ANNOUNCE: Scan is now in maintenance mode #352

Open
prabhu opened this issue Oct 22, 2021 · 3 comments
Comments


prabhu commented Oct 22, 2021

Scan version 2 is now in maintenance mode. Only critical fixes if any would be considered, with no new features planned.

What is the issue?

Scan (formerly AppThreat sast-scan) has served many users including me over these last 2 years. Version 2 brought in lots of exciting new tools and capabilities but demonstrated a few limitations which I, personally, am not happy with.

  • Container scanning capability was fiddly. Scan being a container image required extraordinary permissions to the host to scan another container.
  • Thanks to large enterprises such as Microsoft, and even ShiftLeft customers using this product, there is realistically no chance of upgrading scan to use Python 3.9 or 3.10 (from 3.8), Go 1.17 (from 1.16), Java 16 (from Java 11) and so on for the next few years.
  • Scan AppImage doesn't really work outside Ubuntu 20.04.
  • Adding SAST scanning to CI, performing findings normalization and SARIF conversions are no longer a problem thanks to GitHub code scanning and the entire community now supporting SARIF output.

Locking this version essentially would give me breathing space to think about the next thing.

Will there be a version 3?

The next evolution of scan would aim to address the question "What is a security scan?" both technically and philosophically. I no longer believe that producing reports by invoking multiple tools is exciting and useful for developers and AppSec alike. A new version that presumably uses a new architecture to support containers, binaries and other formats would require a serious amount of support time for migrations, which I don't have. Plus, I would like to move away from GitHub to sourcehut for all my open-source work. So, the promise is new product, new tech instead of upgrades.

Possible questions

Should we fork slscan?

Sure, you can fork if there is a legitimate interest to maintain your open-source version. Be mindful of the license, which is GPL-3.0-or-later.

Should we remove slscan from the pipelines?

Not necessary. The container images would continue to be built and published on both Docker Hub and Quay on a daily basis. You could also publish it in your container registry.

Will there be an enterprise version?

No.

I've more questions

Please join our Discord.


erichs commented Nov 3, 2021

Really appreciate the tremendous work you've consistently put into slscan over the last 2 years, @prabhu! Thanks for making such a useful tool that meets a huge need. Excited you're thinking afresh about this space, and can't wait to see what you dream up next!


zabbal commented Jan 21, 2022

Are there particular sourcehut repo(s) worth keeping an eye on for new developments?


prabhu commented Jan 21, 2022

@zabbal My new tool, a binary linter called blint, can be found here: https://git.sr.ht/~prabhu/blint

fussel178 added a commit to wuespace/telestion-client that referenced this issue Dec 27, 2022:

  Note: The maintainer of Shift Left put the project in maintenance mode.
  See ShiftLeftSecurity/sast-scan#352

elrido added a commit to PrivateBin/PrivateBin that referenced this issue Aug 16, 2023:

  Development on this stopped in 2021 and apart from the (false positive) secret scan, dev suggests CodeQL replaces it, feature wise: ShiftLeftSecurity/sast-scan#352