ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0

ANNOUNCE: Scan is now in maintenance mode #352

Open prabhu opened 2 years ago

prabhu commented 2 years ago

Scan version 2 is now in maintenance mode. Only critical fixes, if any, would be considered, with no new features planned.

What is the issue?

Scan (formerly AppThreat sast-scan) has served many users, including me, over these last 2 years. Version 2 brought in lots of exciting new tools and capabilities but demonstrated a few limitations which I, personally, am not happy with.

Locking this version essentially would give me breathing space to think about the next thing.

Will there be a version 3?

The next evolution of scan would aim to address the question "What is a security scan?" both technically and philosophically. I no longer believe that producing reports by invoking multiple tools is exciting and useful for developers and AppSec alike. A new version that presumably uses a new architecture to support containers, binaries and other formats would require a serious amount of support time for migrations, which I don't have. Plus, I would like to move away from GitHub to sourcehut for all my open-source work. So, the promise is new product, new tech instead of upgrades.

Possible questions

Should we fork slscan?

Sure, you can fork if there is a legitimate interest to maintain your open-source version. Be mindful of the license, which is GPL-3.0-or-later.

Should we remove slscan from the pipelines?

Not necessary. The container images would continue to be built and published on both Docker Hub and Quay on a daily basis. You could also publish it in your container registry.

Will there be an enterprise version?

No.

I've more questions

Please join our Discord.

erichs commented 2 years ago

Really appreciate the tremendous work you've consistently put into slscan over the last 2 years, @prabhu! Thanks for making such a useful tool that meets a huge need. Excited you're thinking afresh about this space, and can't wait to see what you dream up next!

zabbal commented 2 years ago

Are there particular sourcehut repo(s) worth keeping an eye on for new developments?

prabhu commented 2 years ago

@zabbal My new tool, a binary linter called blint, can be found here: https://git.sr.ht/~prabhu/blint