docs: document data sources and external services (#2457)

Ankitsinghsisodya · cuixq · web-flow · commit 8dec3449fee3 · 2026-01-14T11:04:22.000+11:00
## Overview **Issue:** #1433 This PR adds a "Data Sources and Privacy" section to the README documenting the external services OSV-Scanner communicates with during operation. Fixes #1433 ## Details Added documentation for: - **OSV.dev API** (`/v1/querybatch`, `/v1/determineversion`) - Vulnerability queries and vendored C/C++ detection - **deps.dev API** - License scanning, dependency resolution, and package deprecation - **Package Registries** - Maven Central and npm Registry for native resolution The section also clarifies that `--offline` mode disables network requests, and that no source code is transmitted. ## Testing - [x] Manual review of README formatting and content - [x] Verified documentation renders correctly ## Checklist - [x] I have signed the [Contributor License Agreement](https://cla.developers.google.com/). - [x] I have run the linter using [./scripts/run_lints.sh](cci:7://file:///Users/ankitsinghsisodya/osv-scanner/scripts/run_lints.sh:0:0-0:0). (N/A - docs only) - [x] I have run the unit tests using [./scripts/run_tests.sh](cci:7://file:///Users/ankitsinghsisodya/osv-scanner/scripts/run_tests.sh:0:0-0:0). (N/A - docs only) - [x] I have made my commits and PR title follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. --------- Co-authored-by: Xueqin Cui <72771658+cuixq@users.noreply.github.com>
diff --git a/README.md b/README.md
@@ -140,6 +140,35 @@ $ osv-scanner fix \
 
 <img src="https://google.github.io/osv-scanner/images/guided-remediation-relock-patches.png" alt="Screenshot of the interactive relock results screen with some relaxation patches selected">
 
+## Data Sources and Privacy
+
+OSV-Scanner communicates with the following external services during operation:
+
+### [OSV.dev API](https://osv.dev/)
+
+The primary data source for vulnerability information. OSV-Scanner queries this API to check packages for known vulnerabilities and to identify vendored C/C++ dependencies. Data sent includes package names, versions, ecosystems, and file hashes. Use [`--offline` mode](https://google.github.io/osv-scanner/usage/offline-mode/) to disable network requests and scan against a local database instead.
+
+### [deps.dev API](https://docs.deps.dev/api/)
+
+Used for supplementary package information:
+
+- **Dependency resolution**: Resolves dependency graphs for vulnerability scanning and remediation
+- **Container image scanning**: Queries container image metadata for vulnerability detection
+- **License scanning** (`--licenses` flag): Retrieves license information for packages
+- **Package deprecation**: Checks if packages are deprecated
+
+Data sent includes package names, versions, and ecosystems. No source code is transmitted.
+
+### Package Registries
+
+When using native registry for dependency resolution (instead of deps.dev), OSV-Scanner may query:
+
+| Registry      | URL                            | Used For                             |
+| ------------- | ------------------------------ | ------------------------------------ |
+| Maven Central | `repo.maven.apache.org/maven2` | Maven package metadata and POM files |
+| npm Registry  | `registry.npmjs.org`           | npm package metadata                 |
+| PyPI          | `pypi.org`                     | Python package metadata              |
+
 ## Contribute
 
 ### Report Problems
