npm findings, recommends npm update <parent> when the current parent range can resolve a known non-vulnerable child, or a parent upgrade when the range itself must change
  • Usage-aware reachability — optionally uses static analysis to detect whether vulnerable packages are actually imported in your code, cutting noise with --usage and --only-used
  • Offline advisory DB — sync advisory data ahead of time and scan with zero runtime API calls, designed for enterprise and air-gapped environments
  • Interactive HTML report — generate a self-contained dashboard with severity cards, a searchable findings table, and copy-ready fix commands (--report)
  • Auto-fix mode — apply validated direct dependency fixes and rescan automatically (--fix)
  • Override hygiene checks — audit npm/pnpm/yarn/bun overrides and resolutions for orphaned targets, floating tags, surpassed pins, ineffective nested overrides, and platform-binary coupling (--check-overrides, rules OA001-OA008)
  • CI-ready--fail-on high exits non-zero on findings at or above a severity threshold; a first-party GitHub Action is available on the Marketplace; --sarif writes SARIF 2.1.0 output for direct upload to GitHub Code Scanning; --cdx writes a CycloneDX 1.4 SBOM for Dependency-Track and compliance artifacts; --json integrates with SIEM tools and dashboards
  • Minimal footprint — four runtime dependencies, intentionally kept small for a security tool

What it looks like

Terminal output HTML dashboard (--report)
CVE Lite CLI terminal output CVE Lite CLI HTML dashboard
Default scan output · output guide Generated with --report · HTML report guide

Verbose terminal output — includes the full fix plan

Verbose output part 1 Verbose output part 2 Verbose output part 3

Workflow integration

CVE Lite CLI fits at every stage of the development workflow, not just CI.

Local development — run a scan before opening a PR. The default output is fast and minimal. --verbose adds the full fix plan with dependency paths and prioritized remediation commands. --report opens an interactive HTML dashboard.

CI pipelines — use --fail-on high to gate builds on severity. JSON output (--json) integrates with SIEM, dashboards, and custom automation. SARIF output (--sarif) writes a SARIF 2.1.0 file for direct upload to GitHub Code Scanning — findings appear in the Security tab and annotate PRs.

Restricted and enterprise environments — sync the advisory database ahead of time with cve-lite advisories sync, then scan offline with --offline. No runtime outbound calls during the scan. Syncing ~217,065 advisory records completes in under 9 seconds.

GitHub Actions — a first-party action is available on the Marketplace:

- uses: OWASP/cve-lite-cli@v1
  with:
    verbose: "true"
    fail-on: high
    sarif: "true"

- name: Upload to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v4
  if: always()
  with:
    sarif_file: ${{ github.workspace }}

Note: if: always() is required on the upload step. Without it, the upload is skipped when --fail-on exits non-zero — losing your findings in Code Scanning exactly when they matter most.

CVE Lite CLI scans its own dependencies in CI. See self-scan.yml.

For full CI patterns including offline workflows, git hooks, and scripted automation, see the CI and Workflow Integration guide.

How it compares

No other free tool combines all of the following: lockfile scanning across npm, pnpm, Yarn, and Bun; parent-aware transitive remediation that tells you which package to upgrade (not just which one is vulnerable); fix version validation before suggesting an upgrade; and a fully offline advisory DB for restricted environments.

Capability CVE Lite CLI npm audit OSV-Scanner Snyk CLI Socket CLI
JS/TS lockfile scanning
npm + pnpm + Yarn + Bun support
No account required
Free to use
Usage-aware reachability scanning ⚠️
Direct vs transitive visibility ⚠️
Dev vs runtime dependency labelling ⚠️ ⚠️
Copy-and-run fix commands ⚠️
Transitive parent update guidance ⚠️ ⚠️ ⚠️
Suggested remediation plan ⚠️ ⚠️
Ratcheting mode (baseline suppression) ⚠️
Interactive HTML report
SARIF / GitHub Code Scanning output
JSON output
Offline/local advisory DB ⚠️
Override hygiene auditing

✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength

The transitive parent guidance is a key difference: CVE Lite CLI avoids recommending direct installs for packages that are only present transitively. For npm lockfiles, it can identify when npm update <parent> is enough to re-resolve a known non-vulnerable child within the current parent range, and when the parent package itself needs an upgrade.

About Socket CLI

Socket provides deep supply-chain analysis (malware, typosquatting, maintainer risk) but requires a paid account for full features. CVE Lite CLI remains one of the few fully free, offline, and account-free options with strong transitive analysis.

For detailed per-tool analysis, see Comparison with other tools.

Real-world validation

CVE Lite CLI has been evaluated against real open-source projects to verify that it surfaces meaningful issues — including non-obvious transitive vulnerabilities and complex upgrade paths — not just low-signal advisory matches.

  • OWASP Juice Shop — scanning a deliberately vulnerable application with known dependency issues
  • NestJS — working through a real transitive dependency remediation sequence across a widely-used Node.js framework
  • Analog — scanning a modern pnpm v9 Angular monorepo (3,367 packages) with unexpected toolchain vulnerabilities
  • Ghost — 26 vulnerable packages across 4,447 resolved in a professionally maintained CMS — every one transitive, including a critical XSS in the library responsible for making user content safe
  • [Astro](https://owasp.org/

Extension points exported contracts — how you extend this code

AuditLogHandle (Interface)
(no doc) [6 implementers]
src/audit-log/handle.ts
AdvisorySource (Interface)
(no doc) [4 implementers]
src/advisory/advisory-source.ts
WriteOutputsInput (Interface)
(no doc)
src/output/write-outputs.ts
VerifyTarget (Interface)
(no doc)
src/cli/fix-overrides-hook.ts
FixOptions (Interface)
(no doc)
src/overrides/fixer.ts
MultiFolderScanResult (Interface)
(no doc)
src/scan/multi-folder-scan.ts
CtxOpts (Interface)
(no doc)
tests/overrides/detectors/oa005.test.ts
OverridesJson (Interface)
(no doc)
tests/e2e/package-managers.test.ts

Core symbols most depended-on inside this repo

removeDir
called by 82
tests/test-utils.ts
detect
called by 78
src/overrides/detectors/oa008-materialized.ts
runCli
called by 61
tests/e2e/harness.ts
escapeHtml
called by 60
src/output/html-reporter.ts
pluralize
called by 57
src/utils/string.ts
buildSuggestedFixCommandPlan
called by 55
src/remediation/fix-commands.ts
rmProject
called by 48
tests/e2e/harness.ts
looksLikeVersion
called by 46
src/utils/version.ts

Shape

Function 613
Interface 47
Method 27
Class 16

Languages

TypeScript100%

Modules by API surface

src/output/printers.ts28 symbols
src/remediation/fix-commands.ts22 symbols
src/parsers/npm-lock-graph.ts20 symbols
src/output/formatters.ts19 symbols
src/scanner.ts18 symbols
src/remediation/npm-transitive-resolution.ts17 symbols
src/utils/network.ts15 symbols
src/utils/create-pr.ts15 symbols
src/remediation/parent-upgrade.ts13 symbols
src/parsers/pnpm-lock.ts13 symbols
src/overrides/fixer.ts13 symbols
src/output/html-reporter.ts13 symbols

Used by 1 indexed graphs manifest dependencies, hub-wide

For agents

$ claude mcp add cve-lite-cli \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page