
CVE Lite CLI: Open-Source Dependency Vulnerability Scanner

Summary

– CVE Lite CLI, an OWASP Incubator Project, moves dependency vulnerability scanning to the developer’s terminal, providing fix commands for npm, pnpm, Yarn, and Bun.
– The tool runs locally without an account or cloud platform, scanning in seconds against a cached advisory database and distinguishing direct from transitive dependencies.
– Integration is opt-in; teams can run it manually or via scripts, hooks, or CI, with a `--fail-on` flag for severity thresholds and SARIF output for GitHub Code Scanning.
– It queries the Open Source Vulnerabilities (OSV) database, which maps advisories to package ecosystems and version ranges, though the tool acknowledges OSV’s limitations.
– In tests on OWASP Juice Shop, CVE Lite CLI reduced findings from 39 to 18 across two passes, clearing high-severity issues and helping separate fixable vulnerabilities from broader dependency decisions.

Dependency vulnerability scanning in JavaScript and TypeScript projects has traditionally been a late-stage activity, triggered only after code is pushed and CI pipelines execute. Developers open pull requests, CI runs, and a security scanner spits out a list of CVE identifiers that must be triaged hours or days after the code was written. CVE Lite CLI, now an officially recognized OWASP Incubator Project, shifts that check directly to the developer’s terminal.

This open-source tool, maintained by Sonu Kapoor, reads a project’s lockfile, queries the Open Source Vulnerabilities (OSV) database, and returns copy-and-run fix commands tailored to the relevant package manager. It supports npm, pnpm, Yarn, and Bun.

Closing the feedback loop earlier

“In many teams, dependency vulnerabilities are first surfaced in CI. That is useful, but it often happens late in the workflow,” Kapoor told Help Net Security. “A developer changes a dependency, pushes the branch, waits for CI, gets a large scanner report, and then has to work backward through the output to understand what changed, whether the vulnerable package is direct or transitive, and what can actually be fixed.”

CVE Lite CLI operates locally with no account, no cloud platform, and no source code leaving the developer’s machine. A scan completes in seconds against a cached advisory database. The output clearly distinguishes direct dependencies from transitive ones, identifies the top-priority fix, and provides the exact install command to apply it. For transitive npm findings, the tool recommends `npm update` when the existing parent range can resolve to a non-vulnerable child, and flags cases where the parent itself needs an upgrade.
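The transitive-fix decision described above, as an added illustration that is not CVE Lite CLI's own code: given the parent's declared caret range, the child's published versions, and an OSV-style affected range, decide whether `npm update` can reach a fixed child or the parent must be upgraded. It assumes caret ranges only and uses constructed sample data.

```python
# Added illustration (not CVE Lite CLI's own code) of the transitive-fix decision
# described above: can `npm update` reach a non-vulnerable child inside the parent's
# declared range, or must the parent itself be upgraded? Caret ranges only; sample data constructed.
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(s: str) -> Version:
    major, minor, patch = (int(p) for p in s.lstrip("v").split("."))
    return (major, minor, patch)

def caret_bounds(rng: str) -> Tuple[Version, Version]:
    """Inclusive lower / exclusive upper bound of an npm caret range:
    ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4."""
    lo = parse_version(rng.lstrip("^"))
    if lo[0] > 0:
        return lo, (lo[0] + 1, 0, 0)
    if lo[1] > 0:
        return lo, (0, lo[1] + 1, 0)
    return lo, (0, 0, lo[2] + 1)

def is_vulnerable(v: Version, events: List[dict]) -> bool:
    """OSV SEMVER events are ascending; the last event at or below v decides.
    "introduced": "0" means vulnerable since the first release."""
    state = False
    for ev in events:
        kind, val = next(iter(ev.items()))
        bound = (0, 0, 0) if val == "0" else parse_version(val)
        if v >= bound:
            state = kind == "introduced"
    return state

def plan_transitive_fix(parent_range: str, available: List[str],
                        events: List[dict]) -> Tuple[str, Optional[str]]:
    """`npm update` resolves the child to the highest published version that
    satisfies the parent's range; if that is still vulnerable, the parent must move."""
    lo, hi = caret_bounds(parent_range)
    resolved = max((v for v in map(parse_version, available) if lo <= v < hi), default=None)
    if resolved is None or is_vulnerable(resolved, events):
        return ("upgrade parent", None)
    return ("npm update", ".".join(map(str, resolved)))

# Constructed sample: child releases and two OSV-style affected ranges.
AVAILABLE_CHILD_VERSIONS = ["1.2.0", "1.3.5", "1.4.2", "2.0.0"]
OSV_EVENTS_FIXED_1_4_2 = [{"introduced": "0"}, {"fixed": "1.4.2"}]
OSV_EVENTS_FIXED_2_0_0 = [{"introduced": "0"}, {"fixed": "2.0.0"}]
```

With the first advisory the parent's `^1.2.0` range already reaches the fixed 1.4.2, so `npm update` suffices; with a fix only in 2.0.0 the range cannot resolve past the vulnerability and the parent itself has to be bumped.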

Kapoor described the design intent in plain terms. “The shift I care about is moving from ‘CI found a large report later’ to ‘the developer gets a clear fix plan locally while the dependency change is still fresh.’”

Integration is opt-in

CVE Lite CLI does not block dependency installation or interrupt development by default. Teams choose where to place the check. It can be run manually, added as a package script, wired into a pre-commit or pre-push hook, or executed in CI through the project’s first-party GitHub Action.

“CVE Lite CLI provides the fast local scanner and the structured output; the team decides where that check belongs in its workflow,” Kapoor said.

For continuous integration, the `--fail-on` flag exits non-zero when findings meet or exceed a severity threshold. SARIF output uploads directly to GitHub Code Scanning, surfacing results in the Security tab and as inline pull request annotations.

OSV as the advisory source

The decision to query OSV reflects the project’s focus on package-and-version-oriented scanning. Kapoor said OSV’s data model fits a lockfile scanner because it maps advisories cleanly to open source package ecosystems and affected version ranges.

He acknowledged the limits of any single source. “I do not think any single advisory source should be treated as perfect. Coverage gaps, timing differences, severity differences, and fixed-version data quality can vary across sources. That is why CVE Lite CLI is explicit in its output that OSV is the advisory source.”

Future work may include clearer alias display, visibility into fixed-version confidence, and cross-referencing additional advisory feeds where it can be done without slowing the tool.

How it performs in the real world

Kapoor said he wanted to see how CVE Lite CLI would perform against real applications with known dependency CVEs, and pointed to OWASP Juice Shop as a representative test because its dependency tree resembles that of real-world JavaScript projects.

According to Kapoor, the tool reduced findings from 39 to 18 across two remediation passes and cleared the high-severity issue, while making upstream dependency risk easier to separate from problems a developer could address locally. “The useful part is helping developers understand which vulnerabilities are direct, which are transitive, which can be fixed now, and which require broader dependency decisions,” Kapoor said.

Offline support and enterprise use

For restricted-network and air-gapped environments, the CLI supports syncing the advisory database ahead of time. Ingesting roughly 217,000 advisory records completes in under nine seconds, which the project says is 9.9 times faster than the initial implementation. Scans then run with no outbound API calls.

CVE Lite CLI also writes AI assistant skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot through the `install-skill` command, letting coding assistants parse scan output and produce remediation plans.

CVE Lite CLI is available for free on GitHub.

(Source: Help Net Security)
