Add it to Claude Code
claude mcp add osv-ui -- npx -y osv-ui-mcpMake your agent remember this setup
osv-ui's config, env vars, and the gotchas you hit — recalled in every future Claude Code, Cursor, and Codex session.
npx conare@latestFree · one command · indexes the sessions already on disk. Set up in the browser instead →
What it does
- Scans npm, Python, Go, and Rust project manifests for vulnerabilities
- Powered by live OSV.dev data updated daily from NVD and GitHub Advisory
- Supports multi-service monorepo scanning in a single command
- Provides risk scores and clear upgrade guides for identified CVEs
- Runs 100% locally with no API keys or external data tracking
Try it
Original README from toan203/osv-ui

osv-ui
A beautiful, zero-config visual CVE dashboard for npm, Python, Go, and Rust projects.
One command. No signup. No API key. Runs 100% locally — your code never leaves your machine.
🇻🇳 Tiếng Việt · 🇺🇸 English · 🇨🇳 中文 · 🇯🇵 日本語
The problem
$ npm audit
# ... 300 lines of this ...
# moderate Regular Expression Denial of Service in semver
# package semver
# patched in >=7.5.2
# ...
# 12 vulnerabilities (3 moderate, 6 high, 3 critical)
Nobody reads that. Security gets ignored. Dependencies stay vulnerable.
The solution
npx osv-ui
→ Opens a dashboard. Every CVE, every fix, all your services. Done.
Why give it a try?
- Zero-config: No complex setup, no signup, no API key required.
- Privacy First: Analysis is done 100% on your machine.
- Fast & Visual: Real-time Risk Scores, vulnerability charts, and clear upgrade guides in seconds.
- Multi-platform: Native support for Node.js (npm), Python, Go, and Rust.
Features
| 🟨 npm + 🐍 Python + 🔵 Go + 🦀 Rust | Scans package-lock.json, Pipfile.lock, poetry.lock, requirements.txt, go.sum, Cargo.lock |
| 📡 Live CVE data | Powered by OSV.dev — updated daily from NVD, GitHub Advisory, PyPI Advisory. No API key. |
| 🏢 Multi-service | Scan your entire monorepo in one command — frontend, backend, workers, ML services |
| 💊 Fix guide | Dependabot-style upgrade table: current version → safe version + one-click copy command |
| 🔌 Built-in REST API | Power your own security dashboards with GET /api/data or CLI export flags |
| 🎯 Risk score | 0–100 per service so you know where to focus first |
| 🔍 CVE drill-down | Click any row — CVSS score, description, NVD link, GitHub Advisory link |
| 🌙 Dark Mode | Eye-friendly security audits, day or night |
Quick start
Scan current directory:
npx osv-ui
Scan a monorepo (multiple services at once):
npx osv-ui ./frontend ./api ./worker ./ml-service
Auto-discover all services under the current directory:
npx osv-ui -d
Add to your package.json scripts:
{
"scripts": {
"audit:ui": "npx osv-ui",
"audit:all": "npx osv-ui ./frontend ./api ./worker"
}
}
--discover, -d Auto-find service dirs that contain a supported manifest
--port=2003 Use a custom port (default: 2003)
--json[=file] Save report as JSON without opening browser (defaults to osv-report.json)
--html[=file] Save report as HTML without opening browser (defaults to osv-report.html)
--no-open Don't auto-open the browser
--offline Skip OSV.dev lookup — parse manifests only
-h, --help Show help message
🤖 AI Agent Integration (MCP)
osv-ui is now a Model Context Protocol (MCP) server. This allows AI agents like Claude Desktop, Cursor, and Claude Code to:
- Scan your project for CVEs automatically.
- Open the visual dashboard for you to review findings (Human-in-the-loop).
- Apply fixes after your explicit confirmation.
Quick setup (npx):
{
"mcpServers": {
"osv-ui": {
"command": "npx",
"args": ["-y", "osv-ui-mcp"]
}
}
}
See the MCP Package README for detailed setup instructions.
🔌 Powerful built-in API
osv-ui isn't just a dashboard; it's a security data engine.
Once the dashboard is running, you can pull the raw security data for your whole project:
# Get full JSON payload for all services
curl http://localhost:2003/api/data
# Use it in your custom scripts
curl -s http://localhost:2003/api/data | jq '.[0].vulns'
Supported manifest files
| Ecosystem | Files |
|---|---|
| npm | package-lock.json (lockfileVersion 1, 2, 3) |
| Python | requirements.txt · Pipfile.lock · poetry.lock · pyproject.toml |
| Go | go.sum |
| Rust | Cargo.lock |
More ecosystems coming — see Roadmap.
How it works
Your project files
│
├─ package-lock.json ──┐
├─ Pipfile / poetry ──┤──► parser ──► package list