OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects
Cybersecurity NewsArchived Jun 06, 2026✓ Full text saved
CVE Lite CLI is a free, open-source vulnerability scanner officially recognized as an OWASP Incubator Project, designed to bring dependency security directly into developers’ terminals rather than leaving it buried in CI pipelines. Maintained by Sonu Kapoor and backed by the same organization behind the OWASP Top 10, the tool addresses a longstanding gap in […] The post OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects
By Guru Baran
June 6, 2026
CVE Lite CLI is a free, open-source vulnerability scanner officially recognized as an OWASP Incubator Project, designed to bring dependency security directly into developers’ terminals rather than leaving it buried in CI pipelines.
Maintained by Sonu Kapoor and backed by the same organization behind the OWASP Top 10, the tool addresses a longstanding gap in developer security workflows: the absence of fast, actionable, local-first remediation guidance.
OWASP CVE Lite CLI Tool
Most security scanners are built for pipelines, not people. Tools like Dependabot file pull requests, developers get to “eventually,” CI scanners block merges hours after code is reviewed, and security dashboards surface lists of CVE IDs with no clear path to resolution. The result is alert fatigue; developers learn to tune out the noise.
CVE Lite CLI takes a different approach: it runs at the moment just before a developer pushes code, producing a concrete remediation plan rather than just a list of vulnerability identifiers.
As OWASP noted, “the goal is to make dependency security part of the everyday developer workflow, not just a CI check or enterprise-only concern.”
CVE Lite CLI reads a project’s lockfile locally and queries the Open Source Vulnerabilities (OSV) database for advisory data. It supports all four major JavaScript package managers, npm, pnpm, Yarn, and Bun, and produces copy-and-run install commands scoped precisely to whichever one a project uses. Critically, nothing leaves the developer’s machine: no source code, no dependency tree, no credentials.
OWASP CVE Lite CLI Tool
The tool distinguishes between direct and transitive dependencies, a nuance most free scanners miss. For transitive findings, it goes further by identifying whether a simple npm update <parent> resolves the vulnerable child within the current version range, or whether the parent package itself needs a major upgrade.
Remediation-first output — every finding includes a validated, copy-and-run fix command, not just a CVE ID.
Usage-aware reachability (--usage) — static analysis detects whether vulnerable packages are actually imported in source code, cutting false-positive noise.
Offline advisory DB — sync ~217,065 advisory records in under 9 seconds for air-gapped or enterprise environments using cve-lite advisories sync.
Interactive HTML report (--report) — generates a self-contained dashboard with severity cards, a searchable findings table, and copy-ready commands.
Auto-fix mode (--fix) — applies validated direct dependency fixes using the detected package manager, then rescans automatically.
CI/CD integration — --fail-on high exits non-zero on threshold breaches; --sarif writes SARIF 2.1.0 output for GitHub Code Scanning; --cdx generates a CycloneDX 1.4 SBOM.
AI assistant integration (install-skill) — writes skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot so AI assistants can analyze scan output and generate prioritized fix plans.
The tool can be cloned from GitHub. Installation takes a single command with no account, no configuration, and no data leaving the machine:
bashnpm install -g cve-lite-cli
cve-lite /path/to/project
Or as a one-off scan via npx:
bashnpx cve-lite-cli /path/to/project
The attached scan output above illustrates a real-world result — 39 vulnerable packages detected across 1,620 parsed dependencies, with 3 critical findings including jsonwebtoken@0.1.0 (transitive, fix via express-jwt upgrade) and marsdb@0.6.11 (direct), alongside a prioritized top fix command ready to run immediately.
Being accepted as an OWASP Incubator Project means CVE Lite CLI has been peer-reviewed by security professionals and operates under vendor-neutral, community-driven governance.
The tool has been validated against real-world codebases, including OWASP Juice Shop, Visual Studio Code, NestJS, Ghost CMS, Gatsby, Storybook, and the Vercel AI SDK, and has documented scans with real findings, not demos.
CVE Lite CLI has a minimal runtime footprint of just four dependencies (yaml, yarn-lockfile, better-sqlite3, fflate), keeping it auditable and lightweight by design, a deliberate choice for a security-oriented tool.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System
Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users
Microsoft Tightens Entra ID Password Resets With New Authentication Change
Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware
Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages
Latest News
Cyber Security News
Hackers Publish Malicious Python Package Mimicking Legitimate Parsimonious Parser
Cyber Security News
Hackers are Increasingly Weaponizing Trusted Tools to Deploy Notorious Malware
Cyber Security News
New Magecart Attack Turns Stripe into a Malware Command Server
Cyber Security News
Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer
Cyber Security News
New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation