Most tools tell you what's wrong. CVE Lite CLI tells you what to run.
🏆 Officially recognized as an OWASP Lab Project
Vulnerability scanning that starts in your terminal and fits cleanly into CI.
Scan your lockfile, get copy-and-run fix commands, and ship clean code.
Scan. Understand. Fix.
| 🏆 | 🎯 | 🔒 |
| OWASP Lab Project Peer-reviewed by the org behind the OWASP Top 10 — the security standard followed by millions of developers |
Remediation-first Validated fix commands + parent-aware transitive guidance — not just CVE IDs |
Runs locally Nothing leaves your machine — not your code, not your dependency tree |
Quick Start • Usage • Screenshots • HTML Report • Compare • Roadmap • Contributing • Join Slack
npm install -g cve-lite-cli
cve-lite /path/to/projectOr one-off with npx:
npx cve-lite-cli /path/to/projectNo account. No configuration. No source code leaves your machine.
cve-lite /path/to/project # basic scan
cve-lite /path/to/project --verbose # full fix plan with dependency paths
cve-lite /path/to/project --fix # apply validated direct fixes and rescan
cve-lite /path/to/project --fail-on high # exit non-zero on high severity and above
cve-lite /path/to/project --json # JSON output
cve-lite /path/to/project --sarif # SARIF output for GitHub Code Scanning
cve-lite /path/to/project --report # interactive HTML dashboard
cve-lite /path/to/project --check-overrides # audit override hygiene (OA001-OA008)
cve-lite advisories sync # sync advisory DB for offline use
cve-lite /path/to/project --offline # scan with no runtime API callsFor the full flag reference and exit codes see the CLI Reference guide and Fix mode guide.
overrides and resolutions are powerful, but they rot. --check-overrides audits them across npm, pnpm, yarn, and bun, catching eight classes of problem:
| Rule | What it catches |
|---|---|
OA001 |
Orphaned target: override for a package no longer in the tree |
OA002 |
Floating tag: override pinned to a moving tag (latest, next) |
OA003 |
Wrong section: override placed in the wrong container |
OA004 |
Surpassed pin: the rest of the tree has moved past the pin |
OA005 |
Nested ineffective override that never applies |
OA006 |
Coupled platform binary: override fights a parent's exact pin |
OA007 |
Frozen latest: registry has drifted past the pinned version (needs --check-network) |
OA008 |
Materialized vulnerable copy still on disk despite the override |
cve-lite /path/to/project --check-overrides # audit
cve-lite /path/to/project --check-overrides --fix # audit and auto-fix where possibleFor the full guide with per-rule examples and CI patterns, see the Override Hygiene Auditing guide.
| Terminal output | HTML dashboard (--report) |
|---|---|
|
|
| Default scan output · output guide | Generated with --report · HTML report guide |
Most security tooling is built around pipelines, not developers. Dependabot opens PRs you'll get to eventually. CI scanners block merges after the fact. Dashboards surface lists of CVE IDs with no clear path to fixing them. Developers learn to ignore it.
CVE Lite CLI is built for the moment before you push. It reads your lockfile locally, queries OSV, and produces copy-and-run npm install, pnpm add, yarn add, or bun add commands — not a list of identifiers. You see which packages are direct versus transitive, get parent-aware upgrade guidance, and can scan offline in restricted environments.
The closer a security tool is to a developer's natural workflow, the more likely it is to be used.
No other free tool combines all of the following: lockfile scanning across npm, pnpm, Yarn, and Bun; parent-aware transitive remediation that tells you which package to upgrade (not just which one is vulnerable); fix version validation before suggesting an upgrade; and a fully offline advisory DB for restricted environments.
| Capability | CVE Lite CLI | npm audit | OSV-Scanner | Snyk CLI | Socket CLI |
|---|---|---|---|---|---|
| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ |
| npm + pnpm + Yarn + Bun support | ✅ | ❌ | ✅ | ✅ | ✅ |
| No account required | ✅ | ✅ | ✅ | ❌ | ❌ |
| Free to use | ✅ | ✅ | ✅ | ❌ | ❌ |
| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ✅ | |
| Direct vs transitive visibility | ✅ | ✅ | ✅ | ✅ | |
| Dev vs runtime dependency labelling | ✅ | ❌ | ❌ | ||
| Copy-and-run fix commands | ✅ | ❌ | ❌ | ✅ | |
| Transitive parent update guidance | ✅ | ❌ | |||
| Suggested remediation plan | ✅ | ❌ | ✅ | ||
| Ratcheting mode (baseline suppression) | ✅ | ❌ | ❌ | ❌ | |
| Interactive HTML report | ✅ | ❌ | ❌ | ✅ | ❌ |
| SARIF / GitHub Code Scanning output | ✅ | ❌ | ✅ | ✅ | ❌ |
| JSON output | ✅ | ✅ | ✅ | ✅ | ✅ |
| Offline/local advisory DB | ✅ | ❌ | ❌ | ❌ | |
| Override hygiene auditing | ✅ | ❌ | ❌ | ❌ | ❌ |
✅ = built-in strength ·
The transitive parent guidance is a key difference: CVE Lite CLI avoids recommending direct installs for packages that are only present transitively. For npm lockfiles, it can identify when npm update <parent> is enough to re-resolve a known non-vulnerable child within the current parent range, and when the parent package itself needs an upgrade.
For detailed per-tool analysis, see Comparison with other tools.
CVE Lite CLI v1.26.0 ships a GitHub Action fix mode that runs on a schedule and opens a single batched pull request with all validated dependency upgrades - advisory IDs, before/after finding counts, and OSV-confirmed fix versions included.
Add this file to your repo:
# .github/workflows/cve-lite-fix.yml
name: CVE Lite security fixes
on:
schedule:
- cron: '0 6 * * 1' # every Monday at 6am
workflow_dispatch:
permissions:
contents: write
pull-requests: write
jobs:
fix:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.repository.default_branch }}
- uses: OWASP/cve-lite-cli@v1
with:
fix: 'true'
create-pr: 'true'| Dependabot | CVE Lite fix mode | |
|---|---|---|
| PRs per run | One per package | One batched PR |
| Advisory IDs in PR body | No | Yes (GHSA-xxxx, CVE-xxxx) |
| Fix version validated against OSV | No | Yes |
| Before/after finding counts | No | Yes |
| pnpm / Yarn Berry / Bun | Limited | Full native support |
| OWASP recognition | No | OWASP Lab Project |
Full Action documentation -> - for scan-only CI gating see the CI and Workflow Integration guide.
CVE Lite CLI has been evaluated against real open-source projects to verify that it surfaces meaningful issues - including non-obvious transitive vulnerabilities and complex upgrade paths - not just low-signal advisory matches.
- OWASP Juice Shop - scanning a deliberately vulnerable application with known dependency issues
- NestJS - working through a real transitive dependency remediation sequence across a widely-used Node.js framework
- Visual Studio Code - two direct Anthropic SDK advisories and a high-severity gulp toolchain chain in the VS Code root lockfile
- Gatsby - Yarn Classic monorepo with 128 findings, five direct CVEs, and CVE Lite vs
yarn auditdeduplication - Analog - modern pnpm Angular monorepo with unexpected toolchain vulnerabilities
20+ case studies across npm, pnpm, Yarn, and Bun projects ->
In-repo lockfile fixtures for most projects live under examples/ - clone and scan immediately without downloading full upstream checkouts.
These are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.
If you maintain an open-source JavaScript or TypeScript project and want CVE Lite CLI evaluated on it, open an issue and share the repository.
- Sniff out stale AI override advice with this open source CLI - The Register (Thomas Claburn, Senior Reporter), June 2026
- Shift left: How CVE Lite CLI is transforming developer security - SD Times (David Rubinstein, Editor-in-Chief), June 2026
- As AI speeds coding, CVE Lite CLI keeps security deliberately AI-free - CSO Online (Shweta Sharma), May 2026
- CVE Lite CLI: Open-source dependency vulnerability scanner - Help Net Security, May 2026
OWASP (Open Web Application Security Project) is the globally recognized nonprofit behind the security standards followed by millions of developers worldwide - most notably the OWASP Top 10, the most widely cited web application security reference in the industry. Organizations from startups to Fortune 500 companies use OWASP guidelines as the foundation of their security programs.
CVE Lite CLI is an OWASP Lab Project - reviewed and accepted by the OWASP community as a vendor-neutral, open source security tool.
Where it fits in the OWASP ecosystem:
CVE Lite CLI fills a specific gap - fast, local-first JS/TS dependency scanning close to release time - that broader OWASP tools are not optimized for:
| Tool | Focus |
|---|---|
| CVE Lite CLI | Lockfile-first, local developer CLI, remediation-focused, JS/TS |
| OWASP Dependency-Check | Multi-language, SAST-style, broader ecosystem |
| OWASP dep-scan | Multi-language and environment, SBOM and cloud-native |
| OWASP Dependency-Track | Platform and SBOM management, not a local CLI |
CVE Lite CLI complements these tools. It is not a replacement for continuous monitoring or full SBOM management - it is the fast local check you run before pushing.
CVE Lite CLI is used in production across organizations and independent developers in multiple countries. Confirmed users span government digital services, enterprise engineering platforms, open-source libraries, and security education.
Notable adopters include:
- DINUM (France) - integrated across four French government digital service repositories, including official AI training infrastructure for civil servants
- DGAFP (France) - Ministry for Civil Service, used as a pre-commit hook on a public-sector HR chatbot
- Government of British Columbia (Canada) - running as a required merge gate alongside Trivy at the Ministry of Citizens' Services
- Valibot and Formish - integrated as a GitHub Action and dev script with branch protection
- does not detect malicious packages before they appear in advisory data
- does not perform behavioral malware detection or package content analysis
- does not prove exploitability or verify runtime reachability
- does not scan container images, binaries, secrets, or IaC
- does not replace a full application security program
- currently focused on JS/TS dependency scanning
- local advisory sync performance will need continued optimization as the advisory dataset grows
Runtime: yaml · yarn-lockfile · better-sqlite3 · fflate
Dev only: @types/node · tsx · typescript
This is intentional. Because CVE Lite CLI is a security-oriented tool, runtime dependencies are kept minimal and reviewable.
- Troubleshooting guide - no lockfile found, zero results, slow advisory sync, offline DB errors,
--fixskipping findings, CI failures - Parser Coverage guide - supported lockfile formats, selection priority,
package.jsonfallback, monorepos, private registries - Remediation Strategy guide - how CVE Lite CLI chooses upgrade targets and parent update paths
Every release is signed - GPG-signed git tags for source, Sigstore Artifact Attestations for the release tarball, and ECDSA signatures via the npm registry. Verify with:
gh attestation verify cve-lite-cli-X.Y.Z.tgz --repo OWASP/cve-lite-cli
npm audit signaturesFor full details, fingerprints, and the project's threat model, see SECURITY.md and the Security Assurance Case.
For governance details - roles, decision-making, and dispute resolution - see CONTRIBUTING.md.
Feedback on output clarity, remediation guidance, ecosystem coverage, and CI usage is especially valuable.
See CONTRIBUTING.md to get started.
If you use CVE Lite CLI in your project, add this badge to your README:
[](https://github.com/OWASP/cve-lite-cli)For bug reports and feature requests: GitHub Issues
Helpful feedback includes reproducible bug reports, real-world lockfile edge cases, ideas for clearer output and remediation guidance, and CI or JSON workflow examples.
Using CVE Lite CLI at your company or in your projects? Share your use case in the community thread.
For security-related reporting: SECURITY.md
This project follows a Code of Conduct. Please review it before participating.
If CVE Lite CLI helps your release workflow, a GitHub star helps more developers find it.
Thanks to everyone who helps improve CVE Lite CLI - issues, pull requests, documentation, case studies, and real-world lockfile feedback all count.
Avatar grid generated from the GitHub contributors graph via contrib.rocks.
New here? See CONTRIBUTING.md to get started, and review the Code of Conduct before participating.
Maintainer note: CVE Lite CLI is an OWASP Lab Project maintained by Sonu Kapoor. The goal is to build a tool the security and developer community trusts and returns to - not a product that requires vendor lock-in or a dashboard to be useful. If you find a real-world lockfile edge case, a remediation gap, or a workflow that doesn't fit, open an issue. Real-world feedback from real projects is the most valuable input this project gets. See CONTRIBUTING.md for how to get involved.
MIT - built in public and maintained as an OWASP Foundation Project by Sonu Kapoor.


