Releases: 3011/cfscan
Release list
CF Scanner v2.1.0
Highlights
CF Scanner v2.1.0 standardizes all business workflows on centered dialogs, following the official shadcn/ui component semantics. Side sheets are now reserved for supplemental navigation surfaces such as the mobile sidebar.
Centered business workflows
The following workflows now use centered Dialog components:
- Connect an Agent
- Create a scan job
- Create or edit a scan schedule
- Edit blacklist recheck settings
- Edit source synchronization settings
Long dialogs use a fixed header, scrollable content area, and fixed footer. Mobile layouts remain centered, stay within the viewport, and preserve safe-area spacing.
Permanent UI boundaries
- Business feature code can no longer import the
Sheetprimitive. Sheetremains available for the mobile navigation sidebar and future supplemental read-only panels.- Destructive actions and unsaved-change confirmations continue to use
AlertDialog. - Desktop and mobile browser regression now verifies ten centered-dialog scenarios, viewport containment, and zero page overflow.
Validation
- Go tests and race detector passed.
- Frontend lint, TypeScript, Vitest, and production build passed.
- Desktop routes: 8/8.
- Mobile routes: 8/8.
- Centered dialog checks: 10/10.
- Browser errors: 0.
- Dependency audit: 0 known vulnerabilities.
- Gitleaks history and worktree: 0 findings.
Images
ghcr.io/3011/cfscan-server:v2.1.0
ghcr.io/3011/cfscan-agent:v2.1.0
ghcr.io/3011/cfscan-web:v2.1.0
All three images support linux/amd64 and linux/arm64 and include SBOM and provenance attestations.
CF Scanner v2.0.0
CF Scanner v2.0.0
CF Scanner v2 unifies the Web console, management API, and Agent API behind one public origin, and permanently removes the shared Agent-token compatibility layer.
Highlights
- One public origin configured by
CFSCAN_PUBLIC_URL. - Recommended routing:
/api/*→ Center/healthz→ Center/*→ Web
- Browser-approved Agent pairing and preauthorized deployment remain the only enrollment methods.
- Every Agent uses its own long-term Bearer credential and saved
identity.json. - Go module path is now
github.com/3011/cfscan/v2.
Breaking changes
The following v1 compatibility surfaces were removed:
CFSCAN_AGENT_TOKENshared authentication;POST /api/v1/agent/register;- legacy Agent name, region, and continent registration environment variables;
auth_modein the API and database;agent_idin heartbeat, task-claim, and result-upload request bodies;CFSCAN_PUBLIC_WEB_URLandCFSCAN_PUBLIC_AGENT_URL.
Agents must have a valid per-Agent identity created by connect or join. A v1.1.x Agent that still relies on the shared token must be enrolled before upgrading to v2.
Upgrade guide
- Back up PostgreSQL.
- Confirm every existing Agent already uses a per-Agent
identity.json. - Configure one HTTPS origin with
CFSCAN_PUBLIC_URL. - Route
/apiand/healthzdirectly to Center, and/to Web. - Update each saved identity's
server_urlto the unified origin. - Upgrade Center, Web, and Agents to v2.0.0.
- Remove the old Agent-only Ingress, hostname, certificate, and shared-token Secret.
Existing Agent IDs, credentials, tasks, and scan history remain valid when upgrading from v1.1.x per-Agent identities.
Downloads
Release archives contain the Center, Agent, license, notice, and changelog for Linux amd64 and arm64. Verify downloads with the adjacent SHA-256 files:
sha256sum -c cfscan-linux-amd64.tar.gz.sha256
sha256sum -c cfscan-linux-arm64.tar.gz.sha256Container images
ghcr.io/3011/cfscan-server:v2.0.0
ghcr.io/3011/cfscan-agent:v2.0.0
ghcr.io/3011/cfscan-web:v2.0.0
OCI index digests:
cfscan-server sha256:27c923af2c2fb2dd17cc922edb5e7834860f9d9e9771f072beb0d576d1ab0164
cfscan-agent sha256:513ed7b15a44a03ce930306ac0118abf37d2e2a438943fdb68594f20ead62e66
cfscan-web sha256:84a944d765b39125e07a9adf477c7ca9f5f089aab4fb000c8a27f401dfce336a
Each image includes linux/amd64, linux/arm64, SBOM, and provenance attestations. The latest tag points to the same OCI indexes.
Security and responsible use
Center stores only hashes of pairing keys and Agent secrets. Production Agents should connect only over HTTPS. CF Scanner performs active network measurements; use it only on systems and address ranges you own or are authorized to test.
CF Scanner is an independent open-source project and is not affiliated with, endorsed by, or sponsored by Cloudflare, Inc.
CF Scanner v1.1.1
CF Scanner v1.1.1
Security hardening release following v1.1.0.
Fixed
- Enforced the 10,000-target sampling limit inside the target sampler itself, rather than relying only on API-layer validation.
- Removed request-sized Slice and Map preallocations from target sampling, result pagination, and automation history.
- Closed all four open High-severity
go/uncontrolled-allocation-sizeCodeQL alerts.
The changes do not alter API responses, database schema, Agent protocol, or enrollment behavior.
Upgrade
Upgrade Center to v1.1.1. Web and Agent images are also published with the same immutable release tag for consistent deployments.
ghcr.io/3011/cfscan-server:v1.1.1
ghcr.io/3011/cfscan-agent:v1.1.1
ghcr.io/3011/cfscan-web:v1.1.1
Validation
- Go unit tests and race detector;
- complete frontend checks and production build;
- CodeQL, Gitleaks, Dependency Review, and GitGuardian;
- production dependency audit with no known vulnerabilities;
- Linux amd64/arm64 binaries with clean VCS metadata;
- multi-architecture GHCR images with SBOM and provenance.
CF Scanner v1.1.0
CF Scanner v1.1.0
This release introduces guided Agent enrollment and independent per-node credentials.
Agent enrollment
CF Scanner now provides two onboarding paths that converge on the same long-term Agent protocol:
- Agent-initiated pairing: run a secret-free
connectcommand, open the displayed Web URL, review the node, and approve it. - Preauthorized automation: create an enrollment from the Web console and use the generated one-time token with
joinfor unattended deployments.
A formal Agent record is created only when an enrollment is claimed, so unused automation enrollments do not create permanently offline placeholder nodes.
Independent credentials
Every newly enrolled Agent receives its own identity and long-term Bearer credential:
- pairing tokens are UUID v4 values, short-lived, single-use, and stored by Center only as SHA-256 hashes;
- long-term secrets are generated locally by the Agent and stored by Center only as hashes;
- credentials are bound to one Agent, so request-body
agent_idvalues cannot impersonate another node; - the legacy shared token cannot operate or overwrite independently paired Agents;
- new installations disable legacy shared-token authentication by default.
Existing shared-token Agents remain supported during migration.
Agent CLI
New commands:
cfscan-agent connect --server https://agent.example.com
cfscan-agent join --server https://agent.example.com --token-file /run/secrets/cfscan-enrollment-token
cfscan-agent versionAdditional behavior:
- saves identity atomically to
identity.jsonwith restricted permissions; - reuses an existing identity after restart;
- supports
--token,--token-file, and--token-stdinfor automation; - supports
--pair-onlyfor provisioning workflows; - rejects non-loopback cleartext HTTP unless
--allow-insecure-httpis explicitly supplied; - reports the release version correctly in the approval interface.
Docker images pre-create a writable /var/lib/cfscan-agent identity directory for the non-root Agent user.
Management interface
The Agent page now includes:
- pending and approved enrollment requests;
- a guided Add Agent Sheet;
- Agent-initiated and preauthorized deployment choices;
- generated binary and Docker commands;
- a responsive approval route with pending, approved, connected, rejected, and expired states;
- visible distinction between independent credentials and legacy shared authentication.
Pairing routes are excluded from Web access logs, and Center logs redact pairing UUID path segments.
Configuration
New Center settings:
CFSCAN_PUBLIC_WEB_URL
CFSCAN_PUBLIC_AGENT_URL
CFSCAN_AGENT_IMAGE
CFSCAN_AGENT_VERSION
CFSCAN_AGENT_ENROLLMENT_TTL
CFSCAN_AGENT_ENROLLMENT_POLL_INTERVAL
New Agent setting:
CFSCAN_AGENT_IDENTITY_FILE
See docs/agent-enrollment.md and docs/operations.md for the complete workflow and migration guidance.
Upgrade order
- Back up PostgreSQL.
- Upgrade Center and Web first.
- Keep the legacy shared token configured while old Agents are still running.
- Upgrade each Agent and reconnect it through
connectorjoin. - Confirm the Agent uses independent authentication and is sending heartbeats.
- Disable the legacy shared token after all nodes have migrated.
The schema change is additive. Compatibility testing confirmed that a v1.0.0 Center can still start against a database migrated by v1.1.0.
Validation
- Go vet, unit tests, and race detector;
- frontend UI boundaries, ESLint, TypeScript, Vitest, and production build;
- real PostgreSQL enrollment integration;
- real Agent container pairing, approval, identity persistence, and identity reuse;
- legacy/new authentication isolation;
- desktop and mobile browser regression for enrollment UI;
- CodeQL, Gitleaks, Dependency Review, and GitGuardian;
- Linux amd64/arm64 binary checksums and clean VCS build metadata;
- multi-architecture GHCR images with SBOM and provenance.
Images
ghcr.io/3011/cfscan-server:v1.1.0
ghcr.io/3011/cfscan-agent:v1.1.0
ghcr.io/3011/cfscan-web:v1.1.0
Full changelog: v1.0.0...v1.1.0
CF Scanner v1.0.0
CF Scanner v1.0.0 is the first public release of the distributed Cloudflare Anycast IP scanning, ranking, and monitoring platform.
Highlights
- Central Go service with PostgreSQL-backed task leasing, scheduling, results, authentication, and automation.
- Outbound-only regional Agents for distributed TCP, TLS, TTFB, HTTP, CF-RAY, and colo measurements.
- React management console with result ranking, history, geographic filters, scan jobs, blacklist rechecks, data-source synchronization, schedules, and role-based access control.
- Agent-scoped results and blacklists for Anycast-aware observations.
- Docker Compose quick start and production-ready multi-architecture container images.
Downloads
The release includes statically linked Linux binaries for amd64 and arm64. Each archive contains the Center, Agent, Apache-2.0 license, notice, and changelog.
Verify a downloaded archive from the same directory:
sha256sum -c cfscan-linux-amd64.tar.gz.sha256
sha256sum -c cfscan-linux-arm64.tar.gz.sha256Container images
docker pull ghcr.io/3011/cfscan-server:v1.0.0
docker pull ghcr.io/3011/cfscan-agent:v1.0.0
docker pull ghcr.io/3011/cfscan-web:v1.0.0All three images support Linux amd64 and arm64. The published OCI indexes also include SBOM and provenance attestations.
Security and project trust
- Apache License 2.0.
- Clean public Git history with no internal repository history.
- Full-history and working-tree Gitleaks scans: zero findings.
- GitHub Secret Scanning and Push Protection enabled.
- CodeQL, dependency review, Dependabot, Gitleaks, and protected-branch CI enabled.
- Zero open Dependabot security alerts at release time.
Responsible use
Only scan systems and addresses you are authorized to test. This is an independent open-source project and is not affiliated with, endorsed by, or sponsored by Cloudflare, Inc. Cloudflare is a trademark of Cloudflare, Inc.
See the README, Chinese README, documentation, security policy, and contribution guide.