CyberSecurityNews

OWASP CVE Lite CLI – New Tool to Scan for Vulnerabilities in Your Projects


CVE Lite CLI is a free, open-source vulnerability scanner officially recognized as an OWASP Incubator Project, designed to bring dependency security directly into developers’ terminals rather than leaving it buried in CI pipelines.

Maintained by Sonu Kapoor and backed by the same organization behind the OWASP Top 10, the tool addresses a longstanding gap in developer security workflows: the absence of fast, actionable, local-first remediation guidance.

Most security scanners are built for pipelines, not people. Tools like Dependabot file pull requests that developers get to “eventually,” CI scanners block merges hours after code is reviewed, and security dashboards surface lists of CVE IDs with no clear path to resolution. The result is alert fatigue: developers learn to tune out the noise.

CVE Lite CLI takes a different approach: it runs at the moment just before a developer pushes code, producing a concrete remediation plan rather than just a list of vulnerability identifiers.

As OWASP noted, “the goal is to make dependency security part of the everyday developer workflow, not just a CI check or enterprise-only concern.”

CVE Lite CLI reads a project’s lockfile locally and queries the Open Source Vulnerabilities (OSV) database for advisory data. It supports all four major JavaScript package managers (npm, pnpm, Yarn, and Bun) and produces copy-and-run install commands scoped precisely to whichever one a project uses. Critically, nothing leaves the developer’s machine: no source code, no dependency tree, no credentials.

OWASP CVE Lite CLI Tool

The tool distinguishes between direct and transitive dependencies, a nuance most free scanners miss. For transitive findings, it goes further by identifying whether a simple npm update resolves the vulnerable child within the current version range, or whether the parent package itself needs a major upgrade.

  • Remediation-first output — every finding includes a validated, copy-and-run fix command, not just a CVE ID.
  • Usage-aware reachability (--usage) — static analysis detects whether vulnerable packages are actually imported in source code, cutting false-positive noise.
  • Offline advisory DB — sync ~217,065 advisory records in under 9 seconds for air-gapped or enterprise environments using cve-lite advisories sync.
  • Interactive HTML report (--report) — generates a self-contained dashboard with severity cards, a searchable findings table, and copy-ready commands.
  • Auto-fix mode (--fix) — applies validated direct dependency fixes using the detected package manager, then rescans automatically.
  • CI/CD integration — --fail-on high exits non-zero on threshold breaches; --sarif writes SARIF 2.1.0 output for GitHub Code Scanning; --cdx generates a CycloneDX 1.4 SBOM.
  • AI assistant integration (install-skill) — writes skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot so AI assistants can analyze scan output and generate prioritized fix plans.
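To make the direct-versus-transitive distinction and the --fail-on gate concrete, here is an added example (not CVE Lite CLI's own code) that runs the same classification over a constructed npm lockfile and a constructed advisory set: a finding is direct if the root manifest declares it, and a transitive finding is fixable by an in-range update only when every parent's declared range already admits the fixed version; otherwise the parent itself must be upgraded. Package names, versions, and advisories are all made up for the example, and only caret ranges and exact pins are understood (a real scanner uses a full semver library).

```javascript
// Added example, not CVE Lite CLI's code. Constructed lockfile in npm lockfileVersion 3 shape.
const LOCKFILE = {
  packages: {
    '': { dependencies: { 'web-auth': '^3.0.0', 'db-lite': '^0.6.0' } },
    'node_modules/web-auth': { version: '3.1.0', dependencies: { 'token-lib': '^0.1.0', 'log-fmt': '^1.2.0' } },
    'node_modules/token-lib': { version: '0.1.0' },
    'node_modules/log-fmt': { version: '1.2.3' },
    'node_modules/db-lite': { version: '0.6.11' },
  },
};
// Constructed advisories shaped like an OSV SEMVER range: every version below `fixed` is affected.
const ADVISORIES = [
  { pkg: 'token-lib', fixed: '0.2.0', severity: 'CRITICAL' },
  { pkg: 'db-lite', fixed: '0.7.0', severity: 'HIGH' },
  { pkg: 'log-fmt', fixed: '1.4.0', severity: 'MODERATE' },
];
const parse = v => v.replace(/^\^/, '').split('.').map(Number);
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// A caret range admits versions up to, but not including, the next bump of its leftmost non-zero part.
function satisfies(range, version) {
  if (!range.startsWith('^')) return cmp(range, version) === 0; // exact pin
  const [a, b, c] = parse(range);
  const upper = a > 0 ? `${a + 1}.0.0` : b > 0 ? `0.${b + 1}.0` : `0.0.${c + 1}`;
  return cmp(version, range) >= 0 && cmp(version, upper) < 0;
}
function classify(lock, advisories) {
  const pkgs = lock.packages, root = pkgs[''].dependencies;
  return advisories.flatMap(({ pkg, fixed, severity }) => {
    const entry = pkgs[`node_modules/${pkg}`];
    if (!entry || cmp(entry.version, fixed) >= 0) return []; // absent or already patched
    const base = { pkg, version: entry.version, severity };
    if (pkg in root) return [{ ...base, kind: 'direct', fix: `install ${pkg}@${fixed}` }];
    // Transitive: an in-range update only works if every parent's declared range admits the fix.
    const parents = Object.keys(pkgs).filter(k => k && pkgs[k].dependencies && pkg in pkgs[k].dependencies);
    const names = parents.map(k => k.replace('node_modules/', ''));
    const inRange = parents.every(k => satisfies(pkgs[k].dependencies[pkg], fixed));
    return [{ ...base, kind: 'transitive', parents: names,
              fix: inRange ? `update ${pkg}` : `upgrade parent ${names.join(', ')}` }];
  });
}
// --fail-on style gate: non-zero exit when any finding meets or exceeds the threshold.
const LEVELS = ['LOW', 'MODERATE', 'HIGH', 'CRITICAL'];
function exitCode(findings, threshold) {
  return findings.some(f => LEVELS.indexOf(f.severity) >= LEVELS.indexOf(threshold)) ? 1 : 0;
}
```

Running `classify(LOCKFILE, ADVISORIES)` reports `token-lib` as transitive with the parent needing an upgrade (its `^0.1.0` range cannot reach 0.2.0), `log-fmt` as transitive but resolvable by an in-range update, and `db-lite` as direct.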

The tool can be cloned from GitHub. Installation takes a single command with no account, no configuration, and no data leaving the machine:

```bash
npm install -g cve-lite-cli
cve-lite /path/to/project
```

Or as a one-off scan via npx:

```bash
npx cve-lite-cli /path/to/project
```

The attached scan output above illustrates a real-world result — 39 vulnerable packages detected across 1,620 parsed dependencies, with 3 critical findings including jsonwebtoken@0.1.0 (transitive, fix via express-jwt upgrade) and marsdb@0.6.11 (direct), alongside a prioritized top fix command ready to run immediately.

Being accepted as an OWASP Incubator Project means CVE Lite CLI has been peer-reviewed by security professionals and operates under vendor-neutral, community-driven governance.

The tool has been validated against real-world codebases, including OWASP Juice Shop, Visual Studio Code, NestJS, Ghost CMS, Gatsby, Storybook, and the Vercel AI SDK, and has documented scans with real findings, not demos.

CVE Lite CLI has a minimal runtime footprint of just four dependencies (yaml, yarn-lockfile, better-sqlite3, fflate), keeping it auditable and lightweight, a deliberate choice for a security-oriented tool.
