
Feature/engine abstraction refactor #20

Merged
PrasanthYT merged 4 commits into main from feature/engine-abstraction-refactor
Mar 4, 2026

Conversation

@PrasanthYT
Contributor

Overview

This change introduces a unified engine abstraction layer and refactors the existing SCA implementation into a pluggable engine.

The goal is to establish a stable, engine-agnostic contract before expanding Scanr into additional scanning domains (container, IaC, SAST, secrets).

No behavioral changes were introduced.

Architecture Changes

New scanr-engine Crate

Introduced a new crate defining the core engine contract:

  • EngineType
  • Finding
  • Severity
  • ScanInput
  • ScanResult
  • ScanMetadata
  • ScanEngine trait

This crate now represents the stable security schema across all engines.

Unified Finding Model

All engines now return findings in a standardized format:

pub struct Finding {
    pub id: String,
    pub engine: EngineType,
    pub severity: Severity,
    pub title: String,
    pub description: String,
    pub location: Option<String>,
    pub remediation: Option<String>,
}

This becomes the canonical security data model.

SCA Refactored into scanr-sca

The previous scanr-core crate has been renamed to scanr-sca.

It now:

  • Depends on scanr-engine

  • Implements the ScanEngine trait

  • Wraps its results into the unified Finding model

  • Preserves:

    • Baseline tracking
    • OSV caching
    • Offline mode
    • License enforcement
    • Policy evaluation
    • Deterministic output

No SCA logic was removed or altered.

Engine Invocation Updated

CLI now invokes engines via abstraction:

let engine = ScaEngine::new();
let result = engine.scan(ScanInput::Path(path))?;

Direct SCA coupling has been removed.

Policy Layer Decoupled

Policy evaluation is now engine-agnostic.

Instead of operating on SCA-specific structures, it consumes:

Vec<Finding>

This allows future engines to integrate seamlessly without modifying policy logic.

Behavioral Guarantees

  • No CLI contract changes
  • No exit code changes
  • No baseline behavior changes
  • No cache behavior changes
  • No JSON/SARIF format changes
  • Deterministic output preserved
  • CI semantics unchanged

All existing tests pass.

Strategic Impact

This refactor establishes:

  • A stable engine contract

  • Clear separation of concerns

  • Pluggable scanning architecture

  • Future support for:

    • Container scanning
    • IaC scanning
    • SAST
    • Secret detection

Scanr now transitions from a single-engine tool to a multi-engine security platform foundation.

@PrasanthYT PrasanthYT merged commit 7b6d714 into main Mar 4, 2026
4 checks passed
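The contract described in this PR, as an added worked example that is not Scanr's code: the type names (EngineType, Severity, Finding, ScanInput, ScanResult, ScanEngine) follow the PR description, but the trait signature, the Inline input variant, the derives, the constructed advisory table, the SecretsEngine and the Policy type are all assumptions made here to show two engines feeding one engine-agnostic policy layer over Vec<Finding>, with deterministic ordering that does not depend on engine registration order.

```rust
// Added example, not Scanr's code. Names follow the PR; trait shape, Inline variant,
// derives, advisory table, SecretsEngine and Policy are assumptions for illustration.
use std::path::PathBuf;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum EngineType { Sca, Secrets }

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Low, Medium, High, Critical }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub id: String,
    pub engine: EngineType,
    pub severity: Severity,
    pub title: String,
    pub description: String,
    pub location: Option<String>,
    pub remediation: Option<String>,
}

pub enum ScanInput {
    Path(PathBuf),
    Inline(String), // assumed variant so the example runs offline on embedded text
}

pub struct ScanResult { pub engine: EngineType, pub findings: Vec<Finding> }

// Assumed trait shape, inferred from `engine.scan(ScanInput::Path(path))?` in the PR.
pub trait ScanEngine {
    fn scan(&self, input: &ScanInput) -> Result<ScanResult, String>;
}

fn lines_of(input: &ScanInput) -> Result<Vec<String>, String> {
    let text = match input {
        ScanInput::Path(p) => std::fs::read_to_string(p).map_err(|e| e.to_string())?,
        ScanInput::Inline(s) => s.clone(),
    };
    Ok(text.lines().map(str::to_owned).collect())
}

// Constructed advisory table (package, vulnerable version, advisory id, severity); not real data.
const ADVISORIES: &[(&str, &str, &str, Severity)] = &[
    ("urllib3", "1.26.5", "EX-0002", Severity::Medium),
    ("requests", "2.19.0", "EX-0001", Severity::High),
];

pub struct ScaEngine;

impl ScanEngine for ScaEngine {
    // Matches `name==version` pins against the advisory table and wraps hits as Findings.
    fn scan(&self, input: &ScanInput) -> Result<ScanResult, String> {
        let mut findings = Vec::new();
        for (n, line) in lines_of(input)?.iter().enumerate() {
            let Some((name, version)) = line.split_once("==") else { continue };
            for (pkg, bad, id, sev) in ADVISORIES {
                if *pkg == name.trim() && *bad == version.trim() {
                    findings.push(Finding {
                        id: id.to_string(),
                        engine: EngineType::Sca,
                        severity: *sev,
                        title: format!("{pkg} {bad} has a known advisory"),
                        description: format!("advisory {id} applies to {pkg}=={bad}"),
                        location: Some(format!("line {}", n + 1)),
                        remediation: Some(format!("upgrade {pkg}")),
                    });
                }
            }
        }
        Ok(ScanResult { engine: EngineType::Sca, findings })
    }
}

pub struct SecretsEngine;

impl ScanEngine for SecretsEngine {
    // Flags any `api_key=` assignment; a second engine emitting the same Finding model.
    fn scan(&self, input: &ScanInput) -> Result<ScanResult, String> {
        let findings = lines_of(input)?.iter().enumerate()
            .filter(|(_, l)| l.to_ascii_lowercase().contains("api_key="))
            .map(|(n, _)| Finding {
                id: format!("SECRET-L{}", n + 1),
                engine: EngineType::Secrets,
                severity: Severity::Critical,
                title: "hard-coded API key".into(),
                description: "assignment to api_key found in scanned input".into(),
                location: Some(format!("line {}", n + 1)),
                remediation: Some("move the key to a secret store and rotate it".into()),
            })
            .collect();
        Ok(ScanResult { engine: EngineType::Secrets, findings })
    }
}

// Runs every engine and returns one Vec<Finding> sorted on (engine, id, location),
// so output is deterministic regardless of the order engines were registered in.
pub fn run_all(engines: &[Box<dyn ScanEngine>], input: &ScanInput) -> Result<Vec<Finding>, String> {
    let mut all = Vec::new();
    for e in engines { all.extend(e.scan(input)?.findings); }
    all.sort_by(|a, b| (a.engine, &a.id, &a.location).cmp(&(b.engine, &b.id, &b.location)));
    Ok(all)
}

// Assumed policy: fail on any finding at or above the threshold, whatever engine produced it.
pub struct Policy { pub fail_on: Severity }

pub fn evaluate<'a>(policy: &Policy, findings: &'a [Finding]) -> Vec<&'a Finding> {
    findings.iter().filter(|f| f.severity >= policy.fail_on).collect()
}

pub fn demo() -> (Vec<Finding>, usize) {
    // Constructed input: a pinned dependency list with a leaked key in the middle.
    let input = ScanInput::Inline("requests==2.19.0\napi_key=sk_example_000\nurllib3==1.26.5\n".into());
    let engines: Vec<Box<dyn ScanEngine>> = vec![Box::new(SecretsEngine), Box::new(ScaEngine)];
    let findings = run_all(&engines, &input).expect("inline input cannot fail");
    let violations = evaluate(&Policy { fail_on: Severity::High }, &findings).len();
    (findings, violations)
}

fn main() {
    let (findings, violations) = demo();
    for f in &findings { println!("{:?} {:?} {}", f.engine, f.severity, f.id); }
    println!("policy violations: {violations}");
}
```

The policy function never sees an SCA- or secrets-specific type, which is the decoupling the PR describes; adding a third engine means implementing ScanEngine and nothing else. Sorting on a stable key before policy evaluation is what keeps JSON/SARIF output byte-identical when the engine list is reordered.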