Self-hosted, enterprise-grade security and code quality scanning platform
CloudScan is a free, open-source alternative to expensive commercial security scanning tools (SonarQube Enterprise, Snyk, Checkmarx). It provides:
- Multiple scan types: SAST, SCA, Secrets Detection, License Compliance
- Beautiful web UI with real-time progress updates
- Self-hosted on your Kubernetes cluster (full data privacy)
- Multi-tenant architecture for organizations
- Easy deployment via Helm chart (5-minute setup)
- Extensible plugin architecture for custom scanners
Cost Comparison:
- SonarQube Enterprise: $150,000+/year
- Snyk Enterprise: $50,000+/year
- Checkmarx: $100,000+/year
- CloudScan: FREE
CloudScan is built as a distributed microservices platform:
```text
   +------------------------------------------------------------------------------+
   |                                   React UI                                   |
   |                            (Upload, View Results)                            |
   +-------+-------------------------------------+----------------------+---------+
           |                                     |                      |
           | 1. Create scan                      | 2. Upload source     | 3. Watch logs
           v                                     v                      v
   +----------------+                   +-----------------+   +-------------------+
   |  API Gateway   |                   | Storage Service |   | WebSocket Service |
   |  (REST/gRPC)   |                   |     (gRPC)      |   |  (Live updates)   |
   +-------+--------+                   +--------+--------+   +---------^---------+
           |                                     |                      |
           | CreateScan(artifact_id)             |                      |
           v                                     |                      |
   +--------------------+                        |                      |
   |    Orchestrator    |                        |                      |
   |  - Scan mgmt       |<-----------------------+                      |
   |  - K8s dispatcher  |  GetArtifact(presigned URL)                   |
   |  - gRPC APIs       |                                               |
   +-------+------------+                                               |
           |                                                            |
           | 4. Create K8s Job                                          |
           |    with SOURCE_DOWNLOAD_URL                                |
           v                                                            |
   +---------------------+                                              |
   | Kubernetes Cluster  |                                              |
   |  +---------------+  |                                              |
   |  |  Runner Pod   |  |   5. Stream logs                             |
   |  |  - Semgrep    |--+----------------------------------------------+
   |  |  - Trivy      |  |
   |  |  - TruffleHog |  |
   |  |  - ScanCode   |  |
   |  +-------+-------+  |
   +----------+----------+
              |
              | 6. Download source (presigned URL)
              v
   +---------------------+
   |    S3/MinIO/GCS     |
   |   Object Storage    |
   |   - Source code     |
   |   - Scan artifacts  |
   +----------+----------+
              |
              | 7. CreateFindings(gRPC)
              |    UpdateScan(gRPC)
              v
   +---------------------+
   |     PostgreSQL      |
   |   - Scans           |
   |   - Findings        |
   |   - Artifacts       |
   +---------------------+
```
Services:
- cloudscan-ui: React frontend with real-time updates
- cloudscan-api-gateway: HTTP gateway with authentication
- cloudscan-orchestrator: Core service (job management, K8s dispatcher)
- cloudscan-storage: Multi-cloud storage abstraction (S3/GCS/Azure)
- cloudscan-websocket: Real-time log streaming
- cloudscan-runner: Scanner executors (runs in K8s Jobs)
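Step 4 passes SOURCE_DOWNLOAD_URL into the runner's K8s Job and step 6 has the runner fetch the source from that presigned URL. As an added example (not CloudScan's own code), here is the guard a runner should apply before trusting that environment value: HTTPS to an allow-listed object-store host only, an S3-style X-Amz-Date/X-Amz-Expires window that is still open, and a hard size cap on the download. Function names, the 512 MiB limit and the storage host names are hypothetical, and GCS-style X-Goog-* parameters are not handled.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/url"
	"time"
)
const maxArtifactBytes = 512 << 20 // constructed limit for this example: 512 MiB
// ValidateSourceURL checks the presigned SOURCE_DOWNLOAD_URL handed to the runner
// pod: HTTPS only, allow-listed object-store host, S3-style expiry still open.
func ValidateSourceURL(raw string, allowedHosts map[string]bool, now time.Time) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || !allowedHosts[u.Hostname()] {
		return nil, errors.New("URL must be https and point at an allowed storage host")
	}
	q := u.Query()
	if d, e := q.Get("X-Amz-Date"), q.Get("X-Amz-Expires"); d != "" && e != "" {
		signed, err1 := time.Parse("20060102T150405Z", d)
		ttl, err2 := time.ParseDuration(e + "s") // X-Amz-Expires is in seconds
		if err1 != nil || err2 != nil {
			return nil, errors.New("malformed presigned URL parameters")
		}
		if now.After(signed.Add(ttl)) {
			return nil, errors.New("presigned URL has expired")
		}
	}
	return u, nil
}
// DownloadSource reads the artifact under a hard size cap and fails, rather than
// silently truncating, when the body exceeds maxArtifactBytes.
func DownloadSource(client *http.Client, u *url.URL) ([]byte, error) {
	resp, err := client.Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, errors.New("storage returned " + resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxArtifactBytes+1))
	if err == nil && len(body) > maxArtifactBytes {
		return nil, errors.New("artifact exceeds size limit")
	}
	return body, err
}
```

Without the status check an expired presigned URL would hand the scanners a 403 error body as if it were source; without the cap a single oversized upload could exhaust the runner pod's disk or memory.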
Prerequisites:
- Kubernetes cluster (v1.28+)
- Helm 3.x
- kubectl configured

```bash
# Add Helm repository
helm repo add cloudscan https://charts.cloudscan.dev
helm repo update

# Install CloudScan (the bracketed --set key is quoted so the shell does not treat it as a glob)
helm install cloudscan cloudscan/cloudscan \
  --namespace cloudscan \
  --create-namespace \
  --set postgresql.enabled=true \
  --set storage.type=s3 \
  --set storage.s3.bucket=my-scans-bucket \
  --set ingress.enabled=true \
  --set 'ingress.hosts[0].host=cloudscan.mycompany.com'
```

Navigate to: https://cloudscan.mycompany.com

Create your account and start scanning!
```text
cloudscan/
├── cloudscan-orchestrator/   # Core orchestration service (Go)
├── cloudscan-ui/             # React frontend
├── cloudscan-storage/        # Storage service (Go)
├── cloudscan-api-gateway/    # API gateway (Go)
├── cloudscan-websocket/      # WebSocket service (Go)
├── cloudscan-runner/         # Scanner runner (Go)
├── protobuf/                 # Shared protobuf definitions
├── shared/                   # Shared Go libraries
├── charts/                   # Helm charts
├── docs/                     # Documentation
└── scripts/                  # Build and deployment scripts
```
See individual service READMEs for development setup:
| Type | Tool | What it Scans |
|---|---|---|
| SAST | Semgrep | Security vulnerabilities in code (SQL injection, XSS, etc.) |
| SCA | Trivy | Vulnerable dependencies (CVEs in npm, pip, maven, etc.) |
| Secrets | TruffleHog | API keys, passwords, tokens leaked in code |
| License | ScanCode | Open-source license compliance |
- Startups: Free alternative to expensive commercial tools
- Enterprises: Self-hosted solution for compliance (GDPR, HIPAA, SOC2)
- Open Source Projects: Public scanning with badges
- Educational: Teaching secure coding practices
We welcome contributions! See CONTRIBUTING.md for guidelines.
Ways to contribute:
- Report bugs
- Suggest features
- Improve documentation
- Submit pull requests
- Star the repo!
Apache 2.0 - see LICENSE
CloudScan leverages these amazing open-source tools:
- Documentation: https://docs.cloudscan.dev
- Community Discord: https://discord.gg/cloudscan
- GitHub Issues: https://github.com/cloudscan/cloudscan/issues
- Email: support@cloudscan.dev
Made with ❤️ by developers, for developers