Introduction

OPPSY is an open-source vulnerability management platform. It watches your project’s dependency lock files, continuously checks them against the OSV database, and notifies you whenever a vulnerability is found or updated. The goal is simple: keep your team informed about security issues in the libraries you depend on, without requiring manual effort.

Core concepts

There are three things you work with in OPPSY:

Workspace — a logical container for a project. Each workspace holds the dependency manifests you want to monitor and the notification channels that should receive alerts for that project.

Manifest — a dependency lock file uploaded into a workspace. OPPSY parses it, identifies every package it declares, and matches those packages against the OSV vulnerability database. You can upload as many manifests as you like into a single workspace — useful when a project spans multiple language ecosystems.

Notification channel — a configured destination that receives vulnerability alerts. A channel can be a webhook endpoint, a Discord channel, or an email address. Channels are created independently and then linked to one or more workspaces.

How it works

  1. Create a workspace for your project.
  2. Upload one or more dependency lock files into that workspace.
  3. Create a notification channel and link it to the workspace.
  4. OPPSY scans the manifests, matches packages against OSV, and delivers alerts to your channel.
  5. In the background, OPPSY keeps the OSV database in sync. When a new vulnerability is published or an existing one is updated, any affected workspaces are notified automatically.

Supported ecosystems

OPPSY can parse lock files from five package ecosystems. When creating a manifest you specify the manifest_type value that tells the backend which parser to use.

Ecosystem         manifest_type   Lock file
Rust              Cargo           Cargo.lock — generated automatically by Cargo on every build.
Node.js (npm)     Npm             package-lock.json — committed alongside package.json in npm projects.
Python (uv)       Uv              uv.lock — generated by the uv package manager.
Python (Poetry)   Poetry          poetry.lock — generated by Poetry.
Go                Go              JSON produced by running go list -m -json all | jq -s '.'. Unlike the others, this is not a committed file — you generate it on demand.
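As an added illustration (not OPPSY's own code), the Go program below parses the manifest shape that go list -m -json all | jq -s '.' produces, skips the main module, honours replace directives, and builds the per-package queries a matcher would send to OSV; all names are assumed, the query field names follow OSV's public querybatch API, and the manifest is constructed here.

```go
package main
import "encoding/json"

// goModule mirrors the `go list -m -json` fields that matter; others are ignored.
type goModule struct {
	Path    string    `json:"Path"`
	Version string    `json:"Version"`
	Main    bool      `json:"Main"`
	Replace *goModule `json:"Replace"`
}

// osvQuery is one entry of an OSV querybatch request body.
type osvQuery struct {
	Version string `json:"version"`
	Package struct {
		Name      string `json:"name"`
		Ecosystem string `json:"ecosystem"`
	} `json:"package"`
}

// manifestToQueries turns the `go list -m -json all | jq -s '.'` array into OSV
// queries. The main module has no version and is skipped; a replaced module is
// queried as its replacement (the code actually built); a directory replacement has no version and is skipped too.
func manifestToQueries(manifest []byte) ([]osvQuery, error) {
	var mods []goModule
	if err := json.Unmarshal(manifest, &mods); err != nil {
		return nil, err
	}
	var out []osvQuery
	for _, m := range mods {
		if m.Replace != nil {
			m = *m.Replace
		}
		if m.Main || m.Version == "" {
			continue
		}
		var q osvQuery
		q.Version, q.Package.Name, q.Package.Ecosystem = m.Version, m.Path, "Go"
		out = append(out, q)
	}
	return out, nil
}

// sampleManifest is a constructed example of the manifest shape, not real output.
const sampleManifest = `[
 {"Path":"example.com/my-service","Main":true},
 {"Path":"example.com/lib/alpha","Version":"v1.2.3","Indirect":true},
 {"Path":"example.com/lib/beta","Version":"v1.0.0","Replace":{"Path":"example.com/fork/beta","Version":"v1.0.1"}},
 {"Path":"example.com/tool","Version":"v0.1.0","Replace":{"Path":"../tool"}}
]`
```

Note that the replaced module is reported under its replacement path and version: that is the code actually compiled in, and a scan keyed on the original path would miss or misreport it.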

Manifest upload

A manifest is a dependency lock file attached to a workspace. Once uploaded, OPPSY parses it, identifies every package it declares, and runs a vulnerability scan against the OSV database.

Install oppsy-cli

Pre-built binaries for Linux, macOS, and Windows are available on the GitHub Releases page.

From source (requires Go 1.24+):

go install github.com/oppsy-dev/oppsy-dev/oppsy-cli@latest

Publish a manifest

oppsy-cli publish \
  --host-url     http://localhost:3030/api \
  --workspace-id <workspace-id> \
  --lockfile     ./Cargo.lock \
  --name         my-service \
  --tag          v0.1.0

Build and run OPPSY

Run Docker

docker run --name oppsy -p 3030:3030 -v oppsy-data:/data ghcr.io/oppsy-dev/oppsy:latest

Mount a volume at /data so the SQLite database persists across restarts. The service will be available at http://localhost:3030.

Build from source

Dagger runs the build pipelines inside containers — no local Rust or Node toolchain required beyond having the Dagger CLI installed.

First-time setup (generates SDK bindings and project files):

dagger develop

Builds the full image (Rust binary + frontend assets + Atlas migrations) and loads it directly into Docker:

dagger call oppsy-build --src=. export-image --name oppsy:latest

Then run it:

docker run -p 3030:3030 -v oppsy-data:/data oppsy:latest

API Reference

OPPSY API Reference