Free, open-source vulnerability scanning and reporting for GitHub repositories.
VISaR (Vulnerability Identification, Scanning and Reporting) is a free, open-source Python tool that automatically scans GitHub repositories for known vulnerabilities and generates detailed, actionable reports. Output is available in CSV, JSON, or as a self-contained interactive HTML dashboard, making it easy to review, share, and act on findings.
VISaR uses best-in-class open-source components: the OSSF Scorecard for vulnerability identification and the OSV Database for vulnerability enrichment (severity, description, and aliases).
Figure 1: Interactive HTML Dashboard
Who is VISaR for?
VISaR is built first for data engineers and data-platform teams who must rigorously evaluate open-source software before bringing it into their environment — particularly in regulated domains such as defence, aviation, and healthcare, where software ingestion carries compliance and audit obligations.
- Data Engineers & data-platform teams: Evaluate open-source libraries and frameworks before adding them to an approved-software list or integrating them into your platform.
- Software Engineers: Assess your own codebase for known vulnerabilities before a release or production deployment.
Individual developers and hobbyists are welcome too — VISaR is free and open source, and works just as well for vetting a single project or code sourced from the community or AI assistants.
# 1. Clone and install
git clone https://github.com/AtLongLastAnalytics/visar.git && cd visar
uv sync
# 2. Add your GitHub token
cp .env.example .env # then paste your token into .env
# 3. Scan a repo (writes CSV to data/)
uv run visar https://github.com/owner/repo
# 4. Build the interactive HTML dashboard from your scans
uv run visar-dashboard # writes data/visar_dashboard.htmlFull prerequisites, options, and batch scanning in Section 1.
Prerequisites & system requirements
To use VISaR, ensure you have the following installed and configured:
-
uv — Python package and environment manager. uv will automatically download Python 3.12+ if needed.
-
Docker Desktop — required to run the OSSF Scorecard container.
-
The OSSF Scorecard Docker image, pulled locally:
docker pull gcr.io/openssf/scorecard:stable -
A classic GitHub personal access token (Settings > Developer Settings > Personal access tokens > Tokens (classic)) with the
public_reposcope. This is stored in a.envfile at the project root (never committed to version control). Thepublic_reposcope grants read-only API access for authenticated rate limiting — it does not allow VISaR to modify, write to, or delete any repository.
System requirements
- Python 3.12+ (managed automatically by uv)
- Docker Desktop with at least 2 GB of available memory
- Network access to the GitHub API (
api.github.com) and the OSV API (api.osv.dev) - Approximately 1 GB of free disk space for the OSSF Scorecard Docker image
Scan duration: A typical scan takes 2–5 minutes per repository, depending on repo size and network speed. Batch scans run sequentially, so plan accordingly.
Install uv (skip if already installed)
Windows (PowerShell):
powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
Mac / Linux:
curl -LsSf https://astral.sh/uv/install.sh | sh
Step-by-step instructions
-
Clone this repository.
-
Create a
.envfile in the root directory and add your GitHub token:VISAR_AUTH_TOKEN = "<your-github-personal-access-token>"A
.env.exampletemplate is included at the project root for reference. -
From the root directory, install dependencies. This creates
.venvand installs everything frompyproject.tomlin one step:uv sync -
From the root directory, run the test suite to verify everything is working:
uv run python -m unittest discover -s testsAll tests should pass. If any fail, check the error message and ensure Docker Desktop is running and the OSSF Scorecard image has been pulled.
-
Run the application from the project root.
uv syncinstalls VISaR's two console commands,visar(scan) andvisar-dashboard(HTML report), so there is no need to change directories or use Python's-mmodule flag:Single repository scan (default CSV output):
uv run visar <full-github-repo-url>Single repository scan with JSON output:
uv run visar <full-github-repo-url> --output-format jsonBatch scan — scan multiple repositories from a text file:
uv run visar --batch repos.txt uv run visar --batch repos.txt --output-format jsonThe batch file should contain one GitHub repository URL per line. Lines starting with
#and blank lines are ignored. Arepos.txt.examplefile is provided as a template — copy it torepos.txtand replace the contents with your own repos (repos.txtis gitignored).Generate an HTML dashboard from all scan outputs in a directory:
uv run visar-dashboardOr point to a specific data directory:
uv run visar-dashboard <path-to-data-dir>Want to see the dashboard before running your own scan? Point it at the bundled example datasets in
examples/:uv run visar-dashboard examplesPrefer module form? The package can still be launched directly with
uv run python -m visar.main/uv run python -m visar.dashboardfrom thesrc/directory.The dashboard is an ad-hoc step — run scans as many times as needed first, then generate the HTML report when you are ready to review. A single self-contained
visar_dashboard.htmlis written to the chosen directory (data/by default), embedding all scan datasets. Real scans live indata/; the bundled example datasets live inexamples/, so they never get mixed into a dashboard of your real findings. Use the dropdown to switch between scans, the date filter to narrow by scan date, and the severity pills to focus on the most critical findings. Rows can be expanded to read the full vulnerability detail.
Output
The output file generated by a successful run is placed in the data/ directory. The default CSV format is ready to open in Microsoft Excel or any spreadsheet tool — see Figure 2. The key columns for decision-making are Severity and Details, which together describe each finding.
Figure 2: Example VISaR Output (CSV)
Running with --output-format json produces the same findings as an array of objects with identical fields (VulnerabilityID, Severity, Details) — convenient for piping into other tooling:
[
{
"VulnerabilityID": "GHSA-0000-1111-aaaa",
"Severity": "CRITICAL",
"Details": "Remote code execution via deserialization of untrusted data. An attacker who controls input to the load() function can execute arbitrary Python code on the host system."
},
{
"VulnerabilityID": "GHSA-0000-6666-ffff",
"Severity": "NOT AVAILABLE",
"Details": "Dependency flagged by the scanner but severity data is not yet available in the OSV database. Monitor the OSV entry for updates."
}
]Example logs for a successful run and a failed run are provided in the logs directory. Example scan output files (CSV and JSON) are provided in the examples directory; these show the format a real scan produces and can be used to generate a dashboard without running a full scan.
CLI reference
| Argument | Type | Default | Description |
|---|---|---|---|
repo_url |
positional | — | Full GitHub repository URL. Required unless --batch is used. |
--batch FILE |
optional | — | Path to a text file containing one URL per line. Use instead of repo_url. |
--output-format FORMAT |
optional | csv |
Output format: csv or json. |
-h / --help |
flag | — | Display help message and exit. |
Exit codes: 0 — completed successfully (including when no vulnerabilities are found). 1 — scan failed; see the logs/ directory for details.
The user provides a GitHub repository URL to VISaR, which automatically performs a vulnerability scan, queries the OSV API to enrich findings, and writes a structured report in the chosen format.
How VISaR works:
The workflow below aligns with the architecture diagram shown in Figure 3.
- OSSF Scorecard scans the repository and generates a summary file.
- A second OSSF Scorecard scan generates a file of known vulnerabilities (saved temporarily).
- A list of vulnerability IDs is extracted from the temporary file.
- Vulnerability IDs are sent to the OSV API to retrieve severity ratings and plain-text descriptions.
- Key vulnerability information is extracted from the API response.
- The vulnerability IDs, severity, and descriptions are compiled into a structured report (CSV or JSON, depending on the
--output-formatflag).
Figure 3: VISaR Architecture Diagram
Project structure
The VISaR codebase follows a standard src/ layout.
-
The application code is the
visarpackage insrc/visar/.main.pyis the scan entry point (exposed as thevisarcommand) anddashboard.pyis the HTML report entry point (exposed as thevisar-dashboardcommand). Both console scripts are declared under[project.scripts]inpyproject.toml. -
The
helpers/package is a collection of modules, each containing a logical grouping of functions used in the main pipeline.dashboard_funcs.pyhandles all HTML generation and is intentionally separate from the scan pipeline. -
Each module in
helpers/has an associated test file intests/. Within each test script, all tests for a given function are grouped into their own class. We aim for close to 100% test coverage. -
Run details are captured in a
.logfile in thelogs/directory. If a run fails, this is the first place to look. -
The
data/directory contains scan output files, named by date and repository (e.g.20260320-owner-repo_vulnids.csv). The suffix depends on the chosen format:_vulnids.csv(default) or_vulnids.json. Runningpython -m visar.dashboardwrites a singlevisar_dashboard.htmlto this directory, embedding all scan datasets. Its contents are gitignored (a.gitkeeppreserves the empty folder on a fresh clone) so your real findings are never committed. -
The
examples/directory holds the bundled example datasets (example-owner-repo_vulnids.csv/.json). These are kept separate fromdata/so they never get mixed into a dashboard of real scan results; pointpython -m visar.dashboardat this folder to preview the report without running a scan. -
Project dependencies are declared in
pyproject.tomlat the root. Runninguv synccreates.venvand installs everything. Thescripts/directory containssetup.ps1(Windows) andsetup.sh(Mac/Linux) as convenience wrappers arounduv sync.
- GitHub only: VISaR currently supports public GitHub repositories. GitLab and Bitbucket support is planned — see the roadmap.
- Public repos only: Private repository scanning is not yet supported.
- Docker required: Docker Desktop must be running before executing a scan.
- Sequential batch scans: Repositories in
repos.txtare scanned one at a time; large batches will take proportionally longer.
- Roadmap — planned features and future direction: docs/ROADMAP.md
- Changelog — version history: docs/CHANGELOG.md
- Contributing — contributions are welcome. Please read .github/CONTRIBUTING.md (code style, linting, testing) before opening a PR; contributions are licensed under Apache-2.0.
- Security — to report a vulnerability, see .github/SECURITY.md.
- License — VISaR is free and open-source under the Apache-2.0 License.



