CVE Lite CLI Joins OWASP as a Local-First Dependency Security Scanner

CVE Lite CLI, now an OWASP Incubator Project, scans JavaScript lockfiles locally and returns copy-and-run fix commands instead of CVE ID lists. Free, MIT-licensed, no data sent off-device.

CVE Lite CLI, a free dependency vulnerability scanner for JavaScript and TypeScript projects, became an OWASP (Open Worldwide Application Security Project) Incubator Project in May 2026. The tool reads a project’s lockfile, queries the OSV (Open Source Vulnerabilities) database, and returns copy-and-run fix commands scoped to the package manager in use, delivering a concrete remediation path rather than a list of CVE identifiers to sort through later.

The backdrop for its arrival is measurable. A Datadog State of DevSecOps 2026 report found that 87 percent of organizations run at least one exploitable vulnerability in their production services, and the median dependency trails its latest major version by 278 days, up from 215 days the year before.

The Gap Existing Scanners Leave Open

How Dependabot and npm Audit Fall Short

Dependabot files a pull request. npm audit returns a list. Neither tells a developer which findings are direct versus transitive, and neither provides the exact package manager command needed to fix the specific dependency in the version range a project actually uses.

A direct dependency is something a team knowingly added to package.json. A transitive dependency is a library pulled in by one of those libraries, one or more levels removed from anything the developer explicitly chose. When a scanner flags a transitive vulnerability, the fix often isn’t to install the vulnerable package at a newer version; it’s to upgrade the parent package whose version constraint controls which version of the child resolves. Most free scanners don’t surface that path. npm audit fix applies every available in-range upgrade in one pass, and npm audit fix --force goes further and will also install major-version jumps, so a developer running the latter blind can break an application while technically clearing a CVE ID.

The CI Timing Problem

The standard workflow runs a scanner after a pull request is pushed, a CI (Continuous Integration) run completes, and the report lands in a dashboard. At that point the developer has already context-switched. Reviewing a list of CVE IDs then requires reconstructing the dependency decision made hours earlier. Practitioners report losing roughly seven hours per week to manual triage of irrelevant or unactionable security alerts, according to analysis by Apiiro, a DevOps security platform.

CVE Lite CLI places the check before a push, while the context is still live.

Tool          Where It Runs   Output Type                 Transitive Guidance        Data Sent Off-Device   License
CVE Lite CLI  Local terminal  Copy-and-run fix commands   Parent-aware upgrade path  None*                  Free, OWASP / MIT
Dependabot    GitHub CI       Pull requests               Not distinguished          GitHub servers         Free (GitHub)
npm audit     Local terminal  CVE list + bulk fix         Not distinguished          npm registry           Free
Snyk CLI      Local / CI      CVE list + fix suggestions  Partial                    Cloud upload           Freemium
OSV-Scanner   Local / CI      CVE list                    Not distinguished          None*                  Free, Google

* "None" applies to offline mode with a locally synced advisory database. In online mode both CVE Lite CLI and OSV-Scanner send package names and versions to the OSV API to match advisories; no source code is uploaded.

Parsing Lockfiles and Matching Advisories

The tool reads whichever lockfile is present in the project root: package-lock.json, pnpm-lock.yaml, yarn.lock, or bun.lock. It parses the resolved, pinned dependency versions from the lockfile graph rather than the range specifiers in package.json, keeping the scan accurate even when node_modules is stale or absent.

Those resolved versions are checked against the OSV database. OSV aggregates advisory data from 24 sources including the GitHub Advisory Database, in a machine-readable schema that maps to specific package version ranges. For offline or restricted-network environments, CVE Lite CLI can sync the advisory data locally ahead of time; it ingests 217,000 advisory records in under nine seconds, which the project says is 9.9 times faster than its initial implementation. Once synced, all scans run without a network call.

Installation is a single npm command, followed by a scan of the project directory:

npm install -g cve-lite-cli
cve-lite /path/to/project

Or as a one-off: npx cve-lite-cli /path/to/project. No account, no configuration file, no API key. Beyond the basic scan, the core capabilities:

  • --fix: Applies validated direct dependency upgrades using the detected package manager, then rescans automatically.
  • --usage: Static analysis that checks whether a vulnerable package is actually imported in source, cutting noise for packages pulled in but never called.
  • --report: Generates a self-contained HTML dashboard with severity cards, a searchable findings table, and copy-ready fix commands.
  • --sarif: Writes SARIF (Static Analysis Results Interchange Format) 2.1.0 output compatible with GitHub Code Scanning for integration into CI review workflows.
  • --cdx: Generates a CycloneDX 1.4 SBOM (Software Bill of Materials, a machine-readable inventory of a project’s dependencies) for compliance and audit needs.
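To make the --usage idea concrete, here is an added example (not the project's implementation) of the static check it describes: it looks for literal import and require specifiers in first-party source, normalises subpath and scoped imports to a bare package name, and reports which flagged packages are actually imported. The source files, package names and the SPECIFIER_RE pattern are constructed assumptions for the demo.

```javascript
// Constructed first-party source files (strings, not real files).
const SOURCES = {
  "src/server.js": 'const app = require("web-framework");\nconst pad = require("string-utils/pad");\n',
  "src/render.ts": 'import { escape } from "@demo/html-escaper";\nimport "side-effect-lib";\n',
  "src/lazy.js":   'export * from "string-utils-extra";\nconst w = await import("chart-widgets");\n',
  "src/plugin.js": 'const name = process.env.PLUGIN;\nconst p = require(name); // computed, not resolvable statically\n',
};

// Module specifier in: import ... from "x", import "x", export ... from "x",
// require("x") and dynamic import("x"). Only string literals are matched.
const SPECIFIER_RE = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;

// Bare package name from a specifier: "pkg/sub" -> "pkg", "@scope/pkg/sub" ->
// "@scope/pkg"; relative, absolute and node: specifiers are not packages.
function packageName(spec) {
  if (/^(\.|\/|node:)/.test(spec)) return null;
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// package name -> sorted list of files that import it by literal specifier.
function importedPackages(sources) {
  const usage = {};
  for (const [file, text] of Object.entries(sources))
    for (const m of text.matchAll(SPECIFIER_RE)) {
      const name = packageName(m[1]);
      if (name) (usage[name] ||= new Set()).add(file);
    }
  return Object.fromEntries(Object.entries(usage).map(([k, v]) => [k, [...v].sort()]));
}

// Split flagged package names into "imported in source" and "installed but never
// imported". Limits: computed require() arguments and code reached only through
// another dependency are invisible here, so "unused" lowers priority; it does not
// prove the vulnerable code cannot run.
function triage(vulnerablePackages, sources) {
  const usage = importedPackages(sources);
  return vulnerablePackages.map(name => ({ name, usedDirectly: name in usage, files: usage[name] || [] }));
}

console.log(triage(["string-utils", "@demo/html-escaper", "chart-widgets", "left-pad"], SOURCES));
```

Note that the prefix match is exact on the normalised name, so an import of string-utils-extra does not count as usage of string-utils, and the computed require in src/plugin.js is deliberately reported as unresolved rather than guessed.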

The Transitive Dependency Problem

Most of the meaningful findings CVE Lite CLI surfaces are not in the packages a developer knowingly installed. They’re one or two levels deeper.

Ghost CMS, the open-source publishing platform, illustrates the point. A CVE Lite CLI scan of Ghost’s dependency tree resolved 4,447 packages and found 26 vulnerable ones. Every finding was transitive: nothing in Ghost’s direct dependencies was itself flagged.

A team relying on npm audit for transitive coverage gets a bulk advisory with no clear fix path. CVE Lite CLI handles this with parent-aware guidance: for npm lockfiles, the tool resolves the vulnerable child’s dependency path back to the controlling parent and outputs the most targeted command available, either npm update <parent> when the safe version falls within the range the parent already allows, or an explicit parent-upgrade recommendation when the parent’s version constraint is the actual blocker. The Analog monorepo, a pnpm v9 Angular project, showed the same pattern: 3,367 resolved packages, unexpected toolchain vulnerabilities, all transitive, found in a single scan.
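As an added illustration of the two mechanisms described on this page (the lockfile parsing and OSV matching from the earlier section, and the parent-aware guidance just described), here is example code that is not CVE Lite CLI's own: it reads a package-lock.json v3 graph, matches each resolved version against OSV-style SEMVER ranges, walks the vulnerable package back to the direct dependency that pulls it in, and decides whether the fixed version fits the controlling parent's declared range. The lockfile, package names and EXAMPLE-* advisory IDs are constructed for the demo, the semver handling covers only exact, tilde, caret and star ranges, and the command strings follow the article's description rather than the tool's actual output.

```javascript
// Constructed package-lock.json v3 graph: two direct dependencies, each pulling
// in one transitive dependency. Names and versions are made up for the demo.
const LOCKFILE = { packages: {
  "": { version: "1.0.0", dependencies: { "web-framework": "^4.2.0", "template-engine": "^1.0.0" } },
  "node_modules/web-framework": { version: "4.2.1", dependencies: { "string-utils": "^2.0.0" } },
  "node_modules/string-utils": { version: "2.1.0" },
  "node_modules/template-engine": { version: "1.0.3", dependencies: { "html-escaper": "~0.9.0" } },
  "node_modules/html-escaper": { version: "0.9.2" },
} };
const ADVISORIES = [                 // constructed; only the OSV schema shape is real
  { id: "EXAMPLE-0001", affected: [{ package: { ecosystem: "npm", name: "string-utils" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "2.0.0" }, { fixed: "2.1.4" }] }] }] },
  { id: "EXAMPLE-0002", affected: [{ package: { ecosystem: "npm", name: "html-escaper" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.0.0" }] }] }] },
];

// Minimal semver: x.y.z only (pre-release tags ignored); ranges: exact, ~, ^ and "*".
function parseVer(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}
function cmp(a, b) {
  const [x, y] = [parseVer(a), parseVer(b)], i = x.findIndex((n, k) => n !== y[k]);
  return i === -1 ? 0 : Math.sign(x[i] - y[i]);
}
function satisfies(version, range) {
  range = range.trim();
  if (range === "*" || range === "") return true;
  const op = "^~".includes(range[0]) ? range[0] : "", base = op ? range.slice(1) : range;
  if (!op) return cmp(version, base) === 0;
  if (cmp(version, base) < 0) return false;
  const [maj, min] = parseVer(base), [vmaj, vmin] = parseVer(version);
  if (op === "~" || (maj === 0 && min !== 0)) return vmaj === maj && vmin === min;
  return maj === 0 ? cmp(version, base) === 0 : vmaj === maj;  // ^0.0.z pins the patch
}

// OSV SEMVER events are ordered: "introduced" opens a vulnerable window ("0" = first
// release), "fixed" closes it. Returns whether `version` is inside a window and the
// first fixed version above it, i.e. the safe upgrade target.
function matchSemverRange(version, range) {
  let affected = false, fixed = null;
  for (const ev of range.events) {                  // "last_affected" is not handled here
    if ("introduced" in ev && (ev.introduced === "0" || cmp(version, ev.introduced) >= 0)) affected = true;
    if ("fixed" in ev && cmp(version, ev.fixed) >= 0) affected = false;
    else if ("fixed" in ev && affected) fixed ??= ev.fixed;
  }
  return { affected, fixed };
}

// Node-style resolution inside the lockfile: nearest node_modules below `from`, then up.
function resolveDep(packages, from, name) {
  for (let base = from; ; ) {
    const key = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
const nameOf = key => key.slice(key.lastIndexOf("node_modules/") + 13);
// Reverse edges (package -> dependents with declared range); pathToRoot follows them
// back to "", so path[1] is the direct dependency that pulls the package in.
function buildParents(packages) {
  const parents = {};
  for (const [key, entry] of Object.entries(packages))
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      const child = resolveDep(packages, key, dep);
      if (child) (parents[child] ||= []).push({ parent: key, range });
    }
  return parents;
}
function pathToRoot(parents, key, seen = new Set()) {
  if (key === "") return [""];
  const up = (parents[key] || []).find(p => !seen.has(p.parent));
  if (!up) return null;                             // orphaned or cyclic
  const rest = pathToRoot(parents, up.parent, seen.add(key));
  return rest && [...rest, key];
}

// Parent-aware guidance: a direct finding installs the fixed version; a transitive one
// gets an in-range refresh if the fixed child version satisfies the range its parent
// declares, otherwise that parent's constraint is the blocker and must itself move.
function guidance(pk, parents, id, key, fixed) {
  const name = nameOf(key), path = pathToRoot(parents, key);
  const f = { id, name, version: pk[key].version, fixed, path: path ? path.slice(1).map(nameOf) : [] };
  if (!path) return { ...f, kind: "unreachable", command: null };
  if (path.length === 2) return { ...f, kind: "direct", command: fixed && `npm install ${name}@${fixed}` };
  const pkey = path[path.length - 2], parent = nameOf(pkey), range = pk[pkey].dependencies[name];
  if (fixed && satisfies(fixed, range)) return { ...f, kind: "transitive-in-range", command: `npm update ${parent}` };
  return { ...f, kind: "transitive-blocked", command:
    `upgrade ${parent}@${pk[pkey].version}: its range "${range}" for ${name} excludes ${fixed ?? "every fixed version"}` };
}
// Every resolved version against every SEMVER range published for that package name.
function scan(lock, advisories) {
  const pk = lock.packages, parents = buildParents(pk), findings = [];
  for (const key of Object.keys(pk).filter(k => k !== ""))
    for (const adv of advisories) for (const aff of adv.affected) for (const r of aff.ranges) {
      if (aff.package.name !== nameOf(key) || r.type !== "SEMVER") continue;
      const { affected, fixed } = matchSemverRange(pk[key].version, r);
      if (affected) findings.push(guidance(pk, parents, adv.id, key, fixed));
    }
  return findings;
}
for (const f of scan(LOCKFILE, ADVISORIES))
  console.log(`${f.id} ${f.name}@${f.version} [${f.kind}] via ${f.path.join(" > ")} -> ${f.command}`);
```

Run it with node. The instructive branch is the second finding: the fixed html-escaper release sits outside the ~0.9.0 range that template-engine declares, so no in-range refresh can clear it and the only honest advice is to move the parent. A production implementation would use the semver package, handle last_affected events and pre-release tags, and read advisories from OSV instead of an inline list.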

Validated Against Open-Source Projects

The project validated the tool against real-world open-source codebases before applying for OWASP recognition, publishing before-and-after findings in documented scans rather than staged demos.

On OWASP Juice Shop, a deliberately vulnerable Node.js training application, an initial scan found 39 vulnerable packages. Two remediation passes using the tool’s output reduced that to 18 and cleared all high-severity findings. Sonu Kapoor, the project’s lead maintainer, described the workflow in a May 2026 interview with Help Net Security:

The useful part is helping developers understand which vulnerabilities are direct, which are transitive, which can be fixed now, and which require broader dependency decisions.

The Vercel AI SDK, NestJS, Gatsby, and Storybook also appear in the published test set, each documented with real findings. The tool’s runtime footprint was kept deliberately small: four production dependencies (yaml, yarn-lockfile, better-sqlite3, fflate), so the dependency tree of the security scanner itself stays auditable.

A Worsening Baseline

In 2025 alone, more than 40,000 new CVEs were disclosed across all software ecosystems, according to Qualys’s CI/CD security analysis. Supply chain attacks targeting development pipelines and their open-source libraries have become among the fastest-growing threat categories. Events like Log4Shell demonstrated how a single widely-used transitive dependency can cascade into thousands of affected systems within hours of public disclosure.

The Datadog State of DevSecOps 2026 figure cited above, a median dependency lag of 278 days against 215 the year before, widened during a year when AI-assisted coding tools accelerated release velocity, adding dependencies faster than teams were auditing them.

The tool’s install-skill command addresses that acceleration directly. It writes skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot, so AI coding assistants can read scan output and generate prioritized fix plans. As AI agents write more of the code, the scan runs against what the agent produced.

OWASP Recognition and What It Confers

OWASP Incubator status means the project has been reviewed and accepted by the OWASP community under vendor-neutral, community-driven governance: the same process that governs the OWASP Top 10 and OWASP Dependency-Check, standards security teams reference daily. CVE Lite CLI has a project page on owasp.org, is MIT-licensed, and documents its governance model publicly on GitHub.

In practice, the recognition gives enterprise security teams a due-diligence reference point: an OWASP project has been peer-reviewed, operates under a neutral license, and isn’t anchored to a commercial vendor’s pricing tier. It also connects the project to OWASP’s global security community as the tool evolves.

The published project roadmap lists IDE integration as a Phase 3 target: a lightweight extension to highlight vulnerable packages directly inside VS Code and similar editors, catching a dependency the moment it’s typed into a dependency file before a lockfile is written. SPDX (Software Package Data Exchange) SBOM export is also on the list. The OWASP CVE Lite CLI repository on GitHub is public, MIT-licensed, and accepts contributions without requiring prior commit history. Until IDE integration ships, the terminal is where the check runs.

Frequently Asked Questions

Does CVE Lite CLI Work with JavaScript Monorepos?

Yes. Point the scan at the workspace root where the top-level lockfile lives. For pnpm workspaces, CVE Lite CLI handles v5, v6, and v9+ lockfile formats, including the newer snapshots model. Scanning individual workspace package directories without their own lockfile falls back to package.json mode, which limits transitive visibility to pinned direct dependencies only.

What Happens in Air-Gapped or Restricted-Network Environments?

CVE Lite CLI supports a full offline advisory database mode. Running cve-lite advisories sync downloads roughly 217,000 OSV advisory records to a local SQLite database in under nine seconds. Once synced, all scans run without any network calls. The local database needs periodic re-syncing when a network connection is available to stay current with newly published advisories.

How Does Transitive Dependency Handling Differ from npm Audit?

npm audit fix applies every available in-range upgrade in one pass, and npm audit fix --force will also pull in breaking parent-level changes; neither tells you which individual change a given finding needs. CVE Lite CLI identifies the minimum change: for transitive npm findings, it checks whether the vulnerable child’s safe version resolves within the parent’s allowed range and outputs the most targeted command available, either npm update <parent> or an explicit parent-upgrade recommendation when the parent’s own version constraint is the blocker.

Can CVE Lite CLI Run Inside a CI/CD Pipeline?

Yes. The --fail-on high flag exits non-zero when high-severity findings are present, making it usable as a pipeline gate. The tool also ships a first-party GitHub Actions integration on the Marketplace for low-friction CI adoption. SARIF 2.1.0 output via --sarif integrates with GitHub Code Scanning, and CycloneDX SBOM generation via --cdx supports compliance workflows requiring a dependency inventory.

Is CVE Lite CLI Free, and Does It Send Code Off the Machine?

CVE Lite CLI is free, open-source, and MIT-licensed. No source code and no credentials leave the developer’s machine. In the default online mode the scan must send package names and versions to the OSV API to match advisories; in offline mode, after a local advisory sync, scans run with no network calls at all.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
