Migrating from osv-scalibr to osv-scanner

This guide is for users who are familiar with osv-scalibr and want to migrate to osv-scanner. It explains how to achieve similar results with osv-scanner.

osv-scanner has integrated osv-scalibr’s inventory collection and vulnerability scanning capabilities. While most of osv-scalibr’s functionalities are available in osv-scanner, the command-line flags and output formats are different.

Command-line Equivalence

The osv-scanner CLI is designed to be more intuitive and user-friendly. Here’s a mapping of common osv-scalibr commands to their osv-scanner equivalents.

Scanning a directory

osv-scalibr:

scalibr --root /path/to/your/project --result result.json

osv-scanner:

osv-scanner /path/to/your/project

Selecting plugins

OSV-Scanner has access to the full list of OSV-Scalibr plugins, though only a well tested subset of them are enabled by default in OSV-Scanner.

In osv-scalibr, you can select which plugins to run using the --extractors, --detectors flags, or alternatively using the --plugins flag.

For a full list of available plugin names, see OSV-Scalibr’s documentation here: https://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md

osv-scalibr:

scalibr --plugins python/pip,go/gomod --detectors go/govulncheck /path/to/your/project

In osv-scanner, you can achieve the same by using the --experimental-plugins flag. This is an experimental feature.

osv-scanner:

osv-scanner --experimental-plugins python/pip,go/gomod,go/govulncheck /path/to/your/project

osv-scanner also allows you to disable default plugins with --experimental-disable-plugins.

For more details on manual plugin selection in osv-scanner, see the manual plugin selection documentation.

Generating SPDX output

osv-scalibr uses the -o flag to specify the output format and file. For example, to generate an SPDX JSON report:

osv-scalibr:

scalibr -o spdx23-json=result.spdx.json /path/to/your/project

osv-scanner uses the --format flag to specify the output format and the output is written to standard output, and a separate --output flag if you wish to save the output into a file.

osv-scanner:

osv-scanner --format spdx-2.3-json /path/to/your/project > result.spdx.json

For more details on osv-scanner output formats, see the output documentation.

Flag Translation Table

osv-scalibr Flag	osv-scanner Flag	Notes
--version	--version	osv-scanner version
--root	[directory] (argument)	osv-scanner scan source [directory]
--result	--output	osv-scanner --output <file>
-o	--format and --output	e.g. osv-scalibr -o spdx23-json=r.json becomes osv-scanner --format spdx-2.3-json --output r.json
--plugins	--experimental-plugins
--extractors	--experimental-plugins
--detectors	--experimental-plugins
--annotators	--experimental-plugins
--ignore-sub-dirs	(no direct equivalent)	osv-scanner is not recursive by default. Use --recursive to enable.
--skip-dirs	Not yet available
--skip-dir-regex	Not yet available
--skip-dir-glob	Not yet available
--max-file-size	Not yet available
--use-gitignore	(default behavior)	Use --no-ignore to disable.
--remote-image	[image] (argument)	osv-scanner scan image [image]
--image-tarball	--archive	osv-scanner scan image --archive [tarball]
--image-local-docker	[image] (argument)	osv-scanner scan image [image] (it will look for local images first)
--image-platform	Not yet available
--gobinary-version-from-content	Not yet available
--govulncheck-db	Not yet available
--spdx-document-name	Not yet available
--spdx-document-namespace	Not yet available
--spdx-creators	Not yet available
--cdx-component-name	Not yet available
--cdx-component-type	Not yet available
--cdx-component-version	Not yet available
--cdx-authors	Not yet available
--verbose	--verbosity	osv-scanner --verbosity <level>, e.g. debug.
--explicit-extractors	(default behavior)
--filter-by-capabilities	(default behavior)	osv-scanner automatically filters plugins.
--windows-all-drives	Not yet available
--offline	--offline
--local-registry	--maven-registry	Only for Maven.