Skip to content

Releases: 3011/cfscan

CF Scanner v2.1.0

Choose a tag to compare

@github-actions github-actions released this 19 Jul 15:51
686022d

Highlights

CF Scanner v2.1.0 standardizes all business workflows on centered dialogs, following the official shadcn/ui component semantics. Side sheets are now reserved for supplemental navigation surfaces such as the mobile sidebar.

Centered business workflows

The following workflows now use centered Dialog components:

  • Connect an Agent
  • Create a scan job
  • Create or edit a scan schedule
  • Edit blacklist recheck settings
  • Edit source synchronization settings

Long dialogs use a fixed header, scrollable content area, and fixed footer. Mobile layouts remain centered, stay within the viewport, and preserve safe-area spacing.

Permanent UI boundaries

  • Business feature code can no longer import the Sheet primitive.
  • Sheet remains available for the mobile navigation sidebar and future supplemental read-only panels.
  • Destructive actions and unsaved-change confirmations continue to use AlertDialog.
  • Desktop and mobile browser regression now verifies ten centered-dialog scenarios, viewport containment, and zero page overflow.

Validation

  • Go tests and race detector passed.
  • Frontend lint, TypeScript, Vitest, and production build passed.
  • Desktop routes: 8/8.
  • Mobile routes: 8/8.
  • Centered dialog checks: 10/10.
  • Browser errors: 0.
  • Dependency audit: 0 known vulnerabilities.
  • Gitleaks history and worktree: 0 findings.

Images

ghcr.io/3011/cfscan-server:v2.1.0
ghcr.io/3011/cfscan-agent:v2.1.0
ghcr.io/3011/cfscan-web:v2.1.0

All three images support linux/amd64 and linux/arm64 and include SBOM and provenance attestations.

CF Scanner v2.0.0

Choose a tag to compare

@github-actions github-actions released this 18 Jul 03:36
80f7114

CF Scanner v2.0.0

CF Scanner v2 unifies the Web console, management API, and Agent API behind one public origin, and permanently removes the shared Agent-token compatibility layer.

Highlights

  • One public origin configured by CFSCAN_PUBLIC_URL.
  • Recommended routing:
    • /api/* → Center
    • /healthz → Center
    • /* → Web
  • Browser-approved Agent pairing and preauthorized deployment remain the only enrollment methods.
  • Every Agent uses its own long-term Bearer credential and saved identity.json.
  • Go module path is now github.com/3011/cfscan/v2.

Breaking changes

The following v1 compatibility surfaces were removed:

  • CFSCAN_AGENT_TOKEN shared authentication;
  • POST /api/v1/agent/register;
  • legacy Agent name, region, and continent registration environment variables;
  • auth_mode in the API and database;
  • agent_id in heartbeat, task-claim, and result-upload request bodies;
  • CFSCAN_PUBLIC_WEB_URL and CFSCAN_PUBLIC_AGENT_URL.

Agents must have a valid per-Agent identity created by connect or join. A v1.1.x Agent that still relies on the shared token must be enrolled before upgrading to v2.

Upgrade guide

  1. Back up PostgreSQL.
  2. Confirm every existing Agent already uses a per-Agent identity.json.
  3. Configure one HTTPS origin with CFSCAN_PUBLIC_URL.
  4. Route /api and /healthz directly to Center, and / to Web.
  5. Update each saved identity's server_url to the unified origin.
  6. Upgrade Center, Web, and Agents to v2.0.0.
  7. Remove the old Agent-only Ingress, hostname, certificate, and shared-token Secret.

Existing Agent IDs, credentials, tasks, and scan history remain valid when upgrading from v1.1.x per-Agent identities.

Downloads

Release archives contain the Center, Agent, license, notice, and changelog for Linux amd64 and arm64. Verify downloads with the adjacent SHA-256 files:

sha256sum -c cfscan-linux-amd64.tar.gz.sha256
sha256sum -c cfscan-linux-arm64.tar.gz.sha256

Container images

ghcr.io/3011/cfscan-server:v2.0.0
ghcr.io/3011/cfscan-agent:v2.0.0
ghcr.io/3011/cfscan-web:v2.0.0

OCI index digests:

cfscan-server  sha256:27c923af2c2fb2dd17cc922edb5e7834860f9d9e9771f072beb0d576d1ab0164
cfscan-agent   sha256:513ed7b15a44a03ce930306ac0118abf37d2e2a438943fdb68594f20ead62e66
cfscan-web     sha256:84a944d765b39125e07a9adf477c7ca9f5f089aab4fb000c8a27f401dfce336a

Each image includes linux/amd64, linux/arm64, SBOM, and provenance attestations. The latest tag points to the same OCI indexes.

Security and responsible use

Center stores only hashes of pairing keys and Agent secrets. Production Agents should connect only over HTTPS. CF Scanner performs active network measurements; use it only on systems and address ranges you own or are authorized to test.

CF Scanner is an independent open-source project and is not affiliated with, endorsed by, or sponsored by Cloudflare, Inc.

CF Scanner v1.1.1

Choose a tag to compare

@github-actions github-actions released this 17 Jul 14:45
e67c677

CF Scanner v1.1.1

Security hardening release following v1.1.0.

Fixed

  • Enforced the 10,000-target sampling limit inside the target sampler itself, rather than relying only on API-layer validation.
  • Removed request-sized Slice and Map preallocations from target sampling, result pagination, and automation history.
  • Closed all four open High-severity go/uncontrolled-allocation-size CodeQL alerts.

The changes do not alter API responses, database schema, Agent protocol, or enrollment behavior.

Upgrade

Upgrade Center to v1.1.1. Web and Agent images are also published with the same immutable release tag for consistent deployments.

ghcr.io/3011/cfscan-server:v1.1.1
ghcr.io/3011/cfscan-agent:v1.1.1
ghcr.io/3011/cfscan-web:v1.1.1

Validation

  • Go unit tests and race detector;
  • complete frontend checks and production build;
  • CodeQL, Gitleaks, Dependency Review, and GitGuardian;
  • production dependency audit with no known vulnerabilities;
  • Linux amd64/arm64 binaries with clean VCS metadata;
  • multi-architecture GHCR images with SBOM and provenance.

CF Scanner v1.1.0

Choose a tag to compare

@github-actions github-actions released this 17 Jul 14:20
856df93

CF Scanner v1.1.0

This release introduces guided Agent enrollment and independent per-node credentials.

Agent enrollment

CF Scanner now provides two onboarding paths that converge on the same long-term Agent protocol:

  • Agent-initiated pairing: run a secret-free connect command, open the displayed Web URL, review the node, and approve it.
  • Preauthorized automation: create an enrollment from the Web console and use the generated one-time token with join for unattended deployments.

A formal Agent record is created only when an enrollment is claimed, so unused automation enrollments do not create permanently offline placeholder nodes.

Independent credentials

Every newly enrolled Agent receives its own identity and long-term Bearer credential:

  • pairing tokens are UUID v4 values, short-lived, single-use, and stored by Center only as SHA-256 hashes;
  • long-term secrets are generated locally by the Agent and stored by Center only as hashes;
  • credentials are bound to one Agent, so request-body agent_id values cannot impersonate another node;
  • the legacy shared token cannot operate or overwrite independently paired Agents;
  • new installations disable legacy shared-token authentication by default.

Existing shared-token Agents remain supported during migration.

Agent CLI

New commands:

cfscan-agent connect --server https://agent.example.com
cfscan-agent join --server https://agent.example.com --token-file /run/secrets/cfscan-enrollment-token
cfscan-agent version

Additional behavior:

  • saves identity atomically to identity.json with restricted permissions;
  • reuses an existing identity after restart;
  • supports --token, --token-file, and --token-stdin for automation;
  • supports --pair-only for provisioning workflows;
  • rejects non-loopback cleartext HTTP unless --allow-insecure-http is explicitly supplied;
  • reports the release version correctly in the approval interface.

Docker images pre-create a writable /var/lib/cfscan-agent identity directory for the non-root Agent user.

Management interface

The Agent page now includes:

  • pending and approved enrollment requests;
  • a guided Add Agent Sheet;
  • Agent-initiated and preauthorized deployment choices;
  • generated binary and Docker commands;
  • a responsive approval route with pending, approved, connected, rejected, and expired states;
  • visible distinction between independent credentials and legacy shared authentication.

Pairing routes are excluded from Web access logs, and Center logs redact pairing UUID path segments.

Configuration

New Center settings:

CFSCAN_PUBLIC_WEB_URL
CFSCAN_PUBLIC_AGENT_URL
CFSCAN_AGENT_IMAGE
CFSCAN_AGENT_VERSION
CFSCAN_AGENT_ENROLLMENT_TTL
CFSCAN_AGENT_ENROLLMENT_POLL_INTERVAL

New Agent setting:

CFSCAN_AGENT_IDENTITY_FILE

See docs/agent-enrollment.md and docs/operations.md for the complete workflow and migration guidance.

Upgrade order

  1. Back up PostgreSQL.
  2. Upgrade Center and Web first.
  3. Keep the legacy shared token configured while old Agents are still running.
  4. Upgrade each Agent and reconnect it through connect or join.
  5. Confirm the Agent uses independent authentication and is sending heartbeats.
  6. Disable the legacy shared token after all nodes have migrated.

The schema change is additive. Compatibility testing confirmed that a v1.0.0 Center can still start against a database migrated by v1.1.0.

Validation

  • Go vet, unit tests, and race detector;
  • frontend UI boundaries, ESLint, TypeScript, Vitest, and production build;
  • real PostgreSQL enrollment integration;
  • real Agent container pairing, approval, identity persistence, and identity reuse;
  • legacy/new authentication isolation;
  • desktop and mobile browser regression for enrollment UI;
  • CodeQL, Gitleaks, Dependency Review, and GitGuardian;
  • Linux amd64/arm64 binary checksums and clean VCS build metadata;
  • multi-architecture GHCR images with SBOM and provenance.

Images

ghcr.io/3011/cfscan-server:v1.1.0
ghcr.io/3011/cfscan-agent:v1.1.0
ghcr.io/3011/cfscan-web:v1.1.0

Full changelog: v1.0.0...v1.1.0

CF Scanner v1.0.0

Choose a tag to compare

@github-actions github-actions released this 17 Jul 10:05
294e3f6

CF Scanner v1.0.0 is the first public release of the distributed Cloudflare Anycast IP scanning, ranking, and monitoring platform.

Highlights

  • Central Go service with PostgreSQL-backed task leasing, scheduling, results, authentication, and automation.
  • Outbound-only regional Agents for distributed TCP, TLS, TTFB, HTTP, CF-RAY, and colo measurements.
  • React management console with result ranking, history, geographic filters, scan jobs, blacklist rechecks, data-source synchronization, schedules, and role-based access control.
  • Agent-scoped results and blacklists for Anycast-aware observations.
  • Docker Compose quick start and production-ready multi-architecture container images.

Downloads

The release includes statically linked Linux binaries for amd64 and arm64. Each archive contains the Center, Agent, Apache-2.0 license, notice, and changelog.

Verify a downloaded archive from the same directory:

sha256sum -c cfscan-linux-amd64.tar.gz.sha256
sha256sum -c cfscan-linux-arm64.tar.gz.sha256

Container images

docker pull ghcr.io/3011/cfscan-server:v1.0.0
docker pull ghcr.io/3011/cfscan-agent:v1.0.0
docker pull ghcr.io/3011/cfscan-web:v1.0.0

All three images support Linux amd64 and arm64. The published OCI indexes also include SBOM and provenance attestations.

Security and project trust

  • Apache License 2.0.
  • Clean public Git history with no internal repository history.
  • Full-history and working-tree Gitleaks scans: zero findings.
  • GitHub Secret Scanning and Push Protection enabled.
  • CodeQL, dependency review, Dependabot, Gitleaks, and protected-branch CI enabled.
  • Zero open Dependabot security alerts at release time.

Responsible use

Only scan systems and addresses you are authorized to test. This is an independent open-source project and is not affiliated with, endorsed by, or sponsored by Cloudflare, Inc. Cloudflare is a trademark of Cloudflare, Inc.

See the README, Chinese README, documentation, security policy, and contribution guide.