Skip to content

Latest commit

 

History

History
240 lines (186 loc) · 7.05 KB

README.md

File metadata and controls

240 lines (186 loc) · 7.05 KB

Scanr

Open, privacy-first, self-hostable DevSecOps runtime.

Release NPM Bun Homebrew Cargo License

🔭 Vision

Scanr is a multi-engine security framework built for teams that need deterministic security checks without SaaS lock-in.

It is designed around:

  • sovereignty
  • offline capability
  • transparent local execution
  • engine-first extensibility
  • deterministic CI enforcement

🧱 Architecture

scanr-engine      Unified engine contracts and finding model
scanr-sca         Software composition analysis engine (production-ready)
scanr-cli         CLI + TUI interface
scanr-container   Container engine (planned)
scanr-iac         IaC engine (planned)
scanr-sast        SAST engine (planned)
scanr-secrets     Secret scanning engine (planned)
scanr-server      Self-hosted control plane (future)
scanr-dashboard   Web UI (future)

✅ What Works Today (v0.1.1)

  • Node, Python, and Rust dependency parsing
  • OSV vulnerability matching with CVE + severity data
  • remediation suggestions and upgrade guidance
  • baseline tracking (.scanr/baseline.json)
  • project-local OSV cache (.scanr/cache) with offline/refresh modes
  • policy enforcement in CI via scanr.toml
  • deterministic exit codes (0, 1, 2, 3, 4)
  • CycloneDX SBOM generation and SBOM diff
  • SARIF + JSON + raw JSON structured outputs
  • Node dependency path tracing (scanr trace <package>)
  • full-screen TUI with scan controls

📦 Install Channels

# NPM
npm install -g @openlabs/scanr_cli

# BUN (uses npm package)
bun install -g @openlabs/scanr_cli

# Homebrew
brew install Open-Lab-s/tap/scanr

# Cargo (crates.io)
cargo install scanr-cli --locked

# Curl installer
curl -fsSL https://scanr.dev/install.sh | bash

🧩 Which Rust Crate Should I Use?

  • scanr-cli: use this if you want the scanr command as an end user.
  • scanr-sca: use this if you are building a Rust app and want to embed SCA scanning logic.
  • scanr-engine: use this if you are building your own engine or shared policy/reporting on top of Scanr contracts.

Published crates:

  • https://crates.io/crates/scanr-cli
  • https://crates.io/crates/scanr-sca
  • https://crates.io/crates/scanr-engine

Library integration example:

[dependencies]
scanr-sca = "0.1.1"
scanr-engine = "0.1.1"
use std::path::Path;
use scanr_sca::ScaEngine;

#[tokio::main]
async fn main() -> Result<(), scanr_sca::ScanError> {
    let engine = ScaEngine::new();
    let result = engine.scan_detailed(Path::new(".")).await?;
    println!("dependencies: {}", result.total_dependencies);
    Ok(())
}

🛠️ Run From Source (Clone + Test Locally)

# 1) Clone
git clone https://github.com/Open-Lab-s/Scanr.git
cd Scanr

# 2) Build release workspace
cargo build --workspace --release

# 3) Run without installing (dev run)
cargo run --package scanr-cli --bin scanr -- scan .

# 4) Install local CLI binary for testing (overwrites old local install)
cargo install --path crates/scanr-cli --force

# 5) Verify installed CLI
scanr --version
scanr --help

Optional validation:

cargo test --workspace

⚡ Quick Start

# interactive UI
scanr

# core scanning
scanr scan .
scanr scan . --ci
scanr scan . --json
scanr scan . --sarif

# caching and baseline
scanr scan . --offline
scanr scan . --refresh
scanr baseline save
scanr baseline status
scanr scan . --baseline --ci

# investigation + sbom
scanr trace minimatch
scanr sbom generate
scanr sbom diff old.cdx.json new.cdx.json

🗺️ Release Timeline

Version Theme Highlights
v0.1.0 Foundation CLI skeleton, SCA scanning, OSV integration, recommendations, CI policy, SBOM, SARIF/JSON, TUI, distribution setup
v0.1.1 Enterprise hardening Baseline/security debt tracking, OSV cache + offline mode, dependency tracing, license compliance, engine abstraction (scanr-engine)

📈 Product Timeline

Phase Version Status Outcome
Foundation v0.1.0 Completed Built Scanr CLI + SCA core, CI mode, SBOM, SARIF/JSON outputs, install channels
Hardening v0.1.1 Completed Added baseline, cache/offline, tracing, license enforcement, and engine abstraction
Multi-Engine Expansion v0.2.x Planned Add container engine, then IaC/secrets/SAST engines on the same contract
Security OS Layer v1.x Planned Self-hosted server, dashboard, org policy management, and governance workflows

✅ Phase Checklist (From Roadmap)

  • Phase 1: Engine Stabilization - SCA engine complete (scanr-sca)
  • Phase 1: Engine Stabilization - Container engine (scanr-container)
  • Phase 1: Engine Stabilization - IaC engine (scanr-iac)
  • Phase 1: Engine Stabilization - Secrets engine (scanr-secrets)
  • Phase 1: Engine Stabilization - SAST engine (scanr-sast)
  • Phase 2: Local Security Suite - CLI + TUI foundation complete
  • Phase 2: Local Security Suite - Multi-engine invocation UX
  • Phase 3: Security OS - scanr-server (self-hosted control plane)
  • Phase 3: Security OS - scanr-dashboard (web UI)
  • Phase 3: Security OS - SCM/GitHub integration + org governance

✅ Feature Timeline (What Is Done)

v0.1.0 delivered

  • CLI command system (scan, sbom, trace foundations)
  • dependency parsing for Node/Python/Rust
  • OSV vulnerability lookup with remediation hints
  • risk summary and CI policy checks
  • CycloneDX SBOM generation and SBOM diff
  • JSON/SARIF/raw JSON outputs
  • interactive TUI experience
  • packaging for npm/bun/homebrew/cargo/curl

v0.1.1 delivered

  • baseline save/status/compare workflow
  • security debt delta behavior in CI with baseline mode
  • project-local OSV cache with TTL
  • offline mode and forced refresh mode
  • Node dependency path tracing
  • license policy enforcement with dedicated exit semantics
  • refactor to scanr-engine + scanr-sca architecture

🧠 Workspace

F:\Scanr
├── crates/
│   ├── scanr-engine/
│   ├── scanr-sca/
│   └── scanr-cli/
├── installers/
├── docs/
├── Cargo.toml
└── mkdocs.yml

📚 Docs

Run docs locally:

mkdocs serve