🏆 Officially recognized as an OWASP Incubator Project
Vulnerability scanning that belongs in your terminal — not your CI pipeline.
Scan your lockfile, get copy-and-run fix commands, and ship clean code.
Scan. Understand. Fix.
- 🆓 Free to use: no account, no subscription, no cloud required
- 🏠 Runs locally: scans your lockfile on your machine; nothing leaves your environment
- ⚡ Fast: results in seconds; a local cache keeps rescans near-instant
Most security tooling is designed around pipelines, not people.
Dependabot files PRs you'll get to eventually. CI scanners block merges hours after the fact. Security dashboards surface a list of CVE IDs with no clear path to resolving them. By the time a developer is looking at a scan result, the code has already been reviewed and is waiting to ship.
The feedback loop is too slow to be useful, and too noisy to be trusted. Developers learn to ignore it.
There is also a more fundamental problem: these tools tell you what is vulnerable. Very few tell you what to actually do about it. The result is a gap between detection and remediation that security teams paper over with manual triage, and developers experience as alert fatigue.
CVE Lite CLI is built around a different idea: vulnerability scanning belongs at the developer's terminal, not at the end of a pipeline.
It reads your lockfile locally, queries OSV for advisory data, and produces a concrete remediation plan — not a list of identifiers. You get copy-and-run npm install, pnpm add, yarn add, or bun add commands scoped to your package manager. You see exactly which packages are directly installed versus pulled in transitively. You can scan with no internet connection in restricted-network environments.
The tool is designed for the moment right before you push: fast, honest, and actionable.
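The direct-versus-transitive distinction and the package-manager-scoped fix command described above, as an added example that is not CVE Lite CLI's own code: it walks an npm `lockfileVersion: 3` layout (keys are `node_modules` paths) to find the chain that pulls in a package, and only a direct dependency gets a plain install command. The lockfile, package names and versions are constructed.

```typescript
// Added example, not CVE Lite CLI's own code: classify a finding as a direct or
// transitive dependency from an npm lockfileVersion 3 layout and emit a fix command
// scoped to the package manager. Lockfile, package names and versions are constructed.
type Pkg = { version: string; dependencies?: Record<string, string> };
type LockV3 = { packages: Record<string, Pkg> };
// Constructed package-lock.json: keys are node_modules paths, "" is the root project.
const sampleLock: LockV3 = {
  packages: {
    "": { version: "1.0.0", dependencies: { "app-framework": "^4.0.0" } },
    "node_modules/app-framework": { version: "4.0.0", dependencies: { "parser-lib": "6.7.0" } },
    "node_modules/parser-lib": { version: "6.7.0" },
  },
};
// Where `dep` required from lockfile entry `from` lives: a nested copy wins over the hoisted one.
function resolveKey(lock: LockV3, from: string, dep: string): string | null {
  const nested = from ? `${from}/node_modules/${dep}` : `node_modules/${dep}`;
  if (lock.packages[nested]) return nested;
  return lock.packages[`node_modules/${dep}`] ? `node_modules/${dep}` : null;
}
// Depth-first walk from the root; returns the first dependency chain that reaches `target`.
function dependencyPath(lock: LockV3, target: string): string[] | null {
  const seen: Record<string, true> = {};
  const walk = (key: string, trail: string[]): string[] | null => {
    if (seen[key]) return null;
    seen[key] = true;
    for (const dep of Object.keys(lock.packages[key]?.dependencies ?? {})) {
      const next = trail.concat(dep);
      if (dep === target) return next;
      const child = resolveKey(lock, key, dep);
      const found = child ? walk(child, next) : null;
      if (found) return found;
    }
    return null;
  };
  return walk("", []);
}
function isDirect(lock: LockV3, target: string): boolean {
  return target in (lock.packages[""]?.dependencies ?? {});
}
// A direct dependency gets a plain install; a transitive one needs its direct parent
// upgraded (or an override), which is why --fix leaves transitive findings alone.
function fixCommand(pm: "npm" | "pnpm" | "yarn" | "bun", lock: LockV3, target: string, fixed: string): string {
  const verb = { npm: "npm install", pnpm: "pnpm add", yarn: "yarn add", bun: "bun add" }[pm];
  if (isDirect(lock, target)) return `${verb} ${target}@${fixed}`;
  const chain = dependencyPath(lock, target) ?? [target];
  return `# transitive (${chain.join(" > ")}): upgrade ${chain[0]} or add an override for ${target}@${fixed}`;
}
```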
```bash
npm install -g cve-lite-cli
cve-lite /path/to/project
```

Or one-off with npx:

```bash
npx cve-lite-cli /path/to/project
```

No account. No configuration. No source code leaves your machine.
- Produces copy-and-run fix commands — every finding comes with a package-manager-aware install command you can run immediately
- Distinguishes direct from transitive risk — shows whether the vulnerability is in something you installed or buried three levels deep in a dependency chain
- Usage-aware reachability — optionally uses static analysis to detect whether vulnerable packages are actually imported in your code, cutting noise with `--usage` and `--only-used`
- Offline advisory DB — sync advisory data ahead of time and scan with zero runtime API calls, designed for enterprise and air-gapped environments
- Interactive HTML report — generate a self-contained dashboard with severity cards, a searchable findings table, and copy-ready fix commands (`--report`)
- Auto-fix mode — apply validated direct dependency fixes and rescan automatically (`--fix`)
- CI-ready — `--fail-on high` exits non-zero on findings at or above a severity threshold; a first-party GitHub Action is available on the Marketplace
- Minimal footprint — four runtime dependencies, intentionally kept small for a security tool
| Terminal output | HTML dashboard (`--report`) |
|---|---|
| Default scan output · verbose output guide | Generated with `--report` · HTML report guide |
CVE Lite CLI fits at every stage of the development workflow, not just CI.
Local development — run a scan before opening a PR. The default output is fast and minimal. --verbose adds the full fix plan with dependency paths and prioritized remediation commands. --report opens an interactive HTML dashboard.
CI pipelines — use --fail-on high to gate builds on severity. JSON output (--json) integrates with SIEM, dashboards, and custom automation. SARIF output is on the roadmap for direct integration with GitHub Security.
Restricted and enterprise environments — sync the advisory database ahead of time with cve-lite advisories sync, then scan offline with --offline. No runtime outbound calls during the scan. Syncing ~217,065 advisory records completes in under 9 seconds.
GitHub Actions — a first-party action is available on the Marketplace:
```yaml
- uses: OWASP/cve-lite-cli@v1
  with:
    verbose: "true"
    fail-on: high
```

CVE Lite CLI scans its own dependencies in CI. See self-scan.yml.
For full CI patterns including offline workflows, git hooks, and scripted automation, see the CI and Workflow Integration guide.
| Capability | CVE Lite CLI | npm audit | OSV-Scanner | Snyk CLI | Socket CLI |
|---|---|---|---|---|---|
| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ |
| npm + pnpm + Yarn + Bun support | ✅ | ❌ | ✅ | ✅ | ✅ |
| No account required | ✅ | ✅ | ✅ | ❌ | ❌ |
| Free to use | ✅ | ✅ | ✅ | ❌ | ❌ |
| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ✅ | |
| Direct vs transitive visibility | ✅ | ✅ | ✅ | ✅ | |
| Copy-and-run fix commands | ✅ | ❌ | ❌ | ✅ | |
| Suggested remediation plan | ✅ | ❌ | ✅ | | |
| JSON output | ✅ | ✅ | ✅ | ✅ | ✅ |
| Offline/local advisory DB | ✅ | ❌ | ❌ | ❌ | |

✅ = built-in strength
For detailed per-tool analysis, see Comparison with other tools.
CVE Lite CLI has been evaluated against real open-source projects to verify that it surfaces meaningful issues — including non-obvious transitive vulnerabilities and complex upgrade paths — not just low-signal advisory matches.
- OWASP Juice Shop — scanning a deliberately vulnerable application with known dependency issues
- NestJS — working through a real transitive dependency remediation sequence across a widely-used Node.js framework
- Analog — scanning a modern pnpm v9 Angular monorepo (3,367 packages) with unexpected toolchain vulnerabilities
These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.
If you maintain an open-source JavaScript or TypeScript project and want CVE Lite CLI evaluated on it, open an issue and share the repository. Strong candidates may be turned into future public case studies.
CVE Lite CLI is an OWASP Incubator Project, peer-reviewed and maintained under the Open Web Application Security Project Foundation. Being part of OWASP means:
- Peer-reviewed by security professionals
- Community-driven development and governance
- Vendor-neutral with no commercial platform required
- Open source with transparent security practices and a minimal dependency footprint
Where it fits in the OWASP ecosystem:
CVE Lite CLI fills a specific gap — fast, local-first JS/TS dependency scanning close to release time — that broader OWASP tools are not optimized for:
| Tool | Focus |
|---|---|
| CVE Lite CLI | Lockfile-first, local developer CLI, remediation-focused, JS/TS |
| OWASP Dependency-Check | Multi-language, SAST-style, broader ecosystem |
| OWASP dep-scan | Multi-language and environment, SBOM and cloud-native |
| OWASP Dependency-Track | Platform and SBOM management, not a local CLI |
CVE Lite CLI complements these tools. It is not a replacement for continuous monitoring or full SBOM management — it is the fast local check you run before pushing.
Security tooling has optimized heavily for breadth of detection and compliance reporting. That is useful at the platform level. It is the wrong model for the individual developer trying to ship clean code before end of day.
Detection without remediation creates work without resolution. A vulnerability report that ends with a list of CVE IDs shifts the burden entirely onto the developer: look up each advisory, figure out which version is safe, work out whether it is a direct or transitive dependency, and construct the right install command by hand. That friction is why security findings go unresolved.
CVE Lite CLI is built on the premise that the closer a security tool is to the developer's natural workflow, the more likely it is to be used — and that a tool that surfaces a problem alongside the fix is more valuable than one that only surfaces the problem.
The CLI is the foundation. The model — local-first, actionable, developer-native — extends naturally beyond the terminal.
JSON and SARIF outputs make findings consumable by editors, dashboards, and automated workflows today. The next phase of the project is oriented around tighter developer integration: surfacing vulnerabilities at the point of dependency installation, not just at scan time; deeper IDE integration; and team-level visibility without requiring a cloud platform.
See roadmap.md for the current plan.
```bash
# Basic scan
cve-lite /path/to/project
# Show all findings
cve-lite /path/to/project --all
# Focus on urgent findings only
cve-lite /path/to/project --min-severity high
# Full output: fix plan, paths, and complete table
cve-lite /path/to/project --verbose
# Apply validated direct dependency fixes and rescan
cve-lite /path/to/project --fix
# Production dependencies only (where supported by the lockfile)
cve-lite /path/to/project --prod-only
# Fail a build on high severity and above
cve-lite /path/to/project --fail-on high
# JSON output
cve-lite /path/to/project --json
# Generate an HTML vulnerability dashboard (opens in browser automatically)
cve-lite /path/to/project --report
cve-lite /path/to/project --report ./my-report --no-open
# Scan project source files to check if vulnerable dependencies are actually imported
cve-lite /path/to/project --usage
# Filter out noise by only showing vulnerabilities in packages that are imported in your source code
cve-lite /path/to/project --usage --only-used
# Sync the local advisory DB for offline scans
cve-lite advisories sync
# Scan with zero runtime advisory API calls
cve-lite /path/to/project --offline
# Use a specific local advisory DB file
cve-lite /path/to/project --offline-db /path/to/advisories.db
# Use a custom advisory endpoint
cve-lite /path/to/project --osv-url https://security.company.internal/osv
# Show version
cve-lite --version
```

CVE Lite CLI is designed to be fast. Scanning a lockfile is nearly instantaneous, whereas running static reachability analysis across thousands of source files takes significantly more time. Static analysis can also produce false negatives when packages are used in build scripts or dynamically imported at runtime. Making `--usage` opt-in ensures the default lockfile scan remains instant and strictly reflects your dependency graph, while giving you the option to aggressively filter out unreachable noise when triaging findings.
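A minimal version of the static import check that `--usage` performs, added here as an illustration and not CVE Lite CLI's own implementation: it maps import specifiers (including scoped packages and subpath imports) to package names, applies an `--only-used` style filter to findings, and counts the dynamic `require(expr)` / `import(expr)` specifiers it cannot resolve, which is the false-negative case the paragraph above describes. The source snippets and package names are constructed.

```typescript
// Added example, not CVE Lite CLI's own code: a minimal static import scan of the
// kind --usage performs, plus a count of dynamic specifiers it cannot resolve
// (the false-negative case above). Source snippets and package names are constructed.
// Static import/export-from, require("...") and import("...") specifiers.
const SPEC_RE = /(?:\b(?:import|export)\b[^'"`;]*?\bfrom\s*|\bimport\s*(?=['"])|\b(?:require|import)\s*\(\s*)(['"])([^'"]+)\1/;
// "@scope/pkg/sub" -> "@scope/pkg"; "pkg/sub" -> "pkg"; relative, absolute and node: specifiers -> null.
function packageName(spec: string): string | null {
  if (/^(\.|\/|node:)/.test(spec)) return null;
  const parts = spec.split("/");
  return spec.charAt(0) === "@" ? parts.slice(0, 2).join("/") : parts[0];
}
function importedPackages(source: string): string[] {
  const seen: Record<string, true> = {};
  const re = new RegExp(SPEC_RE.source, "g"); // fresh lastIndex state per call
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const name = packageName(m[2] ?? "");
    if (name) seen[name] = true;
  }
  return Object.keys(seen);
}
// require(variable) or import(expr) cannot be resolved statically; surface the count so
// a "not used" verdict for this file can be treated as uncertain rather than final.
function dynamicImportCount(source: string): number {
  return (source.match(/\b(?:require|import)\s*\(\s*(?!['"])[^)]/g) ?? []).length;
}
type Finding = { pkg: string; severity: string };
// The --only-used filter: keep findings whose package some source file imports.
function onlyUsed(findings: Finding[], sources: string[]): Finding[] {
  const used: Record<string, true> = {};
  for (const s of sources) for (const p of importedPackages(s)) used[p] = true;
  return findings.filter(f => used[f.pkg] === true);
}
// Constructed source files.
const sources = [
  'import express from "express";\nimport { parse } from "@scope/parser-lib/dist/index.js";',
  "const qs = require('query-helper');\nconst plugin = require(pluginName); // dynamic",
  'export { x } from "./local";\nconst lazy = await import("lazy-pkg");',
];
```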
`--fix` applies validated direct dependency fixes using your project's package manager, then rescans automatically.

In the current version it:

- applies only direct dependency fixes with a validated lowest known non-vulnerable target
- uses `npm install`, `pnpm add`, `yarn add`, or `bun add` based on your lockfile
- rescans automatically after applying fixes
- does not auto-apply transitive overrides or guarantee application compatibility

```bash
npx cve-lite-cli /path/to/project --fix
```

See the Fix mode guide for output details and interpretation.
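What "lowest known non-vulnerable target" means in OSV terms, as an added example that is not CVE Lite CLI's code: it evaluates OSV `affected` ranges (`introduced` / `fixed` / `last_affected` events) against an installed version and picks the lowest `fixed` version that no advisory for the package still covers. The advisory ids, package name and versions are constructed.

```typescript
// Added example, not CVE Lite CLI's own code: evaluate OSV "affected" ranges for
// an installed version and pick the lowest known non-vulnerable target, the same
// decision --fix has to make. Advisory ids, package name and versions are constructed.
type OsvEvent = { introduced?: string; fixed?: string; last_affected?: string };
type OsvRange = { type: string; events: OsvEvent[] };
type Affected = { package: { ecosystem: string; name: string }; ranges?: OsvRange[] };
type Advisory = { id: string; affected: Affected[] };
// Minimal semver compare: numeric major.minor.patch; a prerelease sorts below its release.
function cmp(a: string, b: string): number {
  const parse = (v: string) => { const [core, pre = ""] = v.split("-"); return { n: core.split(".").map(Number), pre }; };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if ((x.n[i] ?? 0) !== (y.n[i] ?? 0)) return (x.n[i] ?? 0) - (y.n[i] ?? 0);
  if (x.pre === y.pre) return 0;
  return x.pre === "" ? 1 : y.pre === "" ? -1 : x.pre < y.pre ? -1 : 1;
}
// OSV events are ordered: "introduced" opens a window that the next "fixed" (exclusive)
// or "last_affected" (inclusive) closes; an unclosed window is open-ended.
function isAffected(adv: Advisory, name: string, version: string): boolean {
  for (const a of adv.affected) {
    if (a.package.ecosystem !== "npm" || a.package.name !== name) continue;
    for (const r of a.ranges ?? []) {
      if (r.type !== "SEMVER" && r.type !== "ECOSYSTEM") continue;
      let open: string | null = null;
      for (const e of r.events) {
        if (e.introduced !== undefined) { open = e.introduced; continue; }
        if (open === null) continue;
        const inWindow = e.fixed !== undefined ? cmp(version, e.fixed) < 0 : e.last_affected !== undefined ? cmp(version, e.last_affected) <= 0 : false;
        if (cmp(version, open) >= 0 && inWindow) return true;
        open = null;
      }
      if (open !== null && cmp(version, open) >= 0) return true;
    }
  }
  return false;
}
// Lowest "fixed" version at or above the installed one that no advisory for the
// package still covers: a naive "first fixed" can land inside another advisory's window.
function lowestSafeTarget(advs: Advisory[], name: string, installed: string): string | null {
  const fixed: string[] = [];
  for (const adv of advs) for (const a of adv.affected) if (a.package.name === name)
    for (const r of a.ranges ?? []) for (const e of r.events) if (e.fixed !== undefined) fixed.push(e.fixed);
  const safe = fixed.filter(v => cmp(v, installed) >= 0 && !advs.some(adv => isAffected(adv, name, v)));
  return safe.sort(cmp)[0] ?? null;
}
// Constructed advisories with placeholder ids (not real CVE or GHSA identifiers).
const advisories: Advisory[] = [
  { id: "EXAMPLE-0001", affected: [{ package: { ecosystem: "npm", name: "parser-lib" },
    ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "6.7.3" }] }] }] },
  { id: "EXAMPLE-0002", affected: [{ package: { ecosystem: "npm", name: "parser-lib" },
    ranges: [{ type: "SEMVER", events: [{ introduced: "6.5.0" }, { fixed: "6.9.0" }] }] }] },
];
```

With the constructed advisories, the first fixed version (6.7.3) still falls inside the second advisory's window, so the validated target for an installed 6.7.0 is 6.9.0, not 6.7.3.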
Generate a self-contained HTML dashboard from any scan — severity cards, an interactive findings table with search, copy-ready fix commands, and breaking-change indicators on upgrades — all written to a local directory and opened automatically in your browser.
```bash
cve-lite /path/to/project --report
cve-lite /path/to/project --report ./my-report --no-open
```

See the HTML Report guide for the full option reference and output details.
For teams in enterprise, restricted-network, or air-gapped environments:
```bash
# Sync advisory data locally
cve-lite advisories sync
# Scan with no runtime API calls
cve-lite . --offline
```

Syncing ~217,065 advisory records runs in under 9 seconds after bulk SQLite ingestion optimizations — roughly 9.9x faster than the initial implementation.
See the Offline Advisory DB guide for the full workflow including CI, scheduled refresh, and controlled-network patterns.
CVE Lite CLI is a good fit for:
- Independent developers and OSS maintainers — quick pre-release check without any platform overhead
- Startups and small teams — lightweight CI gate at no cost
- Consultants — run a scan on a client project in seconds, with a clear fix plan to hand over
- Enterprise teams with restricted networks — offline advisory DB workflow removes the need for runtime outbound calls during scans
- Teams running npm, pnpm, Yarn, and Bun — unified scanning across all four package managers in one tool
See the CI and Workflow Integration guide for concrete patterns across these scenarios.
- does not detect malicious packages before they appear in advisory data
- does not perform behavioral malware detection or package content analysis
- does not prove exploitability or verify runtime reachability
- does not scan container images, binaries, secrets, or IaC
- does not replace a full application security program
- currently focused on JS/TS dependency scanning
- local advisory sync performance will need continued optimization as the advisory dataset grows
Runtime: yaml · yarn-lockfile · better-sqlite3 · fflate
Dev only: @types/node · tsx · typescript
This is intentional. Because CVE Lite CLI is a security-oriented tool, runtime dependencies are kept minimal and reviewable.
See roadmap.md for the full plan. Phases 1 and 2 are complete. Phase 3 (ecosystem coverage: Bun, Deno, parser improvements) is in progress.
See troubleshooting.md for common issues: no lockfile found, zero results, slow advisory sync, offline DB errors, --fix skipping findings, and CI failures.
See parser-coverage.md for supported lockfile formats, selection priority, the package.json fallback, and known edge cases including monorepos and private registries.
Feedback on output clarity, remediation guidance, ecosystem coverage, and CI usage is especially valuable.
See CONTRIBUTING.md to get started.
If you use CVE Lite CLI in your project, add this badge to your README:
[OWASP CVE Lite CLI](https://github.com/OWASP/cve-lite-cli)

For bug reports and feature requests: GitHub Issues
Helpful feedback includes reproducible bug reports, real-world lockfile edge cases, ideas for clearer output and remediation guidance, and CI or JSON workflow examples.
For security-related reporting: SECURITY.md
If CVE Lite CLI helps your release workflow, a GitHub star helps more developers find it.
Most tools tell you what's wrong. CVE Lite CLI tells you what to run.
MIT