Sometimes you need to get information quickly on what's going into your project. You may not even have the project in a buildable state yet. So, if you're pulling together packages to solve your coding challenges but you're not anywhere near the point of building, how do you get actionable intelligence to help you make smart decisions about what you're putting in this build?
This is where Quick Scan comes in.
Quick Scan is a SourceClear agent update allowing scans that require no build, compilation, or dependency resolution steps. It could be considered a 'light' scan or a simple scan, one that requires no build tools, compilers, or runtimes. All that's required is the SourceClear Agent and a build file or folder.
Quick Scan allows you to do a blindingly fast but shallow review of the build contents by merely reviewing the manifest from your package manager. Where a full scan would go deeper into your build, identifying the use of vulnerable methods and the like, Quick Scan skips the more time-consuming steps to give you a snapshot of risk before you ever make your first build.
You might be thinking to yourself, why do a full scan then if Quick Scan is so fast? To answer that we'll point you to a previous post where we introduced you to the Evaluation Framework for Dependency Analysis (EFDA). We use this tool ourselves to evaluate the effectiveness of dependency vulnerability analysis between subsequent versions of our scanning engine and have made it free and open source to the community, available on GitHub.
You'll notice from the spreadsheet that we've added a tab for Quick Scan to show the difference in depth of scan results.
Given the results of this analysis, we don't recommend using Quick Scan beyond early stages of development.
Current support is available for Java Jar files, Ruby gemfile.lock, Node Package Manager shrinkwrap and package.lock, Python pipfile.lock, Glide glide.lock, Go Dep Godeps.json, Cocoa podfile.lock, PHP composer.lock, whatever is in your Go project /vendor directory and Trash.
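To make concrete what a manifest-only scan has to work with, here is an added example (not SourceClear's code) that inventories the resolved name/version pairs from two of the formats listed above, a Ruby Gemfile.lock and an npm package-lock.json; the sample manifests are constructed. Note what is absent from the result: nothing in a lockfile says which methods of those packages the application actually calls, which is the information a full scan adds.

```python
import json
import re

# Constructed sample manifests for illustration (not from the original post).
GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.8.2)
      mini_portile2 (~> 2.3.0)
    mini_portile2 (2.3.0)
    rack (2.0.4)

PLATFORMS
  ruby

DEPENDENCIES
  nokogiri
  rack
"""

PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "version": "0.1.0", "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.4"},
        "express": {"version": "4.16.2",
                    "requires": {"debug": "2.6.9"},
                    "dependencies": {"debug": {"version": "2.6.9"}}},
    },
})

def parse_gemfile_lock(text):
    """Return {gem: version} for every resolved gem in the GEM specs block.
    Resolved gems sit at four spaces of indent; deeper lines are a gem's own
    requirements, which appear again as resolved entries of their own."""
    deps, in_specs = {}, False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and not line.startswith(" "):
            in_specs = False          # blank line or next section: GEM block over
        m = re.match(r"^    (\S+) \(([^)]+)\)$", line)
        if in_specs and m:
            deps[m.group(1)] = m.group(2)
    return deps

def parse_package_lock(text):
    """Return {package: version}, descending into nested 'dependencies' so the
    transitive packages pinned by the lockfile are inventoried as well."""
    deps = {}
    def walk(tree):
        for name, info in tree.get("dependencies", {}).items():
            deps[name] = info["version"]
            walk(info)
    walk(json.loads(text))
    return deps
```

Each returned mapping is the whole input a manifest-only scan can match against a vulnerability database, which is why such a scan needs no build tools and also why it cannot tell you whether a flagged package's vulnerable code is ever reached.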
The Quick Scan feature is now available as part of a recent release. Make sure your CLI Agent is up to date then:
Run the SourceClear CLI with:
$ srcclr scan --quick [directory/url]
So, when should you use Quick Scan?
We think Quick Scan is a great tool to put in your pocket for getting speedy results.
A full scan (run without the --quick flag) will always be the most accurate. Our EFDA tool shows a 3x improvement in scan depth and results. A full scan is the best way to go where time allows.