# Scanr
> Open, privacy-first, self-hostable DevSecOps runtime.
## Vision
Scanr is a multi-engine security framework built for teams that need deterministic security checks without SaaS lock-in.
It is designed around:
- sovereignty
- offline capability
- transparent local execution
- engine-first extensibility
- deterministic CI enforcement
## Architecture
```text
scanr-engine Unified engine contracts and finding model
scanr-sca Software composition analysis engine (production-ready)
scanr-cli CLI + TUI interface
scanr-container Container engine (planned)
scanr-iac IaC engine (planned)
scanr-sast SAST engine (planned)
scanr-secrets Secret scanning engine (planned)
scanr-server Self-hosted control plane (future)
scanr-dashboard Web UI (future)
```
## What Works Today (v0.1.1)
- Node, Python, and Rust dependency parsing
- OSV vulnerability matching with CVE + severity data
- remediation suggestions and upgrade guidance
- baseline tracking (`.scanr/baseline.json`)
- project-local OSV cache (`.scanr/cache`) with offline/refresh modes
- policy enforcement in CI via `scanr.toml`
- deterministic exit codes (`0`, `1`, `2`, `3`, `4`)
- CycloneDX SBOM generation and SBOM diff
- SARIF + JSON + raw JSON structured outputs
- Node dependency path tracing (`scanr trace <package>`)
- full-screen TUI with scan controls
## Install Channels
```bash
# NPM
npm install -g @openlabs/scanr_cli
# BUN (uses npm package)
bun install -g @openlabs/scanr_cli
# Homebrew
brew install Open-Lab-s/tap/scanr
# Cargo (from source workspace)
cargo install --path crates/scanr-cli
# Curl installer
```
## Run From Source (Clone + Test Locally)
```bash
# 1) Clone
git clone https://github.com/Open-Lab-s/Scanr.git
cd Scanr
# 2) Build release workspace
cargo build --workspace --release
# 3) Run without installing (dev run)
cargo run --package scanr-cli --bin scanr -- scan .
# 4) Install local CLI binary for testing (overwrites old local install)
cargo install --path crates/scanr-cli --force
# 5) Verify installed CLI
scanr --version
scanr --help
```
Optional validation:
```bash
cargo test --workspace
```
## Quick Start
```bash
# interactive UI
scanr
# core scanning
scanr scan .
scanr scan . --ci
scanr scan . --json
scanr scan . --sarif
# caching and baseline
scanr scan . --offline
scanr scan . --refresh
scanr baseline save
scanr baseline status
scanr scan . --baseline --ci
# investigation + sbom
scanr trace minimatch
scanr sbom generate
scanr sbom diff old.cdx.json new.cdx.json
```
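What an SBOM diff such as `scanr sbom diff old.cdx.json new.cdx.json` reports is the set of components added, removed, or bumped between two CycloneDX documents. The script below is an added illustration of that comparison over the standard CycloneDX JSON layout (`components[].purl` / `version`); it is not Scanr's own implementation, and the two SBOM documents are constructed sample input.

```python
# Added example (not Scanr's code): diff two CycloneDX SBOMs by package URL.
# Components are keyed by their purl with the version stripped, so a version
# bump shows up as "changed" rather than as one removal plus one addition.
import json

# Constructed sample SBOMs standing in for old.cdx.json / new.cdx.json.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "minimatch", "version": "3.0.4",
         "purl": "pkg:npm/minimatch@3.0.4"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "minimatch", "version": "3.1.2",
         "purl": "pkg:npm/minimatch@3.1.2"},
        {"type": "library", "name": "semver", "version": "7.5.4",
         "purl": "pkg:npm/semver@7.5.4"},
    ],
})


def _index(sbom_json):
    """Map each component's version-less purl to its version string."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    for comp in doc.get("components", []):
        purl = comp.get("purl") or f"pkg:unknown/{comp['name']}@{comp.get('version', '')}"
        # The version follows the first '@' (scoped npm names encode '@' as %40,
        # so the split is safe for npm, PyPI and crates.io purls).
        base = purl.split("@", 1)[0]
        index[base] = comp.get("version", "")
    return index


def diff_sboms(old_json, new_json):
    """Return added/removed purls and (old, new) version pairs for changed ones."""
    old, new = _index(old_json), _index(new_json)
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "changed": {p: (old[p], new[p]) for p in sorted(old)
                    if p in new and old[p] != new[p]},
    }


if __name__ == "__main__":
    print(json.dumps(diff_sboms(OLD_SBOM, NEW_SBOM), indent=2))
```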
## Release Timeline
| Version | Theme | Highlights |
|---|---|---|
| `v0.1.0` | Foundation | CLI skeleton, SCA scanning, OSV integration, recommendations, CI policy, SBOM, SARIF/JSON, TUI, distribution setup |
| `v0.1.1` | Enterprise hardening | Baseline/security debt tracking, OSV cache + offline mode, dependency tracing, license compliance, engine abstraction (`scanr-engine`) |
## Product Timeline
| Phase | Version | Status | Scope |
|---|---|---|---|
| Foundation | `v0.1.0` | Completed | Built Scanr CLI + SCA core, CI mode, SBOM, SARIF/JSON outputs, install channels |
| Hardening | `v0.1.1` | Completed | Added baseline, cache/offline, tracing, license enforcement, and engine abstraction |
| Multi-Engine Expansion | `v0.2.x` | Planned | Add container engine, then IaC/secrets/SAST engines on the same contract |
| Security OS Layer | `v1.x` | Planned | Self-hosted server, dashboard, org policy management, and governance workflows |
## Phase Checklist (From Roadmap)
- [x] Phase 1: Engine Stabilization - SCA engine complete (`scanr-sca`)
- [ ] Phase 1: Engine Stabilization - Container engine (`scanr-container`)
- [ ] Phase 1: Engine Stabilization - IaC engine (`scanr-iac`)
- [ ] Phase 1: Engine Stabilization - Secrets engine (`scanr-secrets`)
- [ ] Phase 1: Engine Stabilization - SAST engine (`scanr-sast`)
- [x] Phase 2: Local Security Suite - CLI + TUI foundation complete
- [ ] Phase 2: Local Security Suite - Multi-engine invocation UX
- [ ] Phase 3: Security OS - `scanr-server` (self-hosted control plane)
- [ ] Phase 3: Security OS - `scanr-dashboard` (web UI)
- [ ] Phase 3: Security OS - SCM/GitHub integration + org governance
## Feature Timeline (What Is Done)
### `v0.1.0` delivered
- CLI command system (`scan`, `sbom`, `trace` foundations)
- dependency parsing for Node/Python/Rust
- OSV vulnerability lookup with remediation hints
- risk summary and CI policy checks
- CycloneDX SBOM generation and SBOM diff
- JSON/SARIF/raw JSON outputs
- interactive TUI experience
- packaging for npm/bun/homebrew/cargo/curl
### `v0.1.1` delivered
- baseline save/status/compare workflow
- security debt delta behavior in CI with baseline mode
- project-local OSV cache with TTL
- offline mode and forced refresh mode
- Node dependency path tracing
- license policy enforcement with dedicated exit semantics
- refactor to `scanr-engine` + `scanr-sca` architecture
## Workspace
```text
F:\Scanr
├── crates/
│   ├── scanr-engine/
│   ├── scanr-sca/
│   └── scanr-cli/
├── installers/
├── docs/
├── Cargo.toml
└── mkdocs.yml
```
## Docs
- [Documentation index](docs/index.md)
- [Installation](docs/installation.md)
- [Scanr CLI](docs/cli.md)
- [Scanr SCA](docs/core.md)
- [Output formats](docs/output-formats.md)
- [CI policy](docs/ci-policy.md)
- [Baseline](docs/baseline.md)
- [Cache](docs/cache.md)
- [SBOM](docs/sbom.md)
- [TUI](docs/tui.md)
- [Changelog](docs/changelog.md)
Run docs locally:
```bash
mkdocs serve
```