SVS scans a CycloneDX SBOM (JSON) and checks listed software versions against OSV to produce a clean JSON + HTML vulnerability report.
- Professional SBOM input: CycloneDX JSON v1.5 and SPDX JSON 2.3
- Online CVE source: OSV API (aggregates multiple ecosystems)
- Outputs: JSON (machine-friendly) + HTML (human-friendly)
- Create a CycloneDX or SPDX JSON SBOM using your build tooling or CI pipeline.
- Run the scanner:

```bash
svs scan --sbom path/to/sbom.json --out reports
```

Common commands:

```bash
svs scan --sbom examples/sample-sbom.json --out reports
svs summary --latest --dir reports --out svs-summary.md
svs open-report --dir reports
svs demo --out reports
```

Outputs:

```
reports/<sbom-name>_<timestamp>.json
reports/<sbom-name>_<timestamp>.html
reports/<sbom-name>_<timestamp>.sarif.json
```
You can try the included sample:

```bash
svs scan --sbom examples/sample-sbom.json --out reports
```

Or try the SPDX sample:

```bash
svs scan --sbom examples/sample-spdx.json --out reports
```

For a full local demo (scan + summary + open report):

```bash
svs demo --out reports
```

Demo options:

```bash
svs demo --out reports --no-open
svs demo --out reports --min-severity high
svs demo --sbom path/to/your-sbom.json --out reports --summary-out svs-summary.md
svs demo --both-samples --out reports
```

To generate a CycloneDX SBOM for your own project:

```bash
# Python: SBOM of the installed environment
python -m pip install cyclonedx-bom
cyclonedx-py environment --output-format JSON --spec-version 1.5 -o sbom.cdx.json

# Python: SBOM from a requirements file
python -m pip install cyclonedx-bom
cyclonedx-py requirements requirements.txt --output-format JSON --spec-version 1.5 -o sbom.cdx.json

# Node.js: SBOM via npm
npm sbom --sbom-format=cyclonedx --sbom-type=application > sbom.cdx.json
```

- SVS expects components to have `purl` fields for best matching.
- Components without `purl` are reported but skipped from OSV queries.
- Use `--timeout` and `--retries` to tune OSV network behavior.
- Use `--sarif`/`--no-sarif` to toggle SARIF output.
- Use `--min-severity` to filter results (none/low/medium/high/critical).
- PR summary includes upgrade risk labels; SARIF rules include upgrade hints when available.
- Use `svs summary --report <report.json>` or `svs summary --latest --dir reports` to generate the PR summary locally.
- Use `svs open-report --dir reports` (or `--path report.html`) to open the latest HTML report.
- Use `svs demo --out reports` to run a full local demo (scan + summary + open report).
- Demo flags: `--no-open` to skip opening the browser, `--min-severity` to filter results, `--summary-out` to control the summary filename, `--both-samples` to scan CycloneDX + SPDX samples.
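To make the `purl` matching and `--min-severity` rules above concrete, here is an added Python example (not SVS's own code) that pulls purls out of a CycloneDX 1.5 or SPDX 2.3 JSON SBOM, records components that lack a purl so they can be reported but not queried, builds the OSV `querybatch` request body, and applies the severity threshold. The two sample SBOMs are constructed inline and the function names are hypothetical.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample SBOMs (not the project's example files); versions are illustrative.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "in-house-lib", "version": "0.1.0"},  # no purl: reported, not queried
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "lodash", "versionInfo": "4.17.20", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
    ],
})
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]  # same scale as --min-severity

def collect_purls(sbom_text: str) -> Tuple[List[str], List[str]]:
    """Split a CycloneDX 1.5 / SPDX 2.3 JSON SBOM into (purls, skipped name@version)."""
    doc = json.loads(sbom_text)
    purls, skipped = [], []
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            if comp.get("purl"):
                purls.append(comp["purl"])
            else:
                skipped.append(f"{comp.get('name')}@{comp.get('version')}")
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for pkg in doc.get("packages", []):  # SPDX carries the purl as an external reference
            refs = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                    if r.get("referenceType") == "purl"]
            if refs:
                purls.append(refs[0])
            else:
                skipped.append(f"{pkg.get('name')}@{pkg.get('versionInfo')}")
    else:
        raise ValueError("not a CycloneDX or SPDX JSON SBOM")
    return purls, skipped

def build_osv_querybatch(purls: List[str]) -> Dict:
    """Request body for POST https://api.osv.dev/v1/querybatch; a purl that already
    carries '@version' needs no separate 'version' field."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}

def meets_min_severity(severity: str, min_severity: str) -> bool:
    """Apply the --min-severity threshold; unknown severity strings rank as 'none'."""
    rank = SEVERITY_ORDER.index(severity.lower()) if severity.lower() in SEVERITY_ORDER else 0
    return rank >= SEVERITY_ORDER.index(min_severity.lower())
```

Feeding `build_osv_querybatch(purls)` to the OSV batch endpoint returns one result list per query in the same order, which is what lets the skipped components stay visible in the report without a lookup.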
- Code of Conduct: `CODE_OF_CONDUCT.md`
- Contributing guide: `CONTRIBUTING.md`
- Security policy: `SECURITY.md`
- Roadmap: `ROADMAP.md`

- The HTML report includes client-side search, severity filters, a distribution chart, and a top-vulnerabilities table.
The included workflow `.github/workflows/svs-scan.yml` detects the project type and generates a CycloneDX SBOM in CI, runs SVS, uploads the SARIF report to GitHub code scanning, and posts a summary comment on pull requests (including top vulnerabilities and upgrade hints).

- Python projects: `cyclonedx-py` (CycloneDX BOM CLI)
- Node.js projects: `npm sbom` in CycloneDX mode
- Everything else: Anchore SBOM action fallback

By default it writes `sbom.cdx.json`. You can override the SBOM path when triggering the workflow manually via the `sbom_path` input.
- More SBOM formats (SPDX)
- Additional output formats (SARIF)
- Enriched severity analytics