
Drupal advisories now available in OSV format

Drupal security advisories are now being ingested into osv.dev as part of the Packagist ecosystem, so tools like OSV-Scanner can flag known vulnerabilities in Drupal projects alongside everything else they already scan.

This move, led by Ackama in collaboration with the OSV team and the Drupal Security Team, brings Drupal in line with other major ecosystems already covered by OSV, such as Python, Rust, npm, and Ubuntu. Security tools like OSV-Scanner can now surface Drupal vulnerabilities just as they already do for thousands of other packages.

It’s a technical milestone, one that opens up benefits for the broader Drupal and open-source community.

Why this needed to happen

Drupal has long treated security as a core responsibility. It established a dedicated security team and a mature process for disclosing and publishing advisories early on, and it built tooling such as the core update status checker that alerts site owners to vulnerable modules.

These tools have worked well for Drupalists and for teams using Composer, but they are platform-specific: the advisory data lives in Drupal's own formats and channels, which makes it hard to scale security workflows beyond a single site, especially at enterprise level where Drupal is one technology among many.

Publishing the advisories in the OSV format solves this. OSV (Open Source Vulnerabilities) is a standardized, machine-readable JSON schema for describing a vulnerability, the package it affects, and the affected version ranges in a way that works across ecosystems. It powers services like osv.dev, is the format GitHub's advisory database exports, and underpins integrations across Google's open source security efforts.

But until now, Drupal was not part of that ecosystem. The community saw the gap and decided to help close it. Ackama was well placed to help, given its existing relationship with the OSV team; we have previously written about our work on OSV-Scanner.


Screenshot: OSV-Scanner output

Screenshot: an Acquia Content Hub vulnerability

The path to production

Earlier this year, Ackama created the Drupal advisory database, an open-source project that pulls in Drupal security advisories and republishes them in OSV format. What started as a proof of concept quickly evolved into a full production pipeline.

The database:

  • Tracks advisories for Drupal core and contributed projects;
  • Converts each advisory into an OSV-compliant entry with the Packagist package name, the affected version ranges, and details of the fixed release;
  • Updates automatically through CI pipelines;
  • Is already in use at Ackama through osv-detector.

After several months of refinement and staging with the OSV team, the database was officially transferred to the Drupal Security Team and is now being ingested into the production osv.dev platform.

“I see OSV format as being really helpful to large enterprises where Drupal is part of a mix of many different technologies. The SOC or CISO’s office or a compliance auditor can run one tool and identify problems in all the repositories. Currently they’d have to use a patchwork of different tools or manual processes to get complete information about Drupal sites.”

Greg Knaddison, Drupal security team

What changes today

With the database being ingested into production, developers can now scan their projects with tools like Google's OSV-Scanner and get results that include Drupal vulnerabilities: the scanner reads the package names and versions from composer.lock and matches them against the Packagist advisories on osv.dev.

Security platforms and CI pipelines that already support OSV can now use Drupal data the same way they use data from Python or Rust or npm. This helps reduce manual triage, shortens response times, and makes it easier to keep Drupal projects secure.
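To make concrete what "OSV-compliant entries with package name and affected versions" means, and what a scanner does with them, here is a small matcher written for this article. It is an added example, not code from the Drupal advisory database, osv.dev or OSV-Scanner. The advisory (ID `EXAMPLE-2024-0001`, package `drupal/example_module`, its versions and summary) and the composer.lock fragment are constructed for illustration and describe no real vulnerability; the version comparison is a deliberate simplification of Composer's normalisation rules.

```python
"""Match a composer.lock against OSV advisories for the Packagist ecosystem.

Added example for illustration only; not the Drupal advisory database's or
OSV-Scanner's code. All advisory data below is constructed.
"""
import json
import re
from typing import Optional

# Constructed OSV advisory for a hypothetical Drupal contributed module.
# ID, package name, summary and version numbers are made up.
EXAMPLE_ADVISORY = {
    "id": "EXAMPLE-2024-0001",
    "summary": "Access bypass in example_module (constructed, not a real advisory)",
    "affected": [
        {
            "package": {"ecosystem": "Packagist", "name": "drupal/example_module"},
            # An ECOSYSTEM range is a sorted list of events: each "introduced"
            # opens a vulnerable span and the following "fixed" closes it.
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {"introduced": "2.0.0"},
                        {"fixed": "2.1.3"},
                        {"introduced": "3.0.0"},
                        {"fixed": "3.0.2"},
                    ],
                }
            ],
        }
    ],
}

# Constructed composer.lock fragment with only the fields the matcher needs.
EXAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.7"},
        {"name": "drupal/example_module", "version": "2.1.0"},
        {"name": "drupal/other_module", "version": "dev-main"},
    ],
    "packages-dev": [
        {"name": "drupal/example_module_dev", "version": "1.0.0"},
    ],
})

_NUMERIC = re.compile(r"^\d+(\.\d+)*")


def parse_version(version: str) -> Optional[tuple]:
    """Turn a Composer-style version into a sortable key, or None.

    Simplified normalisation: drop a leading "v", pad the numeric part to
    four components, and sort a pre-release suffix below its release.
    Branch aliases such as "dev-main" have no numeric part and return None.
    """
    v = version.lstrip("v")
    m = _NUMERIC.match(v)
    if not m:
        return None
    numbers = [int(p) for p in m.group(0).split(".")]
    numbers += [0] * (4 - len(numbers))
    suffix = v[m.end():].lstrip("-.")
    # (numbers, is_release, suffix): a release (1) sorts after a pre-release (0)
    return (tuple(numbers[:4]), 0 if suffix else 1, suffix)


def is_affected(version: str, events: list) -> bool:
    """Apply the (sorted) events of one OSV ECOSYSTEM range to a version."""
    key = parse_version(version)
    if key is None:
        return False  # unversioned branch alias: cannot be matched by range
    vulnerable = False
    for event in events:
        if "introduced" in event:
            # "0" is OSV's way of saying "from the first version"
            if event["introduced"] == "0" or parse_version(event["introduced"]) <= key:
                vulnerable = True
        elif "fixed" in event:
            if parse_version(event["fixed"]) <= key:
                vulnerable = False
        elif "last_affected" in event:
            if parse_version(event["last_affected"]) < key:
                vulnerable = False
    return vulnerable


def scan_lockfile(lock_json: str, advisories: list) -> list:
    """Return one finding per (installed package, matching advisory) pair."""
    lock = json.loads(lock_json)
    installed = lock.get("packages", []) + lock.get("packages-dev", [])
    findings = []
    for pkg in installed:
        for adv in advisories:
            for affected in adv.get("affected", []):
                target = affected.get("package", {})
                if target.get("ecosystem") != "Packagist" or target.get("name") != pkg["name"]:
                    continue
                for rng in affected.get("ranges", []):
                    if rng.get("type") == "ECOSYSTEM" and is_affected(pkg["version"], rng["events"]):
                        findings.append({"package": pkg["name"], "version": pkg["version"],
                                         "id": adv["id"], "summary": adv.get("summary", "")})
                        break
    return findings


if __name__ == "__main__":
    for f in scan_lockfile(EXAMPLE_COMPOSER_LOCK, [EXAMPLE_ADVISORY]):
        print(f"{f['id']}: {f['package']} {f['version']} - {f['summary']}")
```

Running it reports a single finding, `drupal/example_module 2.1.0`, because 2.1.0 falls inside the first introduced/fixed span; `drupal/core` has no matching advisory and the `dev-main` entry is skipped because a branch alias cannot be placed in a version range. Two points worth noticing: a pre-release of the fix version (`2.1.3-beta1`) is still treated as vulnerable, which is why exact version normalisation matters in a real scanner, and the second span means `3.0.1` is affected while `2.1.3` is not. With the advisories live on osv.dev, the real-world equivalent is a single OSV-Scanner run against composer.lock (`osv-scanner -L composer.lock` in the 1.x CLI) rather than anything hand-rolled like this.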

It also opens the door to better automation in the future. Tools like Dependabot and Renovate, which already consume OSV-format advisory data, could eventually draw on this database to raise automatic security updates for Drupal packages.

Screenshot: OSV list of vulnerabilities

The role of open collaboration

This project came together through open collaboration. It was shaped by the Drupal community, built by Ackama, supported by the OSV team at Google, and released under an open licence. It is the kind of technical infrastructure that does not just benefit one group; it strengthens the ecosystem for everyone. Major contributors from Google, Ackama, the Drupal Association and the Drupal Security Team include Gold, Gareth Jones, Greg Knaddison, Dave Long, Peter Wolanin, and Neil Drumm.

“It’s been awesome working hand-in-hand with both the Drupal Security and OSV teams to make this happen, and to be doing so in an open-source space, meaning anyone can contribute.”

– Gareth Jones, Head of Operations

Ackama continues to contribute to projects like these across the open source security space. We believe developer tooling should be more accessible and security shouldn’t be an afterthought.

Now that Drupal is part of the OSV ecosystem, we are proud to have helped close a gap, in a way that benefits developers across agencies, enterprise teams, and community contributors alike.