A beautiful, zero-config visual CVE dashboard for npm, Python, Go, and Rust.

osv-ui
A beautiful, zero-config visual CVE dashboard for npm, Python, Go, and Rust projects.
One command. No signup. No API key. Runs 100% locally: your code never leaves your machine.
The problem
$ npm audit
# ... 300 lines of this ...
# moderate Regular Expression Denial of Service in semver
# package semver
# patched in >=7.5.2
# ...
# 12 vulnerabilities (3 moderate, 6 high, 3 critical)
Nobody reads that. Security gets ignored. Dependencies stay vulnerable.
The solution
npx osv-ui
→ Opens a dashboard. Every CVE, every fix, all your services. Done.
Why give it a try?
- Zero-config: No complex setup, no signup, no API key required.
- Privacy First: Analysis is done 100% on your machine.
- Fast & Visual: Real-time Risk Scores, vulnerability charts, and clear upgrade guides in seconds.
- Multi-platform: Native support for Node.js (npm), Python, Go, and Rust.
Features
| Feature | Details |
|---|---|
| npm + Python + Go + Rust | Scans package-lock.json, Pipfile.lock, poetry.lock, requirements.txt, go.sum, Cargo.lock |
| Live CVE data | Powered by OSV.dev, updated daily from NVD, GitHub Advisory, PyPI Advisory. No API key. |
| Multi-service | Scan your entire monorepo in one command: frontend, backend, workers, ML services |
| Fix guide | Dependabot-style upgrade table: current version → safe version + one-click copy command |
| Built-in REST API | Power your own security dashboards with GET /api/data or CLI export flags |
| Risk score | 0–100 per service so you know where to focus first |
| CVE drill-down | Click any row → CVSS score, description, NVD link, GitHub Advisory link |
| Dark Mode | Eye-friendly security audits, day or night |
Quick start
Scan current directory:
npx osv-ui
Scan a monorepo (multiple services at once):
npx osv-ui ./frontend ./api ./worker ./ml-service
Auto-discover all services under the current directory:
npx osv-ui -d
Add to your package.json scripts:
{
  "scripts": {
    "audit:ui": "npx osv-ui",
    "audit:all": "npx osv-ui ./frontend ./api ./worker"
  }
}
--discover, -d Auto-find service dirs that contain a supported manifest
--port=2003 Use a custom port (default: 2003)
--json[=file] Save report as JSON without opening browser (defaults to osv-report.json)
--html[=file] Save report as HTML without opening browser (defaults to osv-report.html)
--no-open Don't auto-open the browser
--offline Skip OSV.dev lookup (parse manifests only)
-h, --help Show help message
AI Agent Integration (MCP)
osv-ui is now a Model Context Protocol (MCP) server. This allows AI agents like Claude Desktop, Cursor, and Claude Code to:
- Scan your project for CVEs automatically.
- Open the visual dashboard for you to review findings (Human-in-the-loop).
- Apply fixes after your explicit confirmation.
Quick setup (npx):
{
  "mcpServers": {
    "osv-ui": {
      "command": "npx",
      "args": ["-y", "osv-ui-mcp"]
    }
  }
}
See the MCP Package README for detailed setup instructions.
Powerful built-in API
osv-ui isn't just a dashboard; it's a security data engine.
Once the dashboard is running, you can pull the raw security data for your whole project:
# Get full JSON payload for all services
curl http://localhost:2003/api/data
# Use it in your custom scripts
curl -s http://localhost:2003/api/data | jq '.[0].vulns'
Supported manifest files
| Ecosystem | Files |
|---|---|
| npm | package-lock.json (lockfileVersion 1, 2, 3) |
| Python | requirements.txt · Pipfile.lock · poetry.lock · pyproject.toml |
| Go | go.sum |
| Rust | Cargo.lock |
More ecosystems coming; see Roadmap.
How it works
Your project files
│
├─ package-lock.json ──┐
├─ Pipfile / poetry  ──┤──► parser ──► package list
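The parser → package list step, and the OSV.dev lookup it feeds, as an added example (not osv-ui's own code): it flattens a package-lock.json in lockfileVersion 1, 2 or 3 into name/version pairs and builds a request body for OSV.dev's `/v1/querybatch` endpoint. The helper names and sample lockfiles are constructed for illustration, and whether osv-ui itself uses this endpoint is an assumption.

```javascript
// Added illustration, not osv-ui's code. Helper names are hypothetical.
const NM = "node_modules/";
const isRegistryVersion = (v) => typeof v === "string" && /^\d/.test(v); // skips git/file specs
// lockfileVersion 2 and 3: flat "packages" map keyed by install path.
function fromPackages(packages) {
  const out = [];
  for (const [path, meta] of Object.entries(packages)) {
    const i = path.lastIndexOf(NM);
    // No node_modules/ segment means the root project ("") or a workspace directory.
    if (i === -1 || meta.link || !isRegistryVersion(meta.version)) continue;
    // meta.name is present when the install path is an alias of the real package.
    out.push({ name: meta.name || path.slice(i + NM.length), version: meta.version });
  }
  return out;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function fromDependencies(deps, out = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    if (isRegistryVersion(meta.version)) out.push({ name, version: meta.version });
    fromDependencies(meta.dependencies, out);
  }
  return out;
}

function parseLockfile(text) {
  const lock = JSON.parse(text);
  const list = lock.packages ? fromPackages(lock.packages) : fromDependencies(lock.dependencies);
  const unique = new Map(list.map((p) => [`${p.name}@${p.version}`, p])); // drop repeats
  return [...unique.values()];
}

// Request body for POST https://api.osv.dev/v1/querybatch (built here, not sent).
function buildOsvBatch(pkgs) {
  return { queries: pkgs.map((p) => ({ package: { name: p.name, ecosystem: "npm" }, version: p.version })) };
}
// Constructed sample lockfiles.
const SAMPLE_V3 = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo", version: "1.0.0" },
  "node_modules/semver": { version: "7.5.1" },
  "node_modules/@babel/core": { version: "7.22.0" },
  "node_modules/a/node_modules/semver": { version: "5.7.1" },
  "packages/local": { name: "local", version: "0.0.1" },
  "node_modules/local": { resolved: "packages/local", link: true },
} });
const SAMPLE_V1 = JSON.stringify({ lockfileVersion: 1, dependencies: {
  a: { version: "1.0.0", dependencies: { semver: { version: "5.7.1" } } },
  semver: { version: "7.5.1" }, gitdep: { version: "github:x/y#abc" },
} });
console.log(JSON.stringify(buildOsvBatch(parseLockfile(SAMPLE_V3)), null, 2));
```

Nested copies such as `semver@5.7.1` are kept as separate queries because a vulnerable transitive version can sit beside a patched top-level one.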