Merged
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -19,5 +19,5 @@ clean:
update-snapshots:
UPDATE_SNAPS=true scripts/run_tests.sh

docs:
local-docs:
scripts/run_local_docs.sh
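Review bot: the `docs` target is renamed to `local-docs` on the last two lines of this hunk with no visible update to its callers; check that the README, contributor notes and CI workflows no longer invoke `make docs`, or keep `docs` as a thin alias for one release so existing invocations do not break. If the rename is motivated by the `docs/` directory shadowing a target of the same name (make treats such a target as already up to date when a file or directory called `docs` exists), declaring the target `.PHONY` would fix that too and would let the shorter name stay.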
18 changes: 9 additions & 9 deletions docs/manual-plugin-selection.md
Expand Up @@ -21,7 +21,10 @@ Experimental
{:toc}
</details>

By default, OSV-Scanner automatically enables the relevant plugins for each scanning situation (see [this page](./supported_languages_and_lockfiles.md) for more details). However, if the default selection is not suitable, or you require additional plugins from OSV-Scalibr (e.g., detectors), you can manually enable or disable them.
By default, OSV-Scanner automatically enables the relevant plugins for each scanning situation
(see [this page](./supported_languages_and_lockfiles.md) for more details).
However, if the default selection is not suitable, or you require additional plugins from OSV-Scalibr (e.g., detectors),
you can manually enable or disable them.

## Enabling and Disabling Plugins

Expand All @@ -30,13 +33,8 @@ You can control which plugins to run using the following flags:
- `--experimental-plugins`: Enables a comma-separated list of specific plugins.
- `--experimental-disable-plugins`: Disables a comma-separated list of specific plugins.

For a full list of available plugin names, see OSV-Scalibr's `list.go` files:

- [`enricher/enricherlist/list.go`](https://github.com/google/osv-scalibr/blob/main/enricher/enricherlist/list.go)
- [`annotator/list/list.go`](https://github.com/google/osv-scalibr/blob/main/annotator/list/list.go)
- [`detector/list/list.go`](https://github.com/google/osv-scalibr/blob/main/detector/list/list.go)
- [`extractor/standalone/list/list.go`](https://github.com/google/osv-scalibr/blob/main/extractor/standalone/list/list.go)
- [`extractor/filesystem/list/list.go`](https://github.com/google/osv-scalibr/blob/main/extractor/filesystem/list/list.go)
For a full list of available plugin names, see OSV-Scalibr's documentation here:
https://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md

### Presets
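Review bot: the replacement link on the `https://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md` line is a bare URL, while the rest of this page uses Markdown links (`[this page](./supported_languages_and_lockfiles.md)`); wrap it, e.g. `[OSV-Scalibr's supported inventory types](https://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md)`. Two things to confirm before dropping the per-category links: the removed list covered enrichers, annotators and detectors as well as extractors, so the new page should list all four categories; and a link to `main` can drift from the OSV-Scalibr version this scanner pins, so linking to the tag of the pinned version (or saying that the usable list is scoped to that version) would be more accurate.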

Expand All @@ -63,7 +61,9 @@ osv-scanner scan source --experimental-plugins lockfile --experimental-disable-p

### Detectors

OSV-Scalibr provides detectors that can identify potential security issues beyond known vulnerabilities. We experimentally support these detectors. Currently, detector findings are only available in the JSON output under `experimental_generic_findings`.
OSV-Scalibr provides detectors that can identify potential security issues beyond known vulnerabilities.
We experimentally support these detectors. Currently, detector findings are only available in the JSON output under
`experimental_generic_findings`.

**Available Detector Presets:**

121 changes: 121 additions & 0 deletions docs/migrating-from-scalibr.md
@@ -0,0 +1,121 @@
---
layout: default
title: Migrating from osv-scalibr
nav_order: 18
---

# Migrating from osv-scalibr to osv-scanner

This guide is for users who are familiar with `osv-scalibr` and want to migrate to `osv-scanner`. It explains how to
achieve similar results with `osv-scanner`.

`osv-scanner` has integrated `osv-scalibr`'s inventory collection and vulnerability scanning capabilities.
While most of `osv-scalibr`'s functionalities are available in `osv-scanner`, the command-line flags and output formats
are different.

## Command-line Equivalence

The `osv-scanner` CLI is designed to be more intuitive and user-friendly. Here's a mapping of common `osv-scalibr`
commands to their `osv-scanner` equivalents.

### Scanning a directory

**osv-scalibr:**

```sh
scalibr --root /path/to/your/project --result result.json
```

**osv-scanner:**

```sh
osv-scanner /path/to/your/project
```

### Selecting plugins
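Review bot: the "Scanning a directory" mapping is not like-for-like: the `scalibr --root /path/to/your/project --result result.json` line writes a JSON report to a file, but the `osv-scanner /path/to/your/project` equivalent has no output flag, so a reader following it gets the default table on standard output instead of a JSON file. Either add `--format json --output result.json` to the `osv-scanner` line or state explicitly that the default is a table on stdout; the flag table further down already maps `--result` to `--output`, so the example should agree with it.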
Contributor
though covered in manual-plugin-selection.md, it might be worth mentioning where to find the list of available plugins; also the list of plugins may be scoped to the ones in the scalibr version that we depend on.


OSV-Scanner has access to the full list of OSV-Scalibr plugins, though only a well tested subset of them are enabled by
default in OSV-Scanner.

In `osv-scalibr`, you can select which plugins to run using the `--extractors`, `--detectors` flags,
or alternatively using the `--plugins` flag.

For a full list of available plugin names, see OSV-Scalibr's documentation here:
https://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md

**osv-scalibr:**

```sh
scalibr --plugins python/pip,go/gomod --detectors go/govulncheck /path/to/your/project
```

In `osv-scanner`, you can achieve the same by using the `--experimental-plugins` flag. This is an experimental feature.

**osv-scanner:**

```sh
osv-scanner --experimental-plugins python/pip,go/gomod,go/govulncheck /path/to/your/project
```

`osv-scanner` also allows you to disable default plugins with `--experimental-disable-plugins`.

For more details on manual plugin selection in `osv-scanner`, see the [manual plugin selection documentation](manual-plugin-selection.md).

### Generating SPDX output

`osv-scalibr` uses the `-o` flag to specify the output format and file. For example, to generate an SPDX JSON report:

**osv-scalibr:**

```sh
scalibr -o spdx23-json=result.spdx.json /path/to/your/project
```

`osv-scanner` uses the `--format` flag to specify the output format and the output is written to standard output,
and a separate `--output` flag if you wish to save the output into a file.

**osv-scanner:**

```sh
osv-scanner --format spdx-2.3-json /path/to/your/project > result.spdx.json
```

For more details on `osv-scanner` output formats, see the [output documentation](output.md).

## Flag Translation Table

| `osv-scalibr` Flag | `osv-scanner` Flag | Notes |
| --------------------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------- |
| `--version` | `--version` | `osv-scanner version` |
| `--root` | `[directory]` (argument) | `osv-scanner scan source [directory]` |
| `--result` | `--output` | `osv-scanner --output <file>` |
| `-o` | `--format` and `--output` | e.g. `osv-scalibr -o spdx23-json=r.json` becomes `osv-scanner --format spdx-2.3-json --output r.json` |
| `--plugins` | `--experimental-plugins` | |
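Review bot: the `scalibr` invocations on this page disagree on how the target path is given: the first uses `--root /path/to/your/project`, while the `scalibr --plugins python/pip,go/gomod --detectors go/govulncheck /path/to/your/project` and `scalibr -o spdx23-json=result.spdx.json /path/to/your/project` lines pass it positionally. Use one form throughout (the flag table maps `--root`, so that is the safer choice) so readers do not copy a shape that may not be accepted. Smaller points: the SPDX paragraph is a run-on ("specify the output format and the output is written to standard output, and a separate `--output` flag ..."); split it into one sentence about `--format` and stdout and one about `--output`, then use `--output result.spdx.json` in the example instead of `> result.spdx.json`, matching the `--output r.json` form in the table. "well tested subset" should be hyphenated as "well-tested subset".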
Contributor
do we want to list some example plugins/extractors/detectors here?

Collaborator Author
Made google/osv-scalibr#1137 which I'll link to on this doc for the list of plugins available.

| `--extractors` | `--experimental-plugins` | |
| `--detectors` | `--experimental-plugins` | |
| `--annotators` | `--experimental-plugins` | |
| `--ignore-sub-dirs` | (no direct equivalent) | `osv-scanner` is not recursive by default. Use `--recursive` to enable. |
| `--skip-dirs` | Not yet available | |
| `--skip-dir-regex` | Not yet available | |
| `--skip-dir-glob` | Not yet available | |
| `--max-file-size` | Not yet available | |
| `--use-gitignore` | (default behavior) | Use `--no-ignore` to disable. |
| `--remote-image` | `[image]` (argument) | `osv-scanner scan image [image]` |
| `--image-tarball` | `--archive` | `osv-scanner scan image --archive [tarball]` |
| `--image-local-docker` | `[image]` (argument) | `osv-scanner scan image [image]` (it will look for local images first) |
| `--image-platform` | Not yet available | |
| `--gobinary-version-from-content` | Not yet available | |
| `--govulncheck-db` | Not yet available | |
| `--spdx-document-name` | Not yet available | |
| `--spdx-document-namespace` | Not yet available | |
| `--spdx-creators` | Not yet available | |
| `--cdx-component-name` | Not yet available | |
| `--cdx-component-type` | Not yet available | |
| `--cdx-component-version` | Not yet available | |
| `--cdx-authors` | Not yet available | |
| `--verbose` | `--verbosity` | `osv-scanner --verbosity <level>`, e.g. `debug`. |
| `--explicit-extractors` | (default behavior) | |
| `--filter-by-capabilities` | (default behavior) | `osv-scanner` automatically filters plugins. |
| `--windows-all-drives` | Not yet available | |
| `--offline` | `--offline` | |
| `--local-registry` | `--maven-registry` | Only for Maven. |
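Review bot: the `--ignore-sub-dirs` row says "(no direct equivalent)" and then describes the inverse behaviour; since `osv-scanner` is non-recursive by default, the scalibr flag's effect is already the default and `--recursive` switches it off, so "(default behavior)" with the note "Use `--recursive` to scan subdirectories." would match the pattern the `--use-gitignore` row already uses. Also, the `--version` row's note `osv-scanner version` reads as a subcommand rather than a flag and looks like a leftover; the `--local-registry` row narrows a general flag to `--maven-registry`, so "Only for Maven." should say what users of other ecosystems should expect; and the three empty-note rows for `--extractors`, `--detectors` and `--annotators` would benefit from one shared note saying that `osv-scanner` uses a single plugin list for all categories, as the `go/govulncheck` example above shows.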