OWASP CVE Lite CLI: Scan Project Vulnerabilities Easily

By Emy Elsamnoudy, June 6, 2026

CVE Lite CLI is a free, open-source vulnerability scanner now officially recognized as an OWASP Incubator Project. This tool aims to bring dependency security insights directly to developers’ terminals, moving them beyond traditional CI pipelines where they can often remain overlooked.

Maintained by Sonu Kapoor and backed by the same organization behind the OWASP Top 10, the tool addresses a longstanding gap in developer security workflows: the absence of fast, actionable, local-first remediation guidance.

[Image: OWASP CVE Lite CLI Tool]

Most security scanners are built for pipelines, not people. Tools like Dependabot file pull requests that developers get to "eventually"; CI scanners block merges hours after the code was reviewed; security dashboards surface lists of CVE IDs with no clear path to resolution. The result is alert fatigue: developers learn to tune out the noise.

CVE Lite CLI takes a different approach: it runs at the moment just before a developer pushes code, producing a concrete remediation plan rather than just a list of vulnerability identifiers.

As OWASP noted, “the goal is to make dependency security part of the everyday developer workflow, not just a CI check or enterprise-only concern.”

CVE Lite CLI reads a project’s lockfile locally and queries the Open Source Vulnerabilities (OSV) database for advisory data. It supports all four major JavaScript package managers, npm, pnpm, Yarn, and Bun, and produces copy-and-run install commands scoped precisely to whichever one a project uses. Critically, nothing leaves the developer’s machine: no source code, no dependency tree, no credentials.

[Image: OWASP CVE Lite CLI Tool]

The tool distinguishes between direct and transitive dependencies, a nuance most free scanners miss. For transitive findings, it goes further by identifying whether a simple npm update <parent> resolves the vulnerable child within the current version range, or whether the parent package itself needs a major upgrade.
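To illustrate the lockfile-based classification described above, here is an added example (not CVE Lite CLI's own code) that reads a constructed npm lockfile v3 fragment, matches it against advisories in a flattened OSV-style shape (the nested affected/ranges/events structure collapsed to introduced/fixed), labels each finding direct or transitive, and decides whether a transitive finding is resolved by updating the parent within its declared caret range or needs a parent upgrade. Package names, advisory ids, versions and the caret-only range handling are all assumptions made for the example.

```python
def ver(s):
    return tuple(int(x) for x in s.split("."))

def caret_admits(rng, v):
    # ^a.b.c admits v when a.b.c <= v < (a+1).0.0 (caret ranges only, major > 0)
    base = ver(rng.lstrip("^"))
    return base <= ver(v) < (base[0] + 1, 0, 0)

def scan(lock, advisories):
    pkgs = lock["packages"]
    direct = set(pkgs[""]["dependencies"])  # what the root package.json declares
    installed, parents = {}, {}
    for path, meta in pkgs.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]
        installed[name] = meta["version"]
        for child, rng in meta.get("dependencies", {}).items():
            parents.setdefault(child, []).append((name, rng))
    findings = []
    for adv in advisories:
        name, fixed = adv["package"], adv["fixed"]
        # flattened OSV range: affected when introduced <= installed < fixed
        if name not in installed or not ver(adv["introduced"]) <= ver(installed[name]) < ver(fixed):
            continue
        f = {"id": adv["id"], "package": name, "version": installed[name]}
        if name in direct:
            f["kind"], f["fix"] = "direct", f"npm install {name}@{fixed}"
        else:  # transitive: does the parent's declared range already admit the fix?
            parent, rng = parents[name][0]
            f["kind"] = "transitive"
            f["fix"] = (f"npm update {parent}" if caret_admits(rng, fixed)
                        else f"upgrade {parent} (it must require {name}>={fixed})")
        findings.append(f)
    return findings

# Constructed inputs: an npm lockfile v3 fragment and three fictional advisories
LOCKFILE = {"packages": {
    "": {"dependencies": {"acme-auth": "^6.0.0", "acme-util": "^4.17.0"}},
    "node_modules/acme-auth": {"version": "6.0.0", "dependencies": {"acme-token": "^8.1.0"}},
    "node_modules/acme-token": {"version": "8.5.1"},
    "node_modules/acme-util": {"version": "4.17.15", "dependencies": {"acme-parse": "^2.0.0"}},
    "node_modules/acme-parse": {"version": "2.1.0"},
}}
ADVISORIES = [
    {"id": "EXAMPLE-1", "package": "acme-token", "introduced": "0", "fixed": "8.5.2"},
    {"id": "EXAMPLE-2", "package": "acme-util", "introduced": "0", "fixed": "4.17.21"},
    {"id": "EXAMPLE-3", "package": "acme-parse", "introduced": "2.0.0", "fixed": "3.0.0"},
]
```

Calling `scan(LOCKFILE, ADVISORIES)` yields one transitive finding fixable with `npm update acme-auth`, one direct finding, and one transitive finding whose parent's `^2.0.0` range cannot reach the 3.0.0 fix.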

  • Remediation-first output — every finding includes a validated, copy-and-run fix command, not just a CVE ID.
  • Usage-aware reachability (--usage) — static analysis detects whether vulnerable packages are actually imported in source code, cutting false-positive noise.
  • Offline advisory DB — sync ~217,065 advisory records in under 9 seconds for air-gapped or enterprise environments using cve-lite advisories sync.
  • Interactive HTML report (--report) — generates a self-contained dashboard with severity cards, a searchable findings table, and copy-ready commands.
  • Auto-fix mode (--fix) — applies validated direct dependency fixes using the detected package manager, then rescans automatically.
  • CI/CD integration — --fail-on high exits non-zero on threshold breaches; --sarif writes SARIF 2.1.0 output for GitHub Code Scanning; --cdx generates a CycloneDX 1.4 SBOM.
  • AI assistant integration (install-skill) — writes skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot so AI assistants can analyze scan output and generate prioritized fix plans.

The tool can be cloned from GitHub. Installation takes a single command with no account, no configuration, and no data leaving the machine:

```bash
npm install -g cve-lite-cli
cve-lite /path/to/project
```

Or as a one-off scan via npx:

```bash
npx cve-lite-cli /path/to/project
```

The attached scan output above illustrates a real-world result — 39 vulnerable packages detected across 1,620 parsed dependencies, with 3 critical findings including [email protected] (transitive, fix via express-jwt upgrade) and [email protected] (direct), alongside a prioritized top fix command ready to run immediately.

Being accepted as an OWASP Incubator Project means CVE Lite CLI has been peer-reviewed by security professionals and operates under vendor-neutral, community-driven governance.

The tool has been validated against real-world codebases, including OWASP Juice Shop, Visual Studio Code, NestJS, Ghost CMS, Gatsby, Storybook, and the Vercel AI SDK, and has documented scans with real findings, not demos.

CVE Lite CLI has a minimal runtime footprint of just four dependencies (yaml, yarn-lockfile, better-sqlite3, fflate), keeping it auditable and lightweight by design, a deliberate choice for a security-oriented tool.
