[FEATURE REQUEST] Background scanning

[ioqr]

Is your feature request related to a problem? Please describe.

The problem is that manual scanning can be forgotten, background scanning is an always-on proactive approach to application security

Describe the solution you'd like

The solution I have in mind is for Secr to run as an always-on service that scans a list of known endpoints for servers

Describe alternatives you've considered

There are two approaches I have thought of:

1. periodic scans: every 24-hours or some fixed time period, scan my servers
2. scanning is triggered by a deployment (such as integration with Github actions)

I think that periodic scanning is easiest to implement, and the code can be eventually reused in triggered scans, provided we add some sort of background-scanning functionality

Additional context

Not really targeted at localhost scanning, this is geared towards live staging and prod environments

[DGKSK8LIFE]

Thanks for this feature request! This is something I've been meaning to implement for a while.

Right now, I'm really concerned with localhost appsec and getting as close to development as possible, so regarding automatic/background scanning for that use-case, my implementation would probably involve checking for when an app hot reloads/when code changes within said app, and then executing SECR's scanning functionality automatically when that specific event occurs.

Regarding live staging and prod environments, you hit the nail on the head. You could also trigger SECR with a variety of other events, so open to ideas for that kind of use case.

Also, feel free to share your specific use case for SECR, would be happy to adapt the core product to that 😃. Thanks!

[ioqr]

Glad to hear that this is on the radar! No specific use case to share, but it is generally nice to be able to scan internet-facing servers. Since the list of CVEs is forever growing, secr might be able to detect and alert engineers about vulns the instant they become public

[DGKSK8LIFE]

This is already the case mostly since the disclosure in vulnerability databases tends to swiftly follow public disclosure anyways. Can look at DBs other than vulners though and compare dates published. Thanks again.