🔐 Privacy-first, self-hostable, open-source security platform.
Scanr is evolving into an open Security OS for private infrastructure:
- fully local and deterministic by default
- no mandatory SaaS dependency
- unified engine architecture
- CI-native policy enforcement
- composable, extensible security workflow
| Crate | Role |
|---|---|
| scanr-engine | Unified abstraction layer for findings and engine contracts |
| scanr-sca | Software composition analysis engine (current production engine) |
| scanr-cli | Local interface (CLI + TUI) |
| scanr-container | Planned container engine |
| scanr-iac | Planned IaC engine |
| scanr-sast | Planned static analysis engine |
| scanr-secrets | Planned secret scanning engine |
- dependency scanning (Node, Python, Rust)
- OSV vulnerability matching with CVE/severity/remediation
- risk summary + CI policy enforcement
- baseline and security debt tracking
- project-local cache + offline mode
- license compliance enforcement
- CycloneDX SBOM generation and SBOM diff
- JSON and SARIF outputs for automation
- dependency path tracing for Node lockfiles
- clean full-screen TUI flow
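The baseline and CI-policy features above combine into one decision: which findings are new since the saved baseline, and whether any of those new findings breach the failure threshold. The following is an added example written for this page to illustrate that logic; it is not Scanr's own implementation and not the `scanr-engine` API. The `Finding`, `Baseline` and `Verdict` types, the fingerprint scheme, the `fail_on` threshold and the sample advisories (`SAMPLE-ADV-*`, `pkg-*`) are all hypothetical, constructed inline so the program runs offline.

```rust
// Added example: a baseline-aware CI policy gate. Hypothetical types and
// logic, not the scanr-engine / scanr-sca contracts.
use std::collections::BTreeSet;

// Ordering matters: a finding fails the gate when severity >= fail_on.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity {
    Low,
    Medium,
    High,
    Critical,
}

#[derive(Debug, Clone)]
pub struct Finding {
    pub package: String,
    pub version: String,
    pub advisory: String, // constructed advisory id for the example
    pub severity: Severity,
}

impl Finding {
    pub fn new(package: &str, version: &str, advisory: &str, severity: Severity) -> Self {
        Finding { package: package.into(), version: version.into(), advisory: advisory.into(), severity }
    }

    /// Stable identity used for baseline matching. Severity is deliberately
    /// excluded so a re-scored advisory still matches its baseline entry.
    pub fn fingerprint(&self) -> String {
        format!("{}@{}:{}", self.package, self.version, self.advisory)
    }
}

/// A saved baseline is the set of fingerprints accepted as known security debt.
#[derive(Debug, Default, Clone)]
pub struct Baseline {
    pub accepted: BTreeSet<String>,
}

impl Baseline {
    pub fn save(findings: &[Finding]) -> Self {
        Baseline { accepted: findings.iter().map(Finding::fingerprint).collect() }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct Verdict {
    pub new_findings: Vec<String>, // fingerprints not present in the baseline
    pub baselined: usize,          // known debt carried forward (never fails CI)
    pub resolved: usize,           // baseline entries no longer seen in the scan
    pub fail: bool,                // true if any NEW finding reaches fail_on
}

pub fn enforce(findings: &[Finding], baseline: &Baseline, fail_on: Severity) -> Verdict {
    let current: BTreeSet<String> = findings.iter().map(Finding::fingerprint).collect();
    let mut new_findings = Vec::new();
    let mut baselined = 0;
    let mut fail = false;
    for f in findings {
        let fp = f.fingerprint();
        if baseline.accepted.contains(&fp) {
            baselined += 1; // accepted debt: reported, but does not block
            continue;
        }
        if f.severity >= fail_on {
            fail = true;
        }
        new_findings.push(fp);
    }
    // Debt that was baselined but is gone now (upgraded or removed package).
    let resolved = baseline.accepted.difference(&current).count();
    Verdict { new_findings, baselined, resolved, fail }
}

/// Constructed scan result standing in for an SCA engine's output.
pub fn sample_scan() -> Vec<Finding> {
    vec![
        Finding::new("pkg-a", "1.0.0", "SAMPLE-ADV-1", Severity::High),
        Finding::new("pkg-b", "2.3.1", "SAMPLE-ADV-2", Severity::Medium),
        Finding::new("pkg-c", "0.9.0", "SAMPLE-ADV-3", Severity::Critical),
    ]
}

/// Constructed baseline: pkg-a and pkg-c were accepted earlier, plus one
/// stale entry for a package that has since been removed.
pub fn sample_baseline() -> Baseline {
    let scan = sample_scan();
    let mut b = Baseline::save(&[scan[0].clone(), scan[2].clone()]);
    b.accepted.insert("pkg-old@0.1.0:SAMPLE-ADV-0".to_string());
    b
}

fn main() {
    let verdict = enforce(&sample_scan(), &sample_baseline(), Severity::High);
    println!("{verdict:#?}");
    // CI semantics: non-zero exit only for new findings at or above the threshold.
    std::process::exit(if verdict.fail { 1 } else { 0 });
}
```

The design choice worth noting is that the fingerprint excludes severity: if OSV re-scores an advisory from High to Critical, the finding stays matched to its baseline entry rather than reappearing as "new" and failing the build unexpectedly, while `resolved` lets you track debt that actually went away.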
- npm: `npm install -g @openlabs/scanr_cli`
- Bun: `bun install -g @openlabs/scanr_cli`
- Homebrew: `brew install Open-Lab-s/tap/scanr`
- Cargo: `cargo install scanr-cli --locked`
- curl: `curl -fsSL https://scanr.dev/install.sh | bash`

The curl channel pipes a remote script straight into bash; download and read install.sh first if your environment requires reviewing installers before running them.
- `scanr-cli`: for CLI/TUI users who want the `scanr` binary.
- `scanr-sca`: for Rust integrators embedding dependency and vulnerability scanning.
- `scanr-engine`: for custom engine development with shared `Finding`/`ScanResult` contracts.

Published crates:
- https://crates.io/crates/scanr-cli
- https://crates.io/crates/scanr-sca
- https://crates.io/crates/scanr-engine
```bash
git clone https://github.com/Open-Lab-s/Scanr.git
cd Scanr
cargo build --workspace --release
cargo run --package scanr-cli --bin scanr -- scan .
# install local binary for repeated manual testing
cargo install --path crates/scanr-cli --force
```
```bash
scanr --version
scanr
scanr scan .
scanr scan . --ci
scanr scan . --json
scanr scan . --sarif
scanr baseline save
scanr trace minimatch
scanr sbom generate
```

| Version | Scope | Key outcomes |
|---|---|---|
| v0.1.0 | Foundation | Core CLI, SCA, OSV, recommendations, CI mode, SBOM, SARIF/JSON, packaging channels |
| v0.1.1 | Hardening + framework | Baseline, cache/offline, trace, license policy, engine abstraction and multi-engine-ready architecture |
| Phase | Version | Status | Outcome |
|---|---|---|---|
| Foundation | v0.1.0 | Completed | Production-ready SCA CLI baseline with CI and reporting outputs |
| Hardening | v0.1.1 | Completed | Baseline + cache/offline + trace + license + engine abstraction |
| Multi-Engine Expansion | v0.2.x | Planned | Container engine first, then IaC/secrets/SAST |
| Security OS | v1.x | Planned | Self-hosted server, dashboard, org governance and historical analytics |
- Phase 1: SCA engine stabilized and production-ready
- Phase 1: Container engine implementation
- Phase 1: IaC engine implementation
- Phase 1: Secrets engine implementation
- Phase 1: SAST engine implementation
- Phase 2: Local suite foundation (CLI + TUI + CI outputs)
- Phase 2: Full multi-engine local orchestration
- Phase 3: Security OS (`scanr-server` + `scanr-dashboard`)
- Phase 3: SCM integrations and org-level governance
- dependency parsing (Node/Python/Rust)
- OSV vulnerability investigation and remediation hints
- CI policy checks and risk classification
- CycloneDX SBOM generation + SBOM diff
- JSON and SARIF output modes
- interactive TUI
- install channels (npm, bun, brew, cargo, curl)
- baseline tracking and baseline-aware CI behavior
- local OSV caching with TTL and refresh control
- offline scan mode
- dependency path tracing (Node lockfile)
- license compliance policy enforcement
- engine-layer refactor to `scanr-engine` + `scanr-sca`
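Dependency path tracing (the `scanr trace minimatch` use case above) answers "why is this package in my tree?" by walking the lockfile's dependency graph from the project root to the package of interest. The following is an added example written for this page, not Scanr's own tracer: it skips lockfile parsing and works on a constructed adjacency map (`sample_graph`) that stands in for the edges a Node lockfile encodes, then reports both the shortest path (BFS) and every path (cycle-safe DFS), which is what you need to know how many transitive routes must be cut before the package disappears.

```rust
// Added example: dependency path tracing over a lockfile-style graph.
// Hypothetical helper code, not scanr-sca's lockfile parser or tracer.
use std::collections::{BTreeMap, BTreeSet, VecDeque};

/// package name -> its direct dependencies (constructed sample, not a real lockfile).
pub type Graph = BTreeMap<&'static str, Vec<&'static str>>;

pub fn sample_graph() -> Graph {
    let mut g = Graph::new();
    g.insert("app", vec!["eslint", "glob", "express"]);
    g.insert("eslint", vec!["minimatch", "glob"]);
    g.insert("glob", vec!["minimatch"]);
    g.insert("express", vec!["body-parser"]);
    g.insert("body-parser", vec![]);
    g.insert("minimatch", vec!["brace-expansion"]);
    g.insert("brace-expansion", vec![]);
    g
}

/// Shortest root -> target path via BFS; None if target is not reachable.
pub fn trace_shortest(g: &Graph, root: &str, target: &str) -> Option<Vec<String>> {
    let mut parent: BTreeMap<String, String> = BTreeMap::new();
    let mut queue = VecDeque::from([root.to_string()]);
    let mut seen = BTreeSet::from([root.to_string()]);
    while let Some(node) = queue.pop_front() {
        if node == target {
            // Rebuild the path by following parent links back to the root.
            let mut path = vec![node.clone()];
            let mut cur = node;
            while let Some(p) = parent.get(&cur) {
                path.push(p.clone());
                cur = p.clone();
            }
            path.reverse();
            return Some(path);
        }
        for &dep in g.get(node.as_str()).map(Vec::as_slice).unwrap_or(&[]) {
            if seen.insert(dep.to_string()) {
                parent.insert(dep.to_string(), node.clone());
                queue.push_back(dep.to_string());
            }
        }
    }
    None
}

/// Every simple root -> target path (DFS). `on_path` guards against cycles,
/// which real lockfiles can contain via peer/optional dependencies.
pub fn trace_all(g: &Graph, root: &str, target: &str) -> Vec<Vec<String>> {
    let mut out = Vec::new();
    let mut path = vec![root.to_string()];
    let mut on_path = BTreeSet::from([root.to_string()]);
    dfs(g, root, target, &mut path, &mut on_path, &mut out);
    out
}

fn dfs(
    g: &Graph,
    node: &str,
    target: &str,
    path: &mut Vec<String>,
    on_path: &mut BTreeSet<String>,
    out: &mut Vec<Vec<String>>,
) {
    if node == target {
        out.push(path.clone());
        return;
    }
    if let Some(deps) = g.get(node) {
        for &dep in deps {
            if on_path.contains(dep) {
                continue; // already on the current path: cycle, skip
            }
            path.push(dep.to_string());
            on_path.insert(dep.to_string());
            dfs(g, dep, target, path, on_path, out);
            on_path.remove(dep);
            path.pop();
        }
    }
}

fn main() {
    let g = sample_graph();
    if let Some(p) = trace_shortest(&g, "app", "minimatch") {
        println!("shortest: {}", p.join(" -> "));
    }
    for p in trace_all(&g, "app", "minimatch") {
        println!("path: {}", p.join(" -> "));
    }
}
```

On the constructed graph, `minimatch` is reachable by three routes (two through `eslint`, one through `glob`), so upgrading only `glob` would not remove the package; the full path list makes that visible, while the shortest path is what a remediation hint would typically show.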