Sonatype OSS INDEX

Ready for More? Upgrade to Sonatype Guide for free

Keep the data you trust and unlock more with the Sonatype Guide's API and MCP server such as vulnerability info, version data, package licensing, and more.

Sign up for Guide today!

Get Access to:

  • OSS intelligence with integrated security insights and fix guidance
  • Vulnerability analysis and remediation recommendations
  • MCP server for AI-powered IDE workflows
  • OSS Index and Sonatype platform APIs
Register for free
Search for components Scan your dependencies

Search millions of components to find any known, publicly disclosed vulnerabilities across a wide range of ecosystems.

Search by name or by coordinates.

Ecosystems
Maven
npm
Go
PyPI
NuGet
RubyGems
Cargo
CocoaPods
Composer
Conan
Conda
CRAN
RPM
Swift

Scan your projects for open source vulnerabilities, and build security into your development toolchain with native tools and integrations. The following scan tools all utilize the OSS Index public REST API.

SCA Platforms

OWASP Dependency-Check is an SCA utility for scanning project dependencies Set up with your token
OWASP Dependency-Track is a component analysis platform Set up with your token
OSS Review Toolkit is a suite of tools to assist with reviewing dependencies Setup guide coming soon

Java / JVM

Maven plugin Setup guide coming soon
Gradle plugin Setup guide coming soon
Maven Enforcer rules Setup guide coming soon

JavaScript

AuditJS scans npm projects Set up with your token
VS Code plugin Setup guide coming soon

Go

Nancy scans Golang projects Setup guide coming soon

C/C++

Cheque scans C/C++ projects Setup guide coming soon

.NET

Audit.NET scans NuGet projects Setup guide coming soon
DevAudit is a cross-platform security auditing tool Setup guide coming soon

Python

ossaudit scans Python projects Setup guide coming soon
Jake scans Python and Conda projects Setup guide coming soon

PHP

Bach scans Composer projects Setup guide coming soon

Ruby

Chelsea scans RubyGem projects Setup guide coming soon

Rust

Cargo Pants scans Cargo projects Setup guide coming soon

R

oysteR scans R projects Setup guide coming soon

Other

Ahab scans apt and yum operating systems Setup guide coming soon

Need DevSecOps at scale?

OSS Index and the associated tools are and always will be free to the community. The data we gather is derived from public sources, and does not include human curated intelligence nor expert remediation guidance.

Software development teams who want to scale with precise, curated, and highly actionable intelligence across their entire SDLC should check out the Sonatype Platform. Release faster while controlling open source risk.

Sonatype Repository Firewall

Vet parts early and automatically stop defective open source components from entering your software supply chain

Learn More
Sonatype Nexus Repository

Manage libraries and store artifacts in a universal repository and share them across development teams

Learn More
Sonatype Lifecycle

Empower teams with precise component intelligence to enforce policies and continuously remediate risk

Learn More
Sonatype Lifecycle Foundation
sonatype
lifecycle
foundation

Identify open source risk and remediate vulnerabilities with precise component intelligence at CI and deployment

Learn More