Skip to content

OWASP/cve-lite-cli

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

Most tools tell you what's wrong. CVE Lite CLI tells you what to run.

OWASP Lab Project npm version npm downloads CI GitHub Marketplace License Protected by CVE Lite CLI OpenSSF Best Practices

CVE Lite CLI — An OWASP Foundation Project

CVE Lite CLI

🏆 Officially recognized as an OWASP Lab Project

Vulnerability scanning that starts in your terminal and fits cleanly into CI.
Scan your lockfile, get copy-and-run fix commands, and ship clean code.

Scan. Understand. Fix.


🏆 🎯 🔒
OWASP Lab Project
Peer-reviewed by the org behind the OWASP Top 10 —
the security standard followed by millions of developers
Remediation-first
Validated fix commands + parent-aware
transitive guidance — not just CVE IDs
Runs locally
Nothing leaves your machine — not your
code, not your dependency tree

Quick StartUsageScreenshotsHTML ReportCompareRoadmapContributingJoin Slack


Package Managers

npm
npm
pnpm
pnpm
Yarn
Yarn
Bun
Bun

Quick start

npm install -g cve-lite-cli
cve-lite /path/to/project

Or one-off with npx:

npx cve-lite-cli /path/to/project

No account. No configuration. No source code leaves your machine.

Usage

cve-lite /path/to/project                   # basic scan
cve-lite /path/to/project --verbose         # full fix plan with dependency paths
cve-lite /path/to/project --fix             # apply validated direct fixes and rescan
cve-lite /path/to/project --fail-on high    # exit non-zero on high severity and above
cve-lite /path/to/project --json            # JSON output
cve-lite /path/to/project --sarif           # SARIF output for GitHub Code Scanning
cve-lite /path/to/project --report          # interactive HTML dashboard
cve-lite /path/to/project --check-overrides # audit override hygiene (OA001-OA008)
cve-lite advisories sync                    # sync advisory DB for offline use
cve-lite /path/to/project --offline         # scan with no runtime API calls

For the full flag reference and exit codes see the CLI Reference guide and Fix mode guide.

Override hygiene (overrides)

overrides and resolutions are powerful, but they rot. --check-overrides audits them across npm, pnpm, yarn, and bun, catching eight classes of problem:

Rule What it catches
OA001 Orphaned target: override for a package no longer in the tree
OA002 Floating tag: override pinned to a moving tag (latest, next)
OA003 Wrong section: override placed in the wrong container
OA004 Surpassed pin: the rest of the tree has moved past the pin
OA005 Nested ineffective override that never applies
OA006 Coupled platform binary: override fights a parent's exact pin
OA007 Frozen latest: registry has drifted past the pinned version (needs --check-network)
OA008 Materialized vulnerable copy still on disk despite the override
cve-lite /path/to/project --check-overrides       # audit
cve-lite /path/to/project --check-overrides --fix # audit and auto-fix where possible

For the full guide with per-rule examples and CI patterns, see the Override Hygiene Auditing guide.

What it looks like

Terminal output HTML dashboard (--report)
CVE Lite CLI terminal output CVE Lite CLI HTML dashboard
Default scan output · output guide Generated with --report · HTML report guide
Verbose terminal output — includes the full fix plan

Verbose output part 1 Verbose output part 2 Verbose output part 3

Why CVE Lite CLI

Most security tooling is built around pipelines, not developers. Dependabot opens PRs you'll get to eventually. CI scanners block merges after the fact. Dashboards surface lists of CVE IDs with no clear path to fixing them. Developers learn to ignore it.

CVE Lite CLI is built for the moment before you push. It reads your lockfile locally, queries OSV, and produces copy-and-run npm install, pnpm add, yarn add, or bun add commands — not a list of identifiers. You see which packages are direct versus transitive, get parent-aware upgrade guidance, and can scan offline in restricted environments.

The closer a security tool is to a developer's natural workflow, the more likely it is to be used.

How it compares

No other free tool combines all of the following: lockfile scanning across npm, pnpm, Yarn, and Bun; parent-aware transitive remediation that tells you which package to upgrade (not just which one is vulnerable); fix version validation before suggesting an upgrade; and a fully offline advisory DB for restricted environments.

Capability CVE Lite CLI npm audit OSV-Scanner Snyk CLI Socket CLI
JS/TS lockfile scanning
npm + pnpm + Yarn + Bun support
No account required
Free to use
Usage-aware reachability scanning ⚠️
Direct vs transitive visibility ⚠️
Dev vs runtime dependency labelling ⚠️ ⚠️
Copy-and-run fix commands ⚠️
Transitive parent update guidance ⚠️ ⚠️ ⚠️
Suggested remediation plan ⚠️ ⚠️
Ratcheting mode (baseline suppression) ⚠️
Interactive HTML report
SARIF / GitHub Code Scanning output
JSON output
Offline/local advisory DB ⚠️
Override hygiene auditing

✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength

The transitive parent guidance is a key difference: CVE Lite CLI avoids recommending direct installs for packages that are only present transitively. For npm lockfiles, it can identify when npm update <parent> is enough to re-resolve a known non-vulnerable child within the current parent range, and when the parent package itself needs an upgrade.

For detailed per-tool analysis, see Comparison with other tools.

Replace Dependabot with one batched PR

CVE Lite CLI v1.26.0 ships a GitHub Action fix mode that runs on a schedule and opens a single batched pull request with all validated dependency upgrades - advisory IDs, before/after finding counts, and OSV-confirmed fix versions included.

Add this file to your repo:

# .github/workflows/cve-lite-fix.yml
name: CVE Lite security fixes
on:
  schedule:
    - cron: '0 6 * * 1'  # every Monday at 6am
  workflow_dispatch:
permissions:
  contents: write
  pull-requests: write
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}
      - uses: OWASP/cve-lite-cli@v1
        with:
          fix: 'true'
          create-pr: 'true'
Dependabot CVE Lite fix mode
PRs per run One per package One batched PR
Advisory IDs in PR body No Yes (GHSA-xxxx, CVE-xxxx)
Fix version validated against OSV No Yes
Before/after finding counts No Yes
pnpm / Yarn Berry / Bun Limited Full native support
OWASP recognition No OWASP Lab Project

Full Action documentation -> - for scan-only CI gating see the CI and Workflow Integration guide.

Real-world validation

CVE Lite CLI has been evaluated against real open-source projects to verify that it surfaces meaningful issues - including non-obvious transitive vulnerabilities and complex upgrade paths - not just low-signal advisory matches.

  • OWASP Juice Shop - scanning a deliberately vulnerable application with known dependency issues
  • NestJS - working through a real transitive dependency remediation sequence across a widely-used Node.js framework
  • Visual Studio Code - two direct Anthropic SDK advisories and a high-severity gulp toolchain chain in the VS Code root lockfile
  • Gatsby - Yarn Classic monorepo with 128 findings, five direct CVEs, and CVE Lite vs yarn audit deduplication
  • Analog - modern pnpm Angular monorepo with unexpected toolchain vulnerabilities

20+ case studies across npm, pnpm, Yarn, and Bun projects ->

In-repo lockfile fixtures for most projects live under examples/ - clone and scan immediately without downloading full upstream checkouts.

These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.

If you maintain an open-source JavaScript or TypeScript project and want CVE Lite CLI evaluated on it, open an issue and share the repository.

Press

Full press coverage ->

Recognized by OWASP

OWASP (Open Web Application Security Project) is the globally recognized nonprofit behind the security standards followed by millions of developers worldwide - most notably the OWASP Top 10, the most widely cited web application security reference in the industry. Organizations from startups to Fortune 500 companies use OWASP guidelines as the foundation of their security programs.

CVE Lite CLI is an OWASP Lab Project - reviewed and accepted by the OWASP community as a vendor-neutral, open source security tool.

Where it fits in the OWASP ecosystem:

CVE Lite CLI fills a specific gap - fast, local-first JS/TS dependency scanning close to release time - that broader OWASP tools are not optimized for:

Tool Focus
CVE Lite CLI Lockfile-first, local developer CLI, remediation-focused, JS/TS
OWASP Dependency-Check Multi-language, SAST-style, broader ecosystem
OWASP dep-scan Multi-language and environment, SBOM and cloud-native
OWASP Dependency-Track Platform and SBOM management, not a local CLI

CVE Lite CLI complements these tools. It is not a replacement for continuous monitoring or full SBOM management - it is the fast local check you run before pushing.

Community and adoption

CVE Lite CLI is used in production across organizations and independent developers in multiple countries. Confirmed users span government digital services, enterprise engineering platforms, open-source libraries, and security education.

Notable adopters include:

  • DINUM (France) - integrated across four French government digital service repositories, including official AI training infrastructure for civil servants
  • DGAFP (France) - Ministry for Civil Service, used as a pre-commit hook on a public-sector HR chatbot
  • Government of British Columbia (Canada) - running as a required merge gate alongside Trivy at the Ministry of Citizens' Services
  • Valibot and Formish - integrated as a GitHub Action and dev script with branch protection

Current limitations

  • does not detect malicious packages before they appear in advisory data
  • does not perform behavioral malware detection or package content analysis
  • does not prove exploitability or verify runtime reachability
  • does not scan container images, binaries, secrets, or IaC
  • does not replace a full application security program
  • currently focused on JS/TS dependency scanning
  • local advisory sync performance will need continued optimization as the advisory dataset grows

Dependency footprint

Runtime: yaml · yarn-lockfile · better-sqlite3 · fflate

Dev only: @types/node · tsx · typescript

This is intentional. Because CVE Lite CLI is a security-oriented tool, runtime dependencies are kept minimal and reviewable.

More documentation

  • Troubleshooting guide - no lockfile found, zero results, slow advisory sync, offline DB errors, --fix skipping findings, CI failures
  • Parser Coverage guide - supported lockfile formats, selection priority, package.json fallback, monorepos, private registries
  • Remediation Strategy guide - how CVE Lite CLI chooses upgrade targets and parent update paths

Security and verification

Every release is signed - GPG-signed git tags for source, Sigstore Artifact Attestations for the release tarball, and ECDSA signatures via the npm registry. Verify with:

gh attestation verify cve-lite-cli-X.Y.Z.tgz --repo OWASP/cve-lite-cli
npm audit signatures

For full details, fingerprints, and the project's threat model, see SECURITY.md and the Security Assurance Case.

For governance details - roles, decision-making, and dispute resolution - see CONTRIBUTING.md.

Contributing

Feedback on output clarity, remediation guidance, ecosystem coverage, and CI usage is especially valuable.

See CONTRIBUTING.md to get started.

Add a badge to your project

If you use CVE Lite CLI in your project, add this badge to your README:

[![Protected by CVE Lite CLI](https://img.shields.io/badge/Protected_by-CVE_Lite_CLI-brightgreen)](https://github.com/OWASP/cve-lite-cli)

Protected by CVE Lite CLI

Community and support

For bug reports and feature requests: GitHub Issues

Helpful feedback includes reproducible bug reports, real-world lockfile edge cases, ideas for clearer output and remediation guidance, and CI or JSON workflow examples.

Using CVE Lite CLI at your company or in your projects? Share your use case in the community thread.

For security-related reporting: SECURITY.md

This project follows a Code of Conduct. Please review it before participating.

If CVE Lite CLI helps your release workflow, a GitHub star helps more developers find it.

Contributors

Thanks to everyone who helps improve CVE Lite CLI - issues, pull requests, documentation, case studies, and real-world lockfile feedback all count.

Contributors to OWASP/cve-lite-cli

Avatar grid generated from the GitHub contributors graph via contrib.rocks.

New here? See CONTRIBUTING.md to get started, and review the Code of Conduct before participating.


Maintainer note: CVE Lite CLI is an OWASP Lab Project maintained by Sonu Kapoor. The goal is to build a tool the security and developer community trusts and returns to - not a product that requires vendor lock-in or a dashboard to be useful. If you find a real-world lockfile edge case, a remediation gap, or a workflow that doesn't fit, open an issue. Real-world feedback from real projects is the most valuable input this project gets. See CONTRIBUTING.md for how to get involved.


License

MIT - built in public and maintained as an OWASP Foundation Project by Sonu Kapoor.

About

Fast, developer-friendly JS/TS dependency vulnerability scanner with local lockfile scanning, OSV matching, direct vs transitive visibility, --fix, JSON output, and practical remediation guidance.

Topics

Resources

License

Code of conduct

Contributing

Stars

Watchers

Forks

Sponsor this project

Contributors