OSS INDEX
Find Safe Components
OSS Index is a free catalogue of open source components and scanning tools to help developers identify vulnerabilities, understand risk, and keep their software safe.
Sign up today!
Get access to:
- Vulnerability details for your components
- Remediation insights
- Higher rate limits for API and scans
Search millions of components to find any known, publicly disclosed vulnerabilities across a wide range of ecosystems.
Search by name or by coordinates.
Maven
npm
Go
PyPI
NuGet
RubyGems
Cargo
CocoaPods
Composer
Conan
Conda
RPM
Swift
Scan your projects for open source vulnerabilities, and build security into your development toolchain with native tools and integrations. The following scan tools all utilize the OSS Index public REST API.
Java / JVM
JavaScript
- AuditJS scans npm projects
- VS Code plugin
Go
- Nancy scans Golang projects
C/C++
- Cheque scans C/C++ projects
Python 
PHP
- Bach scans Composer projects
Ruby
- Chelsea scans RubyGem projects
Rust
- Cargo Pants scans Cargo projects
R
- oysteR scans R projects
Other
- Sonatype DepShield continuously monitors GitHub projects for vulnerabilities
- Ahab scans apt and yum operating systems
- OWASP Dependency-Check is an SCA utility for scanning project dependencies
- OWASP Dependency-Track is a component analysis platform
- OSS Review Toolkit is a suite of tools to assist with reviewing dependencies
Sonatype Lift installs as a Github app to automatically flag vulnerabilities on every pull request, and reports
findings as comments in code review. Lift catches high-risk issues and screens out likely false-positives,
helping you fix the things you care about most. See what Lift finds in your project.
Need DevSecOps at scale?
OSS Index and the associated tools are and always will be free to the community. The data we gather is derived from public sources, and does not include human curated intelligence nor expert remediation guidance.
Software development teams who want to scale with precise, curated, and highly actionable intelligence across their entire SDLC should check out the Nexus Platform. Release faster while controlling open source risk.
Vet parts early and automatically stop defective open source components from entering your software supply chain
Manage libraries and store artifacts in a universal repository and share them across development teams
Empower teams with precise component intelligence to enforce policies and continuously remediate risk
Identify open source risk and remediate vulnerabilities with precise component intelligence at CI and deployment