google · Ly-Joey · Dec 30, 2025 · Dec 29, 2025 · Dec 29, 2025 · Dec 29, 2025
diff --git a/cmd/osv-scanner/scan/image/command.go b/cmd/osv-scanner/scan/image/command.go
@@ -13,6 +13,7 @@ import (
 
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/helper"
 	"github.com/google/osv-scanner/v2/internal/cmdlogger"
+	"github.com/google/osv-scanner/v2/internal/version"
 	"github.com/google/osv-scanner/v2/pkg/models"
 	"github.com/google/osv-scanner/v2/pkg/osvscanner"
 	"github.com/urfave/cli/v3"
@@ -76,7 +77,7 @@ func action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, clien
 	scannerAction.Image = cmd.Args().First()
 	scannerAction.IsImageArchive = cmd.Bool("archive")
 	scannerAction.ExperimentalScannerActions = helper.GetExperimentalScannerActions(cmd, client)
-
+	scannerAction.RequestUserAgent = "osv-scanner_scan-image/" + version.OSVVersion
 	var vulnResult models.VulnerabilityResults
 	//nolint:contextcheck // passing the context in would be a breaking change
 	vulnResult, err = osvscanner.DoContainerScan(scannerAction)

diff --git a/cmd/osv-scanner/scan/source/command.go b/cmd/osv-scanner/scan/source/command.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/helper"
 	"github.com/google/osv-scanner/v2/internal/cmdlogger"
+	"github.com/google/osv-scanner/v2/internal/version"
 	"github.com/google/osv-scanner/v2/pkg/models"
 	"github.com/google/osv-scanner/v2/pkg/osvscanner"
 	"github.com/urfave/cli/v3"
@@ -107,6 +108,7 @@ func action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, clien
 	}
 
 	experimentalScannerActions := helper.GetExperimentalScannerActions(cmd, client)
+	experimentalScannerActions.RequestUserAgent = "osv-scanner_scan-source/" + version.OSVVersion
 	// Add `source` specific experimental configs
 	experimentalScannerActions.TransitiveScanningActions = osvscanner.TransitiveScanningActions{
 		Disabled:         cmd.Bool("no-resolve"),

diff --git a/docs/index.md b/docs/index.md
@@ -15,7 +15,14 @@ nav_order: 1
 
 Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies.
 
-OSV-Scanner provides an officially supported frontend to the [OSV database](https://osv.dev/) that connects a project’s list of dependencies with the vulnerabilities that affect them. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:
+OSV-Scanner provides an officially supported frontend to the [OSV database](https://osv.dev/) that connects a project’s list of dependencies with the vulnerabilities that affect them.
+
+You can use OSV-scanner in two ways:
+
+1. **As a CLI tool:** Run directly in a terminal or CI/CD pipeline to scan projects. See the [Installation Guide](./installation.md) to get started.
+2. **As a Go library:** Import the [Go package](https://pkg.go.dev/github.com/google/osv-scanner/v2/pkg/osvscanner) to integrate vulnerability scanning logic into Go applications.
+
+Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:
 
 - Each advisory comes from an open and authoritative source (e.g. the [RustSec Advisory Database](https://github.com/rustsec/advisory-db))
 - Anyone can suggest improvements to advisories, resulting in a very high quality database

diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
@@ -35,7 +35,6 @@ import (
 	"github.com/google/osv-scanner/v2/internal/imodels"
 	"github.com/google/osv-scanner/v2/internal/imodels/results"
 	"github.com/google/osv-scanner/v2/internal/output"
-	"github.com/google/osv-scanner/v2/internal/version"
 	"github.com/google/osv-scanner/v2/pkg/models"
 	"github.com/google/osv-scanner/v2/pkg/osvscanner/internal/imagehelpers"
 	"github.com/ossf/osv-schema/bindings/go/osvconstants"
@@ -86,6 +85,9 @@ type ExperimentalScannerActions struct {
 
 	// Report deprecated packages as findings
 	FlagDeprecatedPackages bool
+
+	// Allows specifying user agent
+	RequestUserAgent string
 }
 
 type TransitiveScanningActions struct {
@@ -128,13 +130,18 @@ func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, err
 	}
 	var err error
 
+	userAgent := "osv-scanner-api"
+	if actions.RequestUserAgent != "" {
+		userAgent = actions.RequestUserAgent
+	}
+
 	// Offline Mode
 	// ------------
 	if actions.CompareOffline {
 		// --- Vulnerability Matcher ---
 		externalAccessors.VulnMatcher, err =
 			localmatcher.NewLocalMatcher(actions.LocalDBPath,
-				"osv-scanner_scan/"+version.OSVVersion, actions.DownloadDatabases)
+				userAgent, actions.DownloadDatabases)
 		if err != nil {
 			return ExternalAccessors{}, err
 		}
@@ -145,11 +152,11 @@ func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, err
 	// Online Mode
 	// -----------
 	// --- Vulnerability Matcher ---
-	externalAccessors.VulnMatcher = osvmatcher.New(5*time.Minute, "osv-scanner_scan/"+version.OSVVersion, actions.HTTPClient)
+	externalAccessors.VulnMatcher = osvmatcher.New(5*time.Minute, userAgent, actions.HTTPClient)
 
 	// --- License Matcher ---
 	if len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary {
-		depsDevAPIClient, err := datasource.NewCachedInsightsClient(depsdev.DepsdevAPI, "osv-scanner_scan/"+version.OSVVersion)
+		depsDevAPIClient, err := datasource.NewCachedInsightsClient(depsdev.DepsdevAPI, userAgent)
 		if err != nil {
 			return ExternalAccessors{}, err
 		}
@@ -162,6 +169,7 @@ func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, err
 	// --- OSV.dev Client ---
 	// We create a separate client from VulnMatcher to keep things clean.
 	externalAccessors.OSVDevClient = osvdev.DefaultClient()
+	externalAccessors.OSVDevClient.Config.UserAgent = userAgent
 
 	// --- No Transitive Scanning ---
 	if actions.Disabled {
@@ -179,7 +187,7 @@ func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, err
 	}
 
 	if !actions.NativeDataSource {
-		externalAccessors.DependencyClients[osvconstants.EcosystemMaven], err = resolution.NewDepsDevClient(depsdev.DepsdevAPI, "osv-scanner_scan/"+version.OSVVersion)
+		externalAccessors.DependencyClients[osvconstants.EcosystemMaven], err = resolution.NewDepsDevClient(depsdev.DepsdevAPI, userAgent)
 	} else {
 		externalAccessors.DependencyClients[osvconstants.EcosystemMaven], err = resolution.NewMavenRegistryClient(ctx, actions.MavenRegistry, "", false)
 	}