A fully open-source Rust-based DevSecOps security engine that scans dependencies, containers, Infrastructure as Code, and runtime behavior to detect vulnerabilities, license risks, and security misconfigurations directly within developer workflows.
Scanr is a fully open-source, Rust-based DevSecOps security engine designed to provide comprehensive risk visibility across modern software projects. It enables developers and open-source teams to identify vulnerabilities, license risks, infrastructure misconfigurations, and runtime anomalies without relying on proprietary SaaS platforms.
Scanr performs multi-layer security analysis across the application stack. It scans dependencies across ecosystems such as Node.js, Python, Go, and Rust, detecting both direct and transitive packages and matching them against public vulnerability databases including OSV and NVD. It generates standards-compliant Software Bill of Materials (SBOM) files in CycloneDX and SPDX formats and supports SBOM comparison to identify newly introduced dependencies or version changes.
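The SBOM comparison described above, as an added illustration that is not Scanr's own code (written in Python rather than the project's Rust): it diffs two constructed CycloneDX JSON documents, keys each package by its purl with the version stripped so that an npm and a PyPI package of the same name stay distinct, and walks nested components so transitive dependencies are compared as well.

```python
import json

# Two constructed CycloneDX JSON SBOMs (hypothetical, not Scanr output);
# "express" carries a nested (transitive) component, as CycloneDX allows.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2", "components": [{"type": "library", "name": "body-parser", "version": "1.20.1", "purl": "pkg:npm/body-parser@1.20.1"}]},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ]})
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2", "components": [{"type": "library", "name": "body-parser", "version": "1.20.2", "purl": "pkg:npm/body-parser@1.20.2"}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    ]})

def component_key(component: dict) -> str:
    """Version-independent identity: the purl minus version, qualifiers and
    subpath (keeps ecosystems distinct); falls back to group/name without a purl."""
    purl = component.get("purl", "")
    if purl:
        base = purl.split("?", 1)[0].split("#", 1)[0]
        head, sep, _ = base.rpartition("@")
        return head if sep else base
    group = component.get("group", "")
    return f"{group}/{component['name']}" if group else component["name"]

def walk(components):
    """Yield every component, recursing into nested (transitive) ones."""
    for c in components:
        yield c
        yield from walk(c.get("components", []))

def load_versions(sbom_json: str) -> dict:
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return {component_key(c): c.get("version", "") for c in walk(doc.get("components", []))}

def diff_sboms(old_json: str, new_json: str) -> dict:
    """Report packages added, removed, and re-versioned between two SBOMs."""
    old, new = load_versions(old_json), load_versions(new_json)
    return {
        "added": {k: new[k] for k in sorted(new.keys() - old.keys())},
        "removed": {k: old[k] for k in sorted(old.keys() - new.keys())},
        "changed": {k: (old[k], new[k]) for k in sorted(old.keys() & new.keys()) if old[k] != new[k]},
    }
```

Calling `diff_sboms(OLD_SBOM, NEW_SBOM)` reports the new `left-pad` package, the dropped `requests`, and the version bumps of `lodash` and the transitive `body-parser`.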
In addition to dependency analysis, Scanr scans container images to detect vulnerable operating system packages and misconfigurations within Docker layers. It also analyzes Infrastructure as Code files, including Terraform, Dockerfiles, and Kubernetes manifests, to identify insecure configurations such as exposed ports, privileged containers, root execution, and hardcoded secrets.
Scanr includes a license compliance engine that detects open-source licenses across dependencies and flags potential compatibility and copyleft risks. A unified risk scoring system aggregates findings from dependencies, containers, IaC, and runtime monitoring into a clear, actionable security risk index.
Designed for integration into developer workflows, Scanr provides a production-ready CLI for local use and CI/CD pipelines, along with GitHub Action support for pull request analysis and policy enforcement. A desktop interface built with Tauri offers visual insights, including dependency graphs, vulnerability breakdowns, and risk dashboards.
Scanr delivers a transparent, extensible, and vendor-independent security platform that empowers developers and open-source communities to maintain secure software supply chains.