-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ANNOUNCE: Scan is now in maintenance mode #352
Comments
Really appreciate the tremendous work you've consistently put into slscan over the last 2 years, @prabhu! Thanks for making such a useful tool that meets a huge need. Excited you're thinking afresh about this space, and can't wait to see what you dream up next! |
Is there particular sourcehut repo(s) worth keeping eye on for new developments? |
@zabbal My new tool, a binary linter called blint can be found here https://git.sr.ht/~prabhu/blint |
Note: The maintainer of Shift Left put the project in maintenance mode. See ShiftLeftSecurity/sast-scan#352
Development on this stopped in 2021 and apart from the (false positive) secret scan, dev suggests CodeQL replaces it, feature wise: ShiftLeftSecurity/sast-scan#352
Scan version 2 is now in maintenance mode. Only critical fixes if any would be considered, with no new features planned.
What is the issue?
Scan (formerly AppThreat sast-scan) has served many users including me over these last 2 years. Version 2 brought in lots of exciting new tools and capabilities but demonstrated few limitations which I, personally, am not happy with.
Locking this version essentially would give me breathing space to think about the next thing.
Will there be a version 3?
The next evolution of scan would aim to address the question
What is a security scan?
both technically and philosophically. I no longer believe that producing reports by invoking multiple tools is exciting and useful for developers and AppSec alike. A new version that presumably uses a new architecture to support containers, binaries and other formats would require a serious amount of support time for migrations, which I don't have. Plus, I would like to move away from GitHub to sourcehut for all my open-source work. So, the promise is new product, new tech instead of upgrades.Possible questions
Should we fork slscan?
Sure, you can fork if there is a legitimate interest to maintain your open-source version. Be mindful of the license, which is GPL-3.0-or-later.
Show we remove slscan from the pipelines?
Not necessary. The container images would continue to be built and published on both docker hub and quay on a daily basis. You could also publish it in your container registry.
Will there be an enterprise version?
No.
I've more questions
Please join our discord
The text was updated successfully, but these errors were encountered: