CVE Lite CLI is a free, open-source vulnerability scanner officially recognized as an OWASP Incubator Project<\/a>, designed to bring dependency security directly into developers\u2019 terminals rather than leaving it buried in CI pipelines.<\/p>\n Maintained by Sonu Kapoor and backed by the same organization behind the OWASP Top 10<\/a>, the tool addresses a longstanding gap in developer security workflows: the absence of fast, actionable, local-first remediation guidance.<\/p>\n Most security scanners are built for pipelines, not people. Tools like Dependabot file pull requests, developers get to \u201ceventually,\u201d CI scanners block merges hours after code is reviewed, and security dashboards surface lists of CVE IDs with no clear path to resolution. The result is alert fatigue; developers learn to tune out the noise.<\/p>\n CVE Lite CLI takes a different approach: it runs at the moment just before a developer pushes code, producing a concrete remediation plan rather than just a list of vulnerability identifiers.<\/p>\n As OWASP noted, \u201cthe goal is to make dependency security part of the everyday developer workflow, not just a CI check or enterprise-only concern.\u201d<\/p>\n CVE Lite CLI reads a project\u2019s lockfile locally and queries the Open Source Vulnerabilities (OSV) database for advisory data. It supports all four major JavaScript package managers, npm, pnpm, Yarn, and Bun, and produces copy-and-run install commands scoped precisely to whichever one a project uses. Critically, nothing leaves the developer\u2019s machine: no source code, no dependency tree, no credentials.<\/p>\n The tool distinguishes between direct and transitive dependencies, a nuance most free scanners miss. For transitive findings, it goes further by identifying whether a simple The tool can be cloned from<\/a> GitHub. Installation takes a single command with no account, no configuration, and no data leaving the machine:<\/p>\n Or as a one-off scan via npx:<\/p>\n The attached scan output above illustrates a real-world result \u2014 39 vulnerable packages detected across 1,620 parsed dependencies, with 3 critical findings including jsonwebtoken@0.1.0 (transitive, fix via express-jwt upgrade) and marsdb@0.6.11 (direct), alongside a prioritized top fix command ready to run immediately.<\/p>\n Being accepted as an OWASP Incubator Project means CVE Lite CLI has been peer-reviewed by security professionals and operates under vendor-neutral, community-driven governance.<\/p>\n The tool has been validated against real-world codebases, including OWASP Juice Shop, Visual Studio Code, NestJS, Ghost CMS, Gatsby, Storybook, and the Vercel AI SDK, and has documented scans with real findings, not demos.<\/p>\n CVE Lite CLI has a minimal runtime footprint of just four dependencies (yaml, yarn-lockfile, better-sqlite3, fflate), keeping it auditable and lightweight by design, a deliberate choice for a security-oriented tool.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post OWASP CVE Lite CLI \u2013 New Tool to Scan for Vulnerabilities in Your Projects<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nOWASP CVE Lite CLI Tool<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj_7ufkgMQ9wTVS8MzN8NwsLUzunVDIeWLjmVdEv8-A_ZjwjGFSI4kghOnmpOzsbuKb8ciVA9zpTNrbXqQ24wlIrpKvCwPLjES9vlcYzAs_iKMiAp48yMjRQbZdSqesCREx2jkfjCKanHbwDJqGG6oYI81-eTpfi5rvFFHtTcqdNuKKmsNsVD2r81F170KS\/s16000\/OWASP%2520CVE%2520Lite%2520CLI%2520Tool1.webp?ssl=1\")
npm update <parent><\/code> resolves the vulnerable child within the current version range, or whether the parent package itself needs a major upgrade.<\/p>\n\n
--usage<\/code>) \u2014 static analysis detects whether vulnerable packages are actually imported in source code, cutting false-positive noise.<\/li>\ncve-lite advisories sync<\/code>.<\/li>\n--report<\/code>) \u2014 generates a self-contained dashboard with severity cards, a searchable findings table, and copy-ready commands.<\/li>\n--fix<\/code>) \u2014 applies validated direct dependency fixes using the detected package manager, then rescans automatically.<\/li>\n--fail-on high<\/code> exits non-zero on threshold breaches; --sarif<\/code> writes SARIF 2.1.0 output for GitHub Code Scanning; --cdx<\/code> generates a CycloneDX 1.4 SBOM.<\/li>\ninstall-skill<\/code>) \u2014 writes skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot so AI assistants can analyze scan output and generate prioritized fix plans.<\/li>\n<\/ul>\nbash
npm install -g cve-lite-cli\ncve-lite \/path\/to\/project<\/code><\/pre>\nbash
npx cve-lite-cli \/path\/to\/project<\/code><\/pre>\n