Sonatype OSS INDEX

Find Safe Components

OSS Index is a free catalogue of open source components and scanning tools to help developers identify vulnerabilities, understand risk, and keep their software safe.

Sign up today!

Get access to:

  • Vulnerability details for your components
  • Remediation insights
  • Higher rate limits for API and scans
Register for free

Search millions of components to find any known, publicly disclosed vulnerabilities across a wide range of ecosystems.

Search by name or by coordinates.


Scan your projects for open source vulnerabilities, and build security into your development toolchain with native tools and integrations. The following scan tools all utilize the OSS Index public REST API.



  • Nancy scans Golang projects




  • ossaudit scans Python projects
  • Jake scans Python and Conda projects


  • Bach scans Composer projects





Identifying risk during development is critical, but what about the applications you’ve already built?

Run the Nexus Vulnerability scanner on any existing or legacy applications to understand everything they contain and get a complete Software Bill of Materials (SBOM).

Need DevSecOps at scale?

OSS Index and the associated tools are and always will be free to the community. The data we gather is derived from public sources, and does not include human curated intelligence nor expert remediation guidance.

Software development teams who want to scale this information, and automate open source governance with precise, curated, and highly actionable intelligence across their entire SDLC should check out the Nexus Platform. Release faster while controlling open source risk.

Nexus Firewall

Vet parts early and automatically stop defective open source components from entering your software supply chain

Nexus Repository

Manage libraries and store artifacts in a universal repository and share them across development teams

Nexus Lifecycle

Empower teams with precise component intelligence to enforce policies and continuously remediate risk

Nexus Lifecycle Foundation

Identify open source risk and remediate vulnerabilities with precise component intelligence at CI and deployment