DEV Community

Alex Spinov


OSV.dev Has a Free API — Find Vulnerabilities in Any Open-Source Package

The Story

I was auditing a Python project with 47 dependencies. Running pip-audit found 3 vulnerabilities, but I needed more details — CVE descriptions, fix versions, affected ranges. The NVD API is slow and clunky.

Then I found OSV.dev — Google's open-source vulnerability database with a clean, fast API.

What Is OSV.dev?

OSV.dev aggregates vulnerabilities from:

  • GitHub Security Advisories
  • PyPI Advisory Database
  • npm Advisories
  • RustSec
  • Go Vulnerability Database
  • Linux kernel vulnerabilities
  • And 15+ other sources

One API to search them all.

The API

# Check if a package has vulnerabilities
curl -s -X POST "https://api.osv.dev/v1/query" \
  -H "Content-Type: application/json" \
  -d '{"package": {"name": "requests", "ecosystem": "PyPI"}}'

# Get a specific vulnerability
curl -s "https://api.osv.dev/v1/vulns/GHSA-j8r2-6x86-q33q"

# Batch query multiple packages
curl -s -X POST "https://api.osv.dev/v1/querybatch" \
  -H "Content-Type: application/json" \
  -d '{"queries": [{"package": {"name": "lodash", "ecosystem": "npm"}}, {"package": {"name": "django", "ecosystem": "PyPI"}}]}'

Practical Example: Audit Your Dependencies

import requests

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

def check_package(name, ecosystem="PyPI", version=None):
    # Without "version", OSV returns every advisory ever filed for the package,
    # not only the ones affecting the release you actually install.
    payload = {"package": {"name": name, "ecosystem": ecosystem}}
    if version:
        payload["version"] = version

    r = requests.post(OSV_QUERY_URL, json=payload, timeout=15)
    r.raise_for_status()  # surface HTTP errors instead of parsing an error body
    vulns = r.json().get("vulns", [])

    return {
        "package": name,
        "vuln_count": len(vulns),
        "vulns": [
            {
                "id": v["id"],
                "summary": v.get("summary", "No summary")[:80],
                # database_specific varies by source; GHSA records carry a severity label
                "severity": v.get("database_specific", {}).get("severity", "UNKNOWN")
            }
            for v in vulns[:5]  # first five only, to keep the report short
        ]
    }

# Audit popular packages (no version given, so this lists historical advisories)
packages = [
    ("requests", "PyPI"),
    ("flask", "PyPI"),
    ("django", "PyPI"),
    ("lodash", "npm"),
    ("express", "npm"),
]

for name, eco in packages:
    result = check_package(name, eco)
    status = "VULNERABLE" if result["vuln_count"] > 0 else "CLEAN"
    print(f"{status}: {name} ({eco}) — {result['vuln_count']} vulns")
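The story at the top wanted fix versions and affected ranges, and the query above only tells you how many advisories exist. Both come from the record's `affected[].ranges[].events` list, which the `/v1/vulns/{id}` endpoint returns. The following is an added example, not code from the post: it evaluates an OSV record offline, deciding whether a given version falls inside an affected range and collecting the `fixed` versions. `SAMPLE_VULN` is a constructed record, not a real advisory; `fetch_vuln` is the only function that touches the network and uses the standard library's `urllib` rather than `requests`. The version comparison is a deliberate simplification (assumption: plain dotted numeric releases; use `packaging.version` for full PEP 440 input).

```python
import json
import urllib.request

OSV_VULN_URL = "https://api.osv.dev/v1/vulns/"


def parse_version(text):
    """Turn "2.31.0" into a comparable tuple.
    Simplification (assumption): plain numeric releases only; trailing zeros are
    dropped so "2.31" and "2.31.0" compare equal. Not a PEP 440 parser."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def affected_ranges(vuln, name, ecosystem):
    """Yield (introduced, fixed, last_affected) for the named package.
    OSV events are ordered: an "introduced" event opens an interval and a
    "fixed" or "last_affected" event closes it; a new "introduced" starts another."""
    for entry in vuln.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("name") != name or pkg.get("ecosystem") != ecosystem:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue  # GIT ranges hold commit hashes, which are not comparable here
            introduced = fixed = last = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    if introduced is not None:
                        yield (introduced, fixed, last)
                    introduced, fixed, last = ev["introduced"], None, None
                elif "fixed" in ev:
                    fixed = ev["fixed"]
                elif "last_affected" in ev:
                    last = ev["last_affected"]
            if introduced is not None:
                yield (introduced, fixed, last)


def version_is_affected(vuln, name, ecosystem, version):
    """True when version lies in any affected interval of the record."""
    v = parse_version(version)
    for introduced, fixed, last in affected_ranges(vuln, name, ecosystem):
        if v < parse_version(introduced):  # "0" means every release since the start
            continue
        if fixed is not None and v >= parse_version(fixed):
            continue
        if last is not None and v > parse_version(last):
            continue
        return True
    return False


def fix_versions(vuln, name, ecosystem):
    """Sorted, de-duplicated list of versions that close an affected interval."""
    fixes = {f for _, f, _ in affected_ranges(vuln, name, ecosystem) if f}
    return sorted(fixes, key=parse_version)


def summarize(vuln, name, ecosystem):
    """The fields the story asked for: aliases (CVE ids), CVSS vectors, fixes."""
    return {
        "id": vuln.get("id"),
        "aliases": vuln.get("aliases", []),
        "cvss": [s.get("score") for s in vuln.get("severity", [])],
        "fixed_in": fix_versions(vuln, name, ecosystem),
    }


def fetch_vuln(vuln_id):
    """Live lookup through the /v1/vulns endpoint shown in the post (network)."""
    with urllib.request.urlopen(OSV_VULN_URL + vuln_id, timeout=15) as resp:
        return json.load(resp)


# Constructed sample shaped like an OSV record; the package and ids are made up.
SAMPLE_VULN = {
    "id": "EXAMPLE-0001",
    "aliases": ["CVE-0000-0000"],
    "summary": "Constructed example advisory for foo-http",
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
    "affected": [{
        "package": {"name": "foo-http", "ecosystem": "PyPI"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "0"}, {"fixed": "1.4.2"},
            {"introduced": "2.0.0"}, {"fixed": "2.0.5"},
        ]}],
    }],
}

if __name__ == "__main__":
    for ver in ("1.3.0", "1.4.2", "2.0.1", "2.0.5"):
        state = "affected" if version_is_affected(SAMPLE_VULN, "foo-http", "PyPI", ver) else "ok"
        print(f"foo-http {ver}: {state}")
    print(summarize(SAMPLE_VULN, "foo-http", "PyPI"))
```

Passing `version` in the query (as `check_package` allows) makes OSV do this interval check server-side; the offline evaluation is still useful for records you have cached, for reporting the exact fix version, and for sanity-checking results when a package appears under several ecosystems.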

No API Key, No Rate Limits

| Feature    | OSV.dev        | NVD       | Snyk     |
|------------|----------------|-----------|----------|
| API key    | Not needed     | Required  | Required |
| Rate limit | None (be nice) | 50/30 sec | 100/min  |
| Ecosystems | 20+            | All CVEs  | 10+      |
| Speed      | Fast           | Slow      | Fast     |
| Cost       | Free           | Free      | Freemium |

Supported Ecosystems

  • Python: PyPI
  • JavaScript: npm
  • Go: Go modules
  • Rust: crates.io
  • Java: Maven
  • Ruby: RubyGems
  • Linux: Debian, Alpine, Ubuntu
  • C/C++: OSS-Fuzz
  • And more...

Build a CI/CD Security Gate

# In your CI pipeline — check requirements.txt
pip install pip-audit
pip-audit -r requirements.txt --desc --fix

# Or use OSV-Scanner directly
# https://github.com/google/osv-scanner
osv-scanner --lockfile=package-lock.json
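If you would rather own the gate logic than depend on pip-audit or osv-scanner, the querybatch endpoint from the API section is all you need. The script below is an added example, not the post's code: it reads the `==` pins from a requirements.txt, sends them in one querybatch call with the exact version (so only advisories affecting that release come back), and exits non-zero on any hit. `SAMPLE_REQUIREMENTS` and `SAMPLE_RESPONSE` are constructed so the parsing and gate decision run offline; only `query_osv` touches the network. The pairing in `failing_packages` relies on querybatch returning `results` in the same order as `queries`.

```python
import json
import re
import sys
import urllib.request

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"

# Matches "name==version"; anything else (>=, ~=, URLs) is left unpinned.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.\-+!]+)")


def parse_requirements(text):
    """Return [(name, version)] for exact pins; comments and blanks are skipped.
    Unpinned lines are skipped too, because OSV needs a concrete version to
    decide whether an advisory applies."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1), m.group(2)))
    return pins


def build_querybatch(pins, ecosystem="PyPI"):
    """One querybatch payload covering every pin, with the version included."""
    return {
        "queries": [
            {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
            for name, version in pins
        ]
    }


def failing_packages(pins, response):
    """Pair each result with its query (same order) and collect advisory ids.
    querybatch results carry only id and modified; fetch /v1/vulns/{id} for detail."""
    hits = []
    for (name, version), res in zip(pins, response.get("results", [])):
        ids = [v["id"] for v in res.get("vulns", [])]
        if ids:
            hits.append((name, version, ids))
    return hits


def query_osv(payload):
    """POST the batch to OSV (network); stdlib only, no API key needed."""
    req = urllib.request.Request(
        OSV_BATCH_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample input: made-up package names, not a real project's file.
SAMPLE_REQUIREMENTS = """
# constructed sample requirements.txt
foo-http==1.3.0
bar-web==2.3.2   # trailing comment is ignored
baz-util>=1.26   # not pinned, so skipped
"""

# Constructed sample response shaped like querybatch output (ids are made up).
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"},
                   {"id": "EXAMPLE-0002", "modified": "2024-01-02T00:00:00Z"}]},
        {},
    ]
}


def gate(path):
    """CI entry point: 0 when every pin is clean, 1 when any pin has advisories."""
    with open(path, encoding="utf-8") as f:
        pins = parse_requirements(f.read())
    hits = failing_packages(pins, query_osv(build_querybatch(pins)))
    for name, version, ids in hits:
        print(f"FAIL {name}=={version}: {', '.join(ids)}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(gate(sys.argv[1] if len(sys.argv) > 1 else "requirements.txt"))
```

Run it as a CI step with `python osv_gate.py requirements.txt` (the file name is an assumption); the non-zero exit fails the job. Because only `==` pins are checked, a lockfile-style requirements.txt (for example the output of `pip freeze` or pip-compile) gives full coverage, while a loosely specified one silently leaves packages unchecked, so count the pins against the number of installed packages if that matters to you.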

More security tools: Free Security APIs


How do you audit your dependencies? npm audit, pip-audit, Snyk, or something else? Drop your workflow in the comments!

Follow me for daily free API discoveries and security tools.
