🏆 Officially recognized as an OWASP Lab Project
Vulnerability scanning that starts in your terminal and fits cleanly into CI.
Scan your lockfile, get copy-and-run fix commands, and ship clean code.
Scan. Understand. Fix.
| 🏆 OWASP Lab Project Peer-reviewed by the org behind the OWASP Top 10 — the security standard followed by millions of developers | 🎯 Remediation-first Validated fix commands + parent-aware transitive guidance — not just CVE IDs | 🔒 Runs locally Nothing leaves your machine — not your code, not your dependency tree |
<a href="#quick-start">Quick Start</a> •
<a href="#usage">Usage</a> •
<a href="#what-it-looks-like">Screenshots</a> •
<a href="https://owasp.org/cve-lite-cli/docs/html-report">HTML Report</a> •
<a href="https://owasp.org/cve-lite-cli/docs/comparison">Compare</a> •
<a href="https://owasp.org/cve-lite-cli/docs/roadmap">Roadmap</a> •
<a href="https://github.com/OWASP/cve-lite-cli/blob/main/src/docs/CONTRIBUTING.md">Contributing</a> •
<a href="https://owasp.org/slack/invite">Join Slack</a>
Package Managers
Most security tooling is designed around pipelines, not people.
Dependabot files PRs you'll get to eventually. CI scanners block merges hours after the fact. Security dashboards surface a list of CVE IDs with no clear path to resolving them. By the time a developer is looking at a scan result, the code has already been reviewed and is waiting to ship.
The feedback loop is too slow to be useful, and too noisy to be trusted. Developers learn to ignore it.
There is also a more fundamental problem: these tools tell you what is vulnerable. Very few tell you what to actually do about it. The result is a gap between detection and remediation that security teams paper over with manual triage, and developers experience as alert fatigue.
CVE Lite CLI is built around a different idea: vulnerability scanning belongs at the developer's terminal, not at the end of a pipeline.
It reads your lockfile locally, queries OSV for advisory data, and produces a concrete remediation plan — not a list of identifiers. You get copy-and-run npm install, pnpm add, yarn add, or bun add commands scoped to your package manager. You see exactly which packages are directly installed versus pulled in transitively. You can scan with no internet connection in restricted-network environments.
The tool is designed for the moment right before you push: fast, honest, and actionable.
npm install -g cve-lite-cli
cve-lite /path/to/project
Or one-off with npx:
npx cve-lite-cli /path/to/project
No account. No configuration. No source code leaves your machine.
npm update <parent> when the current parent range can resolve a known non-vulnerable child, or a parent upgrade when the range itself must change--usage and --only-used--report)--fix)overrides and resolutions for orphaned targets, floating tags, surpassed pins, ineffective nested overrides, and platform-binary coupling (--check-overrides, rules OA001-OA008)--fail-on high exits non-zero on findings at or above a severity threshold; a first-party GitHub Action is available on the Marketplace; --sarif writes SARIF 2.1.0 output for direct upload to GitHub Code Scanning; --cdx writes a CycloneDX 1.4 SBOM for Dependency-Track and compliance artifacts; --json integrates with SIEM tools and dashboards| Terminal output | HTML dashboard (--report) |
|---|---|
|
|
| Default scan output · output guide | Generated with --report · HTML report guide |
Verbose terminal output — includes the full fix plan
CVE Lite CLI fits at every stage of the development workflow, not just CI.
Local development — run a scan before opening a PR. The default output is fast and minimal. --verbose adds the full fix plan with dependency paths and prioritized remediation commands. --report opens an interactive HTML dashboard.
CI pipelines — use --fail-on high to gate builds on severity. JSON output (--json) integrates with SIEM, dashboards, and custom automation. SARIF output (--sarif) writes a SARIF 2.1.0 file for direct upload to GitHub Code Scanning — findings appear in the Security tab and annotate PRs.
Restricted and enterprise environments — sync the advisory database ahead of time with cve-lite advisories sync, then scan offline with --offline. No runtime outbound calls during the scan. Syncing ~217,065 advisory records completes in under 9 seconds.
GitHub Actions — a first-party action is available on the Marketplace:
- uses: OWASP/cve-lite-cli@v1
with:
verbose: "true"
fail-on: high
sarif: "true"
- name: Upload to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: ${{ github.workspace }}
Note:
if: always()is required on the upload step. Without it, the upload is skipped when--fail-onexits non-zero — losing your findings in Code Scanning exactly when they matter most.
CVE Lite CLI scans its own dependencies in CI. See self-scan.yml.
For full CI patterns including offline workflows, git hooks, and scripted automation, see the CI and Workflow Integration guide.
No other free tool combines all of the following: lockfile scanning across npm, pnpm, Yarn, and Bun; parent-aware transitive remediation that tells you which package to upgrade (not just which one is vulnerable); fix version validation before suggesting an upgrade; and a fully offline advisory DB for restricted environments.
| Capability | CVE Lite CLI | npm audit | OSV-Scanner | Snyk CLI | Socket CLI |
|---|---|---|---|---|---|
| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ |
| npm + pnpm + Yarn + Bun support | ✅ | ❌ | ✅ | ✅ | ✅ |
| No account required | ✅ | ✅ | ✅ | ❌ | ❌ |
| Free to use | ✅ | ✅ | ✅ | ❌ | ❌ |
| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ✅ | ⚠️ |
| Direct vs transitive visibility | ✅ | ⚠️ | ✅ | ✅ | ✅ |
| Dev vs runtime dependency labelling | ✅ | ⚠️ | ❌ | ⚠️ | ❌ |
| Copy-and-run fix commands | ✅ | ❌ | ❌ | ✅ | ⚠️ |
| Transitive parent update guidance | ✅ | ❌ | ⚠️ | ⚠️ | ⚠️ |
| Suggested remediation plan | ✅ | ❌ | ⚠️ | ✅ | ⚠️ |
| Ratcheting mode (baseline suppression) | ✅ | ❌ | ❌ | ⚠️ | ❌ |
| Interactive HTML report | ✅ | ❌ | ❌ | ✅ | ❌ |
| SARIF / GitHub Code Scanning output | ✅ | ❌ | ✅ | ✅ | ❌ |
| JSON output | ✅ | ✅ | ✅ | ✅ | ✅ |
| Offline/local advisory DB | ✅ | ❌ | ⚠️ | ❌ | ❌ |
| Override hygiene auditing | ✅ | ❌ | ❌ | ❌ | ❌ |
✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength
The transitive parent guidance is a key difference: CVE Lite CLI avoids recommending direct installs for packages that are only present transitively. For npm lockfiles, it can identify when npm update <parent> is enough to re-resolve a known non-vulnerable child within the current parent range, and when the parent package itself needs an upgrade.
Socket provides deep supply-chain analysis (malware, typosquatting, maintainer risk) but requires a paid account for full features. CVE Lite CLI remains one of the few fully free, offline, and account-free options with strong transitive analysis.
For detailed per-tool analysis, see Comparison with other tools.
CVE Lite CLI has been evaluated against real open-source projects to verify that it surfaces meaningful issues — including non-obvious transitive vulnerabilities and complex upgrade paths — not just low-signal advisory matches.
$ claude mcp add cve-lite-cli \
-- python -m otcore.mcp_server <graph>