Description
Question:
re: https://aboutcode.org/scancode/
Please consider adding a bullet point that states whether ScanCode requires network access.
That is, does it work completely offline or does it have to send signatures/source code to a third-party system?
We cannot run any tools on our code base without assurance that the code will remain on-prem.
I suspect ScanCode runs completely offline, but it would be great to have that clearly and explicitly stated somewhere.
Short answer: Yes
ScanCode does not "phone home", works completely offline and does NOT send signatures/source code to a third-party system.
Long answer:
- ScanCode Toolkit can query pypi.org (which is not under our control but under Python.org control) to inquire if there is a new version https://github.com/aboutcode-org/scancode-toolkit/blob/f605c083e3ea7262a18f02bdee61b208921d69f6/src/scancode/outdated.py#L136 to alert if so. This can be disabled with a CLI flag (https://github.com/aboutcode-org/scancode-toolkit/blob/f605c083e3ea7262a18f02bdee61b208921d69f6/src/scancode/cli.py#L376). Everything is air-gapped alright.
- ScanCode.io scans code locally on your installation, completely air-gapped. The default installation comes configured for testing to work with the public APIs of:
  - VulnerableCode https://public.vulnerablecode.io/
  - PurlDB and MatchCode (for actual matching with signatures) https://public.purldb.io/api/
- A local deployment of VulnerableCode works from continuously importing data from all over the vulnerability databases and the package registries. You can elect not to run the importers and data improvers, but then you get no data and no value. You can import and sync a db from a backup from a network that has access to the internet to an air-gapped isolated network all right.
- A local deployment of PurlDB and MatchCode is conceptually similar to VulnerableCode ... but it only looks at the package registries and downloads packages for fingerprinting (to enable code matching). Same for the sync.
- DejaCode runs locally too. It integrates with a ScanCode.io deployment, a VulnerableCode deployment and a PurlDB deployment.

If you want to use VulnerableCode, PurlDB and MatchCode features with ScanCode.io or DejaCode, you will need to install these locally and configure them accordingly or else these will not work.
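For an on-prem deployment, the practical check that follows from the answer above is to confirm that none of the integration endpoints in the ScanCode.io configuration still point at the public services. The following is an added example, not code from the ScanCode projects; the `.env` variable names (`VULNERABLECODE_URL`, `PURLDB_URL`, `MATCHCODEIO_URL`) and the sample file contents are assumptions made for illustration.

```python
"""Audit a ScanCode.io-style .env file for integration endpoints that leave the
local network. The variable names below are assumed for this example and are
not taken from the project's own documentation."""
import ipaddress
from urllib.parse import urlsplit

# Assumed setting names for the integrations discussed in the answer above.
INTEGRATION_KEYS = ("VULNERABLECODE_URL", "PURLDB_URL", "MATCHCODEIO_URL")

# Constructed sample: a default-style config with two services still public.
SAMPLE_ENV = """
SECRET_KEY=changeme
VULNERABLECODE_URL=https://public.vulnerablecode.io/
PURLDB_URL=https://public.purldb.io/api/
MATCHCODEIO_URL=http://matchcode.internal:8001/api/
# trailing comment line
"""


def parse_env(text):
    """Minimal KEY=VALUE parser: skips blanks and comments, strips quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def is_local_endpoint(url):
    """True if the URL host is loopback, a private/link-local IP, or an
    internal-looking hostname. No DNS lookups, so the audit itself stays offline."""
    host = urlsplit(url).hostname or ""
    if not host:
        return False  # unparseable URL: report it so a human reviews it
    try:
        addr = ipaddress.ip_address(host)
        return addr.is_loopback or addr.is_private or addr.is_link_local
    except ValueError:
        pass  # not an IP literal, fall through to hostname heuristics
    if host == "localhost" or "." not in host:
        return True
    return host.endswith((".internal", ".local", ".lan"))


def audit_env(text):
    """Return {key: url} for configured integrations that point off-site."""
    env = parse_env(text)
    return {k: v for k, v in env.items()
            if k in INTEGRATION_KEYS and v and not is_local_endpoint(v)}
```

Run `audit_env` over the real `.env` before go-live; an empty result means every configured integration resolves to an on-prem address.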