ScanRook Roadmap

Batch queries against the OSV API, NVD CPE matching, and Red Hat OVAL XML filtering. Three complementary data sources for broad CVE coverage.

Every finding is annotated with its EPSS probability and percentile from the FIRST.org EPSS feed, enabling exploit-likelihood-based prioritization.

Findings matching the CISA Known Exploited Vulnerabilities catalog are flagged automatically, surfacing actively exploited CVEs for immediate attention.

Full extraction and inventory of container image tars with support for RPM, APK, dpkg, npm, pip, Go modules, and more. OCI manifest and layer ordering handled automatically.

Static analysis of compiled binaries via goblin with memory-mapped I/O. Extracts linked libraries, Go build info, and Rust panic strings for vulnerability correlation.

Import existing SBOMs in CycloneDX, SPDX, and Syft JSON formats. Components are enriched through the full vulnerability pipeline automatically.

Compare two SBOM snapshots to identify added, removed, and changed components. Useful for tracking supply chain drift across releases.

AlmaLinux, Rocky Linux, SUSE, Fedora, Amazon Linux, Oracle Linux, Chainguard, and Wolfi. Distro-specific advisory filtering reduces false positives.

Findings are classified as ConfirmedInstalled or HeuristicUnverified based on evidence source. Installed-state packages are prioritized over heuristic matches.

Connect any OCI-compliant registry (Docker Hub, GHCR, ECR, GCR, self-hosted). Browse repositories and tags, scan images on demand, and manage registry credentials per organization with AES-256-GCM encryption.

Scanner and worker metrics exposed via Prometheus endpoints. Pre-built Grafana dashboards for scan throughput, queue depth, enrichment latency, and error rates.

Logs from all services aggregated into Grafana Loki via Promtail with unified search, alerting, and correlation across the UI, Dispatcher, and Scanner.

Bitwise role-based access control with eight granular roles from Viewer to Org Owner. API key authentication with scoped permissions and per-org billing quota enforcement.

Live scan progress streaming via PostgreSQL NOTIFY/LISTEN and Server-Sent Events. No polling — the browser receives stage updates, severity counts, and SBOM status in real time.

Structured documentation covering CLI quickstart, SBOM guide, CI/CD integration, architecture, data sources, benchmarks, FAQ, and self-hosted deployment.

Benchmarks across 10 container images comparing ScanRook against Trivy and Grype. Published with warm-cache times, finding counts, and methodology transparency.

Two pre-compiled vulnerability databases: a free tier with OSV + basic NVD (comparable to Trivy/Grype), and a paid tier adding EPSS, CISA KEV, Red Hat OVAL, confidence tiers, and distro tracker cross-references.

CLI authenticates via API key to determine plan tier. Free users get OSV-only enrichment. Paid plans unlock full multi-source enrichment, JSON output, and the premium vulnerability database.

Payment processing for Developer, Team, and Enterprise tiers. Per-developer pricing with self-serve checkout via Stripe, subscription management, and usage-based quota enforcement.

Official GitHub Action that runs ScanRook in CI/CD pipelines. Posts findings as PR review comments with severity badges, and can block merges based on configurable policy thresholds. Supports Docker image and artifact scanning.

Cron-based scan schedules for registry images. Automatically re-scan images on a configurable cadence and alert on newly disclosed vulnerabilities. Managed via the dashboard with inline editing.

Configurable notification channels that fire on scan completion. Supports Slack, Discord, generic HTTP webhooks with HMAC signing, and email. Test notifications from the dashboard.

Export audit-ready CSV and JSON reports with framework-specific headers. SOC 2 includes CC7.1 controls, ISO 27001 includes A.12.6 annex references, FedRAMP uses POA&M format with NIST categories.

Historical stacked bar charts showing severity distribution over time. Summary cards for total scans, average findings, trend direction, and most-scanned images.

Extracts licenses from RPM headers, APK metadata, dpkg copyright files, npm package.json, pip METADATA, and Cargo.toml. Classifies 22+ SPDX license types with risk tiers (Critical/High/Medium/Low/None). Flags copyleft and non-commercial licenses.

Configurable policy engine in the dashboard with inline rule builder. Supports severity thresholds, license blocklists, package blocklists, and scan age rules. Evaluate policies against any completed scan.

The `scanrook k8s` subcommand connects to a cluster via kubeconfig, discovers all running workloads, pulls their container images, and scans each one. Reports per-image findings with workload mapping.

Go-based operator that watches Deployments, StatefulSets, and DaemonSets. Creates ImageScan CRDs for each container image. Optional validating admission webhook blocks pods with critical vulnerabilities. Installable via Helm chart.

SBOM diff now compares across versions of the same image (e.g., myapp:v1.2 vs myapp:v1.3) instead of requiring exact tag matches. Shows added, removed, and changed packages between builds.

Collapsible left sidebar with grouped sections (Scanning, Security, Infrastructure, Organization, Admin). SVG icons for each item. Mobile overlay with backdrop. Collapse state persists via localStorage.

Building a code fingerprint database from the top 100K packages per ecosystem (npm, PyPI, Maven, Go, Cargo). MinHash signatures for fuzzy snippet matching to detect copied/modified open source code and identify its license.

Fallback license lookup via the ClearlyDefined API for packages where local metadata extraction doesn't provide license info (Go modules, some pip packages, Maven JARs).

Map each SPDX license to its specific legal obligations: attribution requirements, source disclosure, patent grants, network use triggers. Track compliance status per component.

Rule engine that identifies incompatible license combinations in a project's dependency tree (e.g., GPL + proprietary, AGPL in SaaS without disclosure).

Accept git repo URLs or zip uploads. Parse all dependency manifests (package.json, requirements.txt, go.mod, Cargo.toml, pom.xml). Resolve full dependency trees including transitive deps. License detection for every dependency.

Scan extracted containers and source repos for LICENSE, COPYING, and NOTICE files. Parse both machine-readable DEP-5 format and free-text license declarations using ScanCode-compatible patterns.

Dashboard workflow for reviewing and approving open source components. Lawyers and compliance officers can approve, reject, or flag packages. Full audit trail of decisions.

Hash binary segments (ELF sections, PE resources) and match against a database of known open source components to identify embedded libraries and their licenses.

Actionable fix recommendations per finding including the minimum patched version, upgrade commands, and links to vendor advisories.

Side-by-side diff of two scan results showing new, resolved, and unchanged findings between any two scans. Works across versions, tags, and time periods.

Native integration with SUSE Security OVAL feeds for SLES and openSUSE. Distro-specific advisory filtering for SUSE-based container images.

Direct consumption of Oracle Linux OVAL data for accurate RPM advisory matching on Oracle Linux containers.

Determine whether a vulnerable dependency is actually reachable in the application's call graph, reducing false positives from unused transitive dependencies.

Automatically generate PRs that bump vulnerable dependencies to the minimum patched version.

Real-time vulnerability scanning in the editor with inline severity annotations and quick-fix suggestions.

Scan artifacts for hardcoded API keys, tokens, passwords, and other sensitive credentials.

GitLab CI integration with merge request comments and security dashboard reporting.

Cryptographic verification of SBOM provenance and integrity.

A rich terminal interface for interactive scan monitoring and result browsing.

Pre-built container images for ARM64 in addition to AMD64.