Shed your skin anew.
cicada scans computers for software nearing the end of their support timelines. This helps everyone keep up with shifting market trends, adopting new capabilities and important security updates at a sustainable pace.
Our scans provide actionable results, which you can use to increase the security and reliability of your systems.
Other security tools act like canaries in the coal mine. But by the time the canary dies, it may be too late. cicada takes a different approach. cicada is active, not passive. It provides shrill warnings before the mine tumbles.
$ cicada
warning: end of life for ruby 2.6.8 on 2022-03-31
warning: end of life for ubuntu hirsute on 2022-01-20
warning: end of life for debian stretch on 2022-06-30See cicada -help for more detail.
Many software components offer Long Term Support (LTS) releases, which receive security updates, bugfixes, and new features more rapidly than older releases. Unfortunately, it is often left up to the developer to opt into LTS releases. That is not an easy proposition, because software tends to grow in complexity over time. The dependency tree tends to get bigger and bigger. Meaning the risk of accidentally consuming a dead package is high. And the likelihood of spotting a dead package is low.
This is where cicada steps in. cicada helps engineers to identify more non-LTS software components. In an entirely automated fashion. cicada provides focused, actionable information for developers to implement. So that the larger software system remains robust, mature, and well supported by industry standards.
https://godoc.org/github.com/mcandre/cicada
https://github.com/mcandre/cicada/releases
$ go install github.com/mcandre/cicada/cmd/cicada@latestSee CONFIGURATION.md.
BSD-2-Clause
(None)
For more information about developing cicada itself, see DEVELOPMENT.md.
Following classical UNIX conventions, cicada often emits no output of any kind, and returns zero exit status, in the case where no non-LTS components are identified. To see a list of supported versions that cicada identifies on your machine, you may run cicada -debug to show additional logs. cicada is designed to integrate easily into full linter suites for CI/CD usage. Especially for Docker image builds. With a simple tweak to your base images, you can unlock more productive, more predictable SDLC workflows.
Some false positives may arise from stock components. Critically, stock components are less open to taking action. Only a suitable operating system (OS) update can fully remove these old components. Yet, OS development cycles are particularly long on desktop and laptop workstations, even for users enthusiastic about applying all available updates. And so stock components may not represent actionable items; You may run cicada -quiet to skip them.
For hybrid host / Docker workflows, you may want to configure a local shell alias like alias cicada='cicada -quiet', in order to reduce noise. When running cicada during Docker builds, be advised to not apply -quiet mode, as components there are more eligible for resolution by way of updating the base image tag. It is much easier to replace a Docker base image OS than to replace a workstation OS.
For enterprise systems, a variety of tools are available to identify specific vulnerabilities. But by then, it may be too late to migrate and keep up with cyberattacks. This is why cicada takes a more aggressive approach. We want to ward off entire major versions of software that do not receive ongoing patches. So that we can be one step ahead of attackers.
cicada is future compatible: Any software components targeting developmental, git HEAD versions should not trigger false alarms. Maybe you're already consuming clang tip, for example, which is well ahead of the pack. For the rest of us, we can relax and enjoy stable, LTS releases. Rest well on islands of stability. Let cicada guide you to successful operation.
cicada can even scan direct parent base images in Dockerfiles in terms of FROM OS support timelines.
For a deeper level of scanning, run cicada inside your containers, VM's, or other pre-production environments. Such as part of a linter phase in a CI/CD pipeline.
Ultimately, how you use cicada is up to you. We try to strike a balance between comprehensiveness and practicality, so that you can tailor cicada to your team's particular needs.
- dependabot scans GitHub repositories for vulnerabilities
- endoflife.date for support lifetime data
- npm scans Node.js projects for vulnerabilities
- RubyGems scans Ruby projects for vulnerabilities
- safety scans Python projects for vulnerabilities
- Snyk scans software projects and Docker images for vulnerabilities