/dec 4, 2017

Introducing Quick Scan

By Jet Anderson

Sometimes you need to get information quickly on what's going into your project. You may not even have the project in a buildable state yet. So, if you're pulling together packages to solve your coding challenges but you're not anywhere near the point of building, how do you get actionable intelligence to help you make smart decisions about what you're putting in this build?

This is where Quick Scan comes in.

What is Quick Scan?

Quick Scan is a SourceClear agent update allowing scans that require no build, compilation, or dependency resolution steps. It could be considered a 'light' scan or a simple scan, one that requires no build tools, compilers, or runtimes. All that's required is the SourceClear Agent and a build file or folder.

Quick Scan allows you to do a blinding fast but shallow review of the build contents by merely reviewing the manifest from your package manager. Where a full scan would go deeper into your build, identifying the use of vulnerable methods and such, Quick Scan skips the more time-consuming steps to give you a snapshot of risk before you ever make your first build.

Benchmarking Quick Scan with EFDA

You might be thinking to yourself, why do a full scan then if Quick Scan is so fast? To answer that we'll point you to a previous post where we introduced you to the Evaluation Framework for Dependency Analysis (EFDA). We use this tool ourselves to evaluate the effectiveness of dependency vulnerability analysis between subsequent versions of our scanning engine and have made it free and open source to the community, available on GitHub.

You'll notice from the spreadsheet that we've added a tab for Quick Scan to show the difference in depth of scan results.

Given the results of this analysis, we don't recommend using Quick Scan beyond early stages of development.

Using Quick Scan

Current support is available for Java Jar files, Ruby gemfile.lock, Node Package Manager shrinkwrap and package.lock, Python pipfile.lock, Glide glide.lock, Go Dep Godeps.json, Cocoa podfile.lock, PHP composer.lock, whatever is in your Go project /vendor directory and Trash.

Enabling Quick Scan

The Quick Scan feature is now available as part of a recent release. Make sure your CLI Agent is up to date then:

Run the Sourceclear CLI with:

$ srcclr scan --quick [directory/url]

Full Scan Vs. Quick Scan

So, when you should you use Quick Scan?

Use Quick Scan

  • When the speed of results is more important than scan depth
  • Early in the SDLC, especially on the desktop or on dev builds
  • During prototyping for quick results on as yet unbuildable projects

Use Full Scan (without --quick)

  • On the desktop when you need greater detail, like during defect mitigation
  • In later stage pipeline builds, especially candidates for production release


We think Quick Scan is a great tool to put in your pocket for getting speedy results.

To recap,

  • Quick Scan is what many of our competitors do: we just make a list of what's in the build then show you what we know about it.
  • A "full" scan (without the --quick flag) will always be the most accurate. Our EFDA tool shows a 3x improvement in scan depth and results. A full scan is the best way to go where time allows.

Related Posts

By Jet Anderson

Jet is a technical evanglist at Veracode. He likes talking to customers and helping them with their DevSecOps journey.