# OSV Package Vulnerability Monitor (`orbiscribe/osv-package-vulnerability-monitor`) Actor

Monitor package vulnerability records from OSV.dev for npm, PyPI, Go, Maven, crates.io, RubyGems, and SBOM-derived package lists.

- **URL**: https://apify.com/orbiscribe/osv-package-vulnerability-monitor.md
- **Developed by:** [Orbiscribe Labs](https://apify.com/orbiscribe) (community)
- **Categories:** Developer tools, Automation, Business
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks
- **User rating**: No ratings yet

## Pricing

$3.00 / 1,000 OSV package vulnerability matches

This Actor is paid per event. You are not charged for Apify platform usage; you pay only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use the official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use the official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# macOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## OSV Package Vulnerability Monitor

Monitor package watchlists against OSV.dev and get structured vulnerability
records for remediation, SBOM review, and dependency-risk workflows.

This Actor is for security teams, MSPs, developer-platform teams, and software
agencies that need to check public package names from lockfiles, SBOM exports,
or customer inventories. It supports OSV ecosystems such as npm, PyPI, Go,
Maven, crates.io, and RubyGems.

### What It Does

- Checks package names and optional versions against the public OSV API
- Emits vulnerability IDs, CVE aliases, summaries, affected ranges, and fixed
  versions
- Marks records as new, modified, or unchanged across scheduled runs
- Produces dataset rows, high-priority exports, a buyer brief, and Slack-ready
  alerts
- Works without credentials

### Input

```json
{
  "packages": [
    { "name": "lodash", "ecosystem": "npm" },
    { "name": "django", "ecosystem": "PyPI" },
    { "name": "org.apache.logging.log4j:log4j-core", "ecosystem": "Maven" }
  ],
  "maxVulnerabilitiesPerPackage": 5,
  "compareToPreviousRun": true,
  "dryRun": false
}
````

### Output

Each row includes package, ecosystem, optional version, OSV ID, aliases,
priority, summary, affected ranges, fixed versions, references, source URL, and
change state.

```json
{
  "recordType": "osv_package_vulnerability_match",
  "packageName": "lodash",
  "ecosystem": "npm",
  "vulnerabilityId": "GHSA-29mw-wpgm-hmr9",
  "aliases": ["CVE-2020-28500"],
  "changeType": "new_vulnerability",
  "priority": "high",
  "fixedVersions": ["4.17.21"],
  "sourceUrl": "https://osv.dev/vulnerability/GHSA-29mw-wpgm-hmr9"
}
```

### Why Use This

Generic CVE feeds are awkward when the input you actually have is a package
list. This Actor uses package-first OSV lookups and returns fixed-version hints
that are easier to route into dependency remediation workflows.

### Pricing

Recommended Apify pricing is pay per event:

- `osv-vulnerability-match`: `$0.003` per emitted vulnerability record
- Dry runs are free
- Free-plan users get the first 25 live records without this Actor's custom
  event charge

### Compliance Notes

This Actor uses public OSV.dev data. Results should be verified against your
lockfiles, SBOMs, deployed versions, vendor advisories, and internal
remediation policy.
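
One way to do the lockfile check described above, as an added example (not the Actor's own code): it compares each row's `fixedVersions` with the version you actually pin and sorts rows into upgrade, already fixed, and manual review. The `EXAMPLE-*` IDs, their fixed versions, the pinned versions, the package `example-unpinned-pkg`, and the status names are all constructed for illustration.

```python
import re

# Constructed rows in the shape of the Output section. Only the lodash row
# copies values from the page; everything tagged EXAMPLE-* is made up.
ROWS = [
    {"packageName": "lodash", "ecosystem": "npm",
     "vulnerabilityId": "GHSA-29mw-wpgm-hmr9", "fixedVersions": ["4.17.21"]},
    {"packageName": "django", "ecosystem": "PyPI",
     "vulnerabilityId": "EXAMPLE-0001", "fixedVersions": ["3.2.25", "4.2.11"]},
    {"packageName": "django", "ecosystem": "PyPI",
     "vulnerabilityId": "EXAMPLE-0002", "fixedVersions": ["3.2.20"]},
    {"packageName": "org.apache.logging.log4j:log4j-core", "ecosystem": "Maven",
     "vulnerabilityId": "EXAMPLE-0003", "fixedVersions": []},
    {"packageName": "example-unpinned-pkg", "ecosystem": "npm",
     "vulnerabilityId": "EXAMPLE-0004", "fixedVersions": ["1.0.1"]},
]

# Constructed pins, as they would be read from lockfiles or an SBOM export.
PINNED = {
    ("npm", "lodash"): "4.17.20",
    ("PyPI", "Django"): "4.1.7",
    ("Maven", "org.apache.logging.log4j:log4j-core"): "2.17.1",
}


def pin_key(ecosystem, name):
    """PyPI names compare case-insensitively with -, _ and . folded (PEP 503)."""
    if ecosystem == "PyPI":
        name = re.sub(r"[-_.]+", "-", name).lower()
    return (ecosystem, name)


def parse_version(text):
    """Parse dotted numeric versions only; anything else returns None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text or ""):
        return None
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # so "4.17" and "4.17.0" compare equal
    return tuple(parts)


def classify(row, pins):
    """Conservative status for one row; pins must be keyed via pin_key()."""
    pinned_text = pins.get(pin_key(row["ecosystem"], row["packageName"]))
    if pinned_text is None:
        return "not_in_inventory"
    pinned = parse_version(pinned_text)
    fixed = [parse_version(v) for v in row.get("fixedVersions", [])]
    if pinned is None or not fixed or None in fixed:
        return "manual_review"      # pre-release pin, or no usable fix listed
    if pinned >= max(fixed):
        return "at_or_past_fix"     # past the fix on every release line
    if pinned < min(fixed):
        return "upgrade"            # below every fix (may predate the bug)
    return "manual_review"          # between fixes: depends on the branch


def triage(rows, pins):
    """Group vulnerability IDs by status, preserving row order."""
    pins = {pin_key(eco, name): ver for (eco, name), ver in pins.items()}
    result = {}
    for row in rows:
        result.setdefault(classify(row, pins), []).append(row["vulnerabilityId"])
    return result


if __name__ == "__main__":
    for status, ids in triage(ROWS, PINNED).items():
        print(status, ids)
```

Rows that land in `manual_review` are the ones where the fixed-version list alone cannot decide; check them against the row's affected ranges or the vendor advisory.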

# Actor input Schema

## `packages` (type: `array`):

Package watchlist with name, ecosystem, and optional version. Supports OSV ecosystems such as npm, PyPI, Go, Maven, crates.io, and RubyGems.

## `maxVulnerabilitiesPerPackage` (type: `integer`):

Maximum OSV records to emit for each package.

## `includeWithdrawn` (type: `boolean`):

Emit withdrawn OSV records. Usually leave this off for active remediation queues.

## `includeUnchanged` (type: `boolean`):

Emit unchanged package vulnerability rows. Usually leave this off for scheduled alerting workflows.

## `compareToPreviousRun` (type: `boolean`):

Store OSV signatures and mark new, modified, or unchanged vulnerabilities on later scheduled runs.

## `snapshotStoreName` (type: `string`):

Key-value store name for previous OSV vulnerability signatures.

## `dryRun` (type: `boolean`):

Emit deterministic demo records without calling OSV or charging custom pay-per-event events.

## Actor input object example

```json
{
  "packages": [
    {
      "name": "lodash",
      "ecosystem": "npm"
    },
    {
      "name": "django",
      "ecosystem": "PyPI"
    },
    {
      "name": "org.apache.logging.log4j:log4j-core",
      "ecosystem": "Maven"
    }
  ],
  "maxVulnerabilitiesPerPackage": 25,
  "includeWithdrawn": false,
  "includeUnchanged": false,
  "compareToPreviousRun": true,
  "snapshotStoreName": "osv-package-vulnerability-monitor-snapshots",
  "dryRun": true
}
```
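
A sketch of how signature-based change tracking such as `compareToPreviousRun`, `includeUnchanged` and `includeWithdrawn` can work, added here as an illustration and not taken from the Actor's implementation. The choice of hashed fields, the snapshot key format, the `modified_vulnerability` and `unchanged` labels, and the sample records (other than the lodash ID, alias and fixed version shown on this page) are assumptions.

```python
import hashlib
import json


def fixed_versions(record):
    """Collect every `fixed` event from an OSV record's affected ranges."""
    return sorted({
        event["fixed"]
        for affected in record.get("affected", [])
        for rng in affected.get("ranges", [])
        for event in rng.get("events", [])
        if "fixed" in event
    })


def signature(record):
    """Hash only remediation-relevant fields, so a bumped `modified`
    timestamp with no content change does not re-alert (a design choice)."""
    material = {
        "aliases": sorted(record.get("aliases", [])),
        "fixed": fixed_versions(record),
        "summary": record.get("summary", ""),
        "withdrawn": bool(record.get("withdrawn")),
    }
    blob = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def diff_run(previous, matches, include_unchanged=False, include_withdrawn=False):
    """`previous` maps key -> signature from the last run.
    Returns (rows to emit, snapshot to store for the next run)."""
    rows, snapshot = [], {}
    for package, record in matches:
        if record.get("withdrawn") and not include_withdrawn:
            continue
        # JSON-encoded key: Go and Maven names contain "/" and ":" themselves.
        key = json.dumps([package["ecosystem"], package["name"], record["id"]])
        snapshot[key] = signature(record)  # stored even when not emitted
        if key not in previous:
            change = "new_vulnerability"        # value shown on this page
        elif previous[key] != snapshot[key]:
            change = "modified_vulnerability"   # assumed label
        else:
            change = "unchanged"                # assumed label
        if change != "unchanged" or include_unchanged:
            rows.append({"vulnerabilityId": record["id"], "changeType": change})
    return rows, snapshot


def osv(vuln_id, modified, fixed, **extra):
    """Build a constructed record in OSV schema shape."""
    events = [{"introduced": "0"}] + [{"fixed": v} for v in fixed]
    return {"id": vuln_id, "modified": modified, "summary": "constructed",
            "affected": [{"ranges": [{"type": "ECOSYSTEM", "events": events}]}],
            **extra}


def demo():
    """Two scheduled runs over constructed data; returns both row lists."""
    lodash = {"name": "lodash", "ecosystem": "npm"}
    django = {"name": "django", "ecosystem": "PyPI"}
    gone = osv("EXAMPLE-0002", "2024-01-01T00:00:00Z", ["4.2.11"],
               withdrawn="2024-02-01T00:00:00Z")
    run1 = [
        (lodash, osv("GHSA-29mw-wpgm-hmr9", "2024-01-01T00:00:00Z",
                     ["4.17.21"], aliases=["CVE-2020-28500"])),
        (django, osv("EXAMPLE-0001", "2024-01-01T00:00:00Z", [])),
        (django, gone),
    ]
    run2 = [
        (lodash, osv("GHSA-29mw-wpgm-hmr9", "2024-03-01T00:00:00Z",
                     ["4.17.21"], aliases=["CVE-2020-28500"])),  # timestamp only
        (django, osv("EXAMPLE-0001", "2024-03-01T00:00:00Z", ["4.2.11"])),  # fix added
        (django, gone),
    ]
    rows1, snapshot = diff_run({}, run1)
    rows2, _ = diff_run(snapshot, run2)
    return rows1, rows2


if __name__ == "__main__":
    for rows in demo():
        print(rows)
```

On the first run everything that is not withdrawn is new; on the second, only the record that gained a fixed version is emitted, which is what keeps a scheduled alerting queue quiet.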

# Actor output Schema

## `results` (type: `string`):

No description

## `osvExport` (type: `string`):

No description

## `highPriorityOnly` (type: `string`):

No description

## `buyerBrief` (type: `string`):

No description

## `runSummary` (type: `string`):

No description

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {};

// Run the Actor and wait for it to finish
const run = await client.actor("orbiscribe/osv-package-vulnerability-monitor").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {}

# Run the Actor and wait for it to finish
run = client.actor("orbiscribe/osv-package-vulnerability-monitor").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{}' |
apify call orbiscribe/osv-package-vulnerability-monitor --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=orbiscribe/osv-package-vulnerability-monitor",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "OSV Package Vulnerability Monitor",
        "description": "Monitor package vulnerability records from OSV.dev for npm, PyPI, Go, Maven, crates.io, RubyGems, and SBOM-derived package lists.",
        "version": "0.1",
        "x-build-id": "oRO6nK53jLihF5oG1"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/orbiscribe~osv-package-vulnerability-monitor/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-orbiscribe-osv-package-vulnerability-monitor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/orbiscribe~osv-package-vulnerability-monitor/runs": {
            "post": {
                "operationId": "runs-sync-orbiscribe-osv-package-vulnerability-monitor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/orbiscribe~osv-package-vulnerability-monitor/run-sync": {
            "post": {
                "operationId": "run-sync-orbiscribe-osv-package-vulnerability-monitor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "packages": {
                        "title": "Packages",
                        "type": "array",
                        "description": "Package watchlist with name, ecosystem, and optional version. Supports OSV ecosystems such as npm, PyPI, Go, Maven, crates.io, and RubyGems.",
                        "default": [
                            {
                                "name": "lodash",
                                "ecosystem": "npm"
                            },
                            {
                                "name": "django",
                                "ecosystem": "PyPI"
                            },
                            {
                                "name": "org.apache.logging.log4j:log4j-core",
                                "ecosystem": "Maven"
                            }
                        ]
                    },
                    "maxVulnerabilitiesPerPackage": {
                        "title": "Max vulnerabilities per package",
                        "minimum": 1,
                        "maximum": 100,
                        "type": "integer",
                        "description": "Maximum OSV records to emit for each package.",
                        "default": 25
                    },
                    "includeWithdrawn": {
                        "title": "Include withdrawn",
                        "type": "boolean",
                        "description": "Emit withdrawn OSV records. Usually leave this off for active remediation queues.",
                        "default": false
                    },
                    "includeUnchanged": {
                        "title": "Include unchanged",
                        "type": "boolean",
                        "description": "Emit unchanged package vulnerability rows. Usually leave this off for scheduled alerting workflows.",
                        "default": false
                    },
                    "compareToPreviousRun": {
                        "title": "Compare to previous run",
                        "type": "boolean",
                        "description": "Store OSV signatures and mark new, modified, or unchanged vulnerabilities on later scheduled runs.",
                        "default": true
                    },
                    "snapshotStoreName": {
                        "title": "Snapshot store name",
                        "type": "string",
                        "description": "Key-value store name for previous OSV vulnerability signatures.",
                        "default": "osv-package-vulnerability-monitor-snapshots"
                    },
                    "dryRun": {
                        "title": "Dry run",
                        "type": "boolean",
                        "description": "Emit deterministic demo records without calling OSV or charging custom pay-per-event events.",
                        "default": true
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
