Pre-compiled Vulnerability Database
ScanRook can download a pre-compiled SQLite database containing vulnerability data from 7 bulk sources. With the database installed, cold scans complete in seconds instead of minutes — no API calls needed for the vast majority of CVEs.
How It Works
The database is rebuilt daily and served from ScanRook's infrastructure.
A Kubernetes CronJob runs daily at 6 AM UTC, downloading all bulk vulnerability sources and compiling them into a single SQLite file. The compressed database (~150 MB) is uploaded to S3-compatible storage and made available via the GET /api/db/latest endpoint.
When the CLI runs scanrook db fetch, it queries this endpoint to get a presigned download URL, then decompresses and installs the database at ~/.scanrook/db/scanrook.db.
During scans, the enrichment pipeline checks the local SQLite database first, before any file cache, PostgreSQL cache, or live API calls. If a CVE is found in the database, the network call is skipped entirely.
Cache Layer Priority
SQLite is checked first — downstream layers are only hit on misses.
All existing cache layers remain untouched. The SQLite database is purely additive — if it's missing or out of date, the scanner falls back seamlessly to the existing pipeline.
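The lookup order described above, as an added sketch that is not ScanRook's own code. The single-table `vulns` schema, the function names, the stand-in cache layers and the `CVE-0000-000x` IDs are assumptions constructed for illustration.

```python
import os
import sqlite3
import tempfile

def open_local_db(path):
    """Open the database read-only; return None if it is missing or unusable."""
    if not os.path.isfile(path):
        return None
    conn = None
    try:
        conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        conn.execute("SELECT 1 FROM vulns LIMIT 1")  # rejects corrupt or foreign files
        return conn
    except sqlite3.Error:
        if conn is not None:
            conn.close()
        return None

def lookup(cve_id, db, fallbacks):
    """SQLite first; walk the ordered (name, fetch) fallbacks only on a miss."""
    if db is not None:
        row = db.execute("SELECT severity FROM vulns WHERE cve_id = ?", (cve_id,)).fetchone()
        if row is not None:
            return "sqlite", row[0]
    for name, fetch in fallbacks:
        hit = fetch(cve_id)
        if hit is not None:
            return name, hit
    return None, None

def demo():
    """Run three lookups on constructed data; return the results and the live-API call log."""
    good = os.path.join(tempfile.mkdtemp(), "scanrook.db")
    seed = sqlite3.connect(good)  # assumed schema, constructed placeholder IDs
    seed.executescript("CREATE TABLE vulns (cve_id TEXT PRIMARY KEY, severity TEXT);"
                       "INSERT INTO vulns VALUES ('CVE-0000-0001', 'HIGH');")
    seed.close()
    api_calls = []
    def live_api(cve_id):  # stand-in for the live API layer; records every call
        api_calls.append(cve_id)
        return "MEDIUM" if cve_id == "CVE-0000-0002" else None
    layers = [("file_cache", lambda c: None), ("pg_cache", lambda c: None), ("live_api", live_api)]
    db = open_local_db(good)
    results = [lookup("CVE-0000-0001", db, layers), lookup("CVE-0000-0002", db, layers)]
    db.close()
    results.append(lookup("CVE-0000-0002", open_local_db(good + ".absent"), layers))
    return results, api_calls

if __name__ == "__main__":
    print(demo())
```

The call log shows the property that matters operationally: a hit in the local database generates no outbound request, while a missing or unreadable database degrades to the existing layers instead of failing the scan.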
CLI Commands
Download, check, or build the vulnerability database.
Download the latest database
scanrook db fetch
Downloads and installs the latest pre-compiled database (~150 MB compressed). Skips download if the local database is already up to date. Use --force to re-download regardless.
Check database status
scanrook db status
Shows the local cache directory stats and vulnerability database path, size, build date, and source counts.
Build your own database
scanrook db build --output scanrook-db.sqlite
Downloads all bulk sources and builds a local database. Requires an NVD_API_KEY environment variable for reasonable NVD download speeds. Takes 60-90 minutes depending on NVD rate limits.
What's in the Database
Seven bulk-downloadable vulnerability sources covering ~1.26 million entries.
| Source | Bulk Format | Update Freq | Rows | Size |
|---|---|---|---|---|
| OSV (all ecosystems) | Yes (GCS zips) | Continuous | ~500K | ~120 MB |
| NVD (all CVEs) | Yes (paginated API) | Hourly | ~250K | ~200 MB |
| EPSS scores | Yes (full CSV) | Daily | ~250K | ~5 MB |
| CISA KEV | Yes (full JSON) | Weekly | ~1.2K | <0.1 MB |
| Debian Tracker | Yes (full JSON) | Daily | ~200K | ~15 MB |
| Ubuntu USN | Yes (full JSON) | Daily | ~50K | ~5 MB |
| Alpine SecDB | Yes (per-branch) | Daily | ~10K | ~2 MB |
What's NOT in the Database
API-only sources that are queried live during scans.
These Red Hat sources are queried at scan time and cached via the existing file/PostgreSQL cache layers. CVEs published between database builds are caught by the live API fallback.
Comparison with Other Scanners
How ScanRook's approach compares to Trivy and Grype.
| Feature | ScanRook | Trivy | Grype |
|---|---|---|---|
| DB format | SQLite | BoltDB | SQLite |
| DB size | ~350 MB | ~400 MB | ~150 MB |
| Update frequency | Daily | Every 6 hours | Every 2 hours |
| Live API fallback | Yes | No | No |
| Works without DB | Yes (live APIs) | No | No |
Unlike Trivy and Grype, ScanRook works without a pre-compiled database — it falls back to live API queries. The database is purely an optimization layer that eliminates cold-scan latency.
Environment Variables
Control database path and behavior.
| Variable | Default | Description |
|---|---|---|
| SCANROOK_DB | ~/.scanrook/db/scanrook.db | Override the SQLite database path. |
| SCANROOK_API_BASE | https://scanrook.io | Override the API base URL for db fetch. |
| NVD_API_KEY | (unset) | Required for db build to download NVD data at reasonable speed. |