Quickstart

Get ScanRook installed and running in under two minutes. This guide covers the three installation methods, your first scan, cache setup, and how to read the output.

Installation

Choose the method that fits your environment.

Shell installer (recommended)

Downloads the latest release binary for your platform and places it in your PATH.

Install via shell
curl -fsSL https://scanrook.sh/install | bash

Cargo

Build from source using Rust's package manager. Requires a working Rust toolchain (1.75+).

Install via Cargo
cargo install scanrook

Docker

Run ScanRook as a container without installing anything on the host.

Docker run
docker run --rm -v "$(pwd)":/work ghcr.io/devinshawntripp/scanrook:latest \
  scan --file /work/artifact.tar --format json --out /work/report.json

GitHub Actions

Add ScanRook to your CI pipeline. See the full GitHub Actions integration guide for a complete workflow example.

GitHub Actions step
- name: Install ScanRook
  run: curl -fsSL https://scanrook.sh/install | bash

Your first scan

ScanRook auto-detects the file type: container tar, source archive, ISO, or binary.

Scan a container image
# Save a Docker image to a tar file
docker save myapp:latest -o myapp.tar

# Scan it
scanrook scan --file ./myapp.tar --format json --out report.json
Scan with deep mode (enables YARA rules)
scanrook scan --file ./myapp.tar --mode deep --format json --out report.json

Scan a binary
scanrook bin --path ./myapp --format json --out report.json

Import and scan an SBOM
scanrook sbom import --file ./sbom.cdx.json --format json --out sbom-report.json

Cache setup

ScanRook caches vulnerability API responses locally to speed up repeated scans.

By default, responses are cached under ~/.scanrook/cache/. You can override this with SCANNER_CACHE or --cache-dir. Set SCANNER_SKIP_CACHE=1 to disable caching entirely.

Check cache status
scanrook db check

Pre-warm cache for an artifact
scanrook db update --source all --file ./myapp.tar

Clear the local cache
scanrook db clear

Caching layers

ScanRook checks three caching layers in order:

  1. File cache (~/.scanrook/cache/) -- default, disable with SCANNER_SKIP_CACHE=1
  2. PostgreSQL -- persistent CVE data via DATABASE_URL env variable; schema auto-initialized
  3. Redis -- fast distributed cache for multi-worker deployments

Example output

ScanRook produces structured JSON reports with findings, evidence, and a summary.

Report structure (abbreviated)
{
  "scanner": {
    "name": "scanrook",
    "version": "0.4.2"
  },
  "target": {
    "file": "./myapp.tar",
    "type": "container",
    "sha256": "a1b2c3..."
  },
  "findings": [
    {
      "cve": "CVE-2024-12345",
      "package": { "ecosystem": "npm", "name": "lodash", "version": "4.17.20" },
      "severity": "HIGH",
      "cvss": 7.5,
      "confidence": "ConfirmedInstalled",
      "evidence": [{ "source": "InstalledDb", "path": "/usr/lib/node_modules/..." }],
      "fixed_in": "4.17.21"
    }
  ],
  "summary": {
    "total_findings": 12,
    "critical": 1,
    "high": 3,
    "medium": 5,
    "low": 3,
    "packages_scanned": 142
  }
}

See the Confidence Tiers page to understand what ConfirmedInstalled vs HeuristicUnverified means for your triage workflow.
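A small triage script for the report format above, added here as an example and not part of ScanRook or its docs: it loads a report, blocks CI on ConfirmedInstalled findings at or above a chosen severity, sets HeuristicUnverified findings aside for manual review, and lists the package upgrades the blocking findings need. The embedded report is constructed to mirror the abbreviated structure shown; the CVE-EXAMPLE ids and the example-* package names are placeholders, not real findings, and only the two confidence values named on this page are assumed.

```python
import json
from collections import Counter

# Constructed sample mirroring the abbreviated report structure on this page.
# Placeholder ids/packages; not real ScanRook output.
SAMPLE_REPORT = json.dumps({
    "scanner": {"name": "scanrook", "version": "0.4.2"},
    "target": {"file": "./myapp.tar", "type": "container", "sha256": "a1b2c3..."},
    "findings": [
        {"cve": "CVE-2024-12345", "severity": "HIGH", "cvss": 7.5, "confidence": "ConfirmedInstalled",
         "package": {"ecosystem": "npm", "name": "lodash", "version": "4.17.20"},
         "evidence": [{"source": "InstalledDb", "path": "/usr/lib/node_modules/..."}], "fixed_in": "4.17.21"},
        {"cve": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "cvss": 9.8, "confidence": "HeuristicUnverified",
         "package": {"ecosystem": "npm", "name": "example-lib", "version": "1.0.0"},
         "evidence": [{"source": "InstalledDb", "path": "/opt/app/..."}], "fixed_in": None},
        {"cve": "CVE-EXAMPLE-0002", "severity": "LOW", "cvss": 3.1, "confidence": "ConfirmedInstalled",
         "package": {"ecosystem": "npm", "name": "example-util", "version": "2.0.0"},
         "evidence": [{"source": "InstalledDb", "path": "/opt/app/..."}], "fixed_in": "2.0.1"},
    ],
    "summary": {"total_findings": 3, "critical": 1, "high": 1, "medium": 0, "low": 1, "packages_scanned": 142},
})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def load_report(text):
    """Parse a report and reject anything that is not a ScanRook JSON report."""
    report = json.loads(text)
    if report.get("scanner", {}).get("name") != "scanrook":
        raise ValueError("not a ScanRook report")
    return report

def triage(report, gate_severity="HIGH"):
    """Split findings: confirmed-installed at/above the gate block CI; unconfirmed
    ones go to manual review. Counts are per (confidence, severity), which the
    report's summary block does not break out."""
    blocking, review, counts = [], [], Counter()
    for f in report.get("findings", []):
        severity = str(f.get("severity", "")).upper()
        counts[(f.get("confidence"), severity)] += 1
        confirmed = f.get("confidence") == "ConfirmedInstalled"
        if confirmed and SEVERITY_RANK.get(severity, 0) >= SEVERITY_RANK[gate_severity]:
            blocking.append(f)
        elif not confirmed:
            review.append(f)
    return {"blocking": blocking, "review": review, "counts": counts}

def fix_plan(findings):
    """Upgrade list for the given findings: (ecosystem, name, current, fixed_in)."""
    return sorted((f["package"]["ecosystem"], f["package"]["name"], f["package"]["version"],
                   f.get("fixed_in") or "no fix published") for f in findings)

if __name__ == "__main__":
    result = triage(load_report(SAMPLE_REPORT))
    for eco, name, cur, fixed in fix_plan(result["blocking"]):
        print(f"BLOCK {eco}/{name} {cur} -> {fixed}")
    print(f"{len(result['review'])} finding(s) need manual review")
    raise SystemExit(1 if result["blocking"] else 0)
```

Point it at a real report with `load_report(open("report.json").read())`; the exit status makes it usable as a CI gate after the scan step.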