snyk/vulncost

wish: update README to document whether the scanning is local or remote

markstos opened this issue · 3 comments

It's important to note, for privacy, whether this tool does the scanning locally or whether the user's code is ever uploaded for scanning. If the scanning happens locally, clarify how the local vuln database is updated.

Hey @markstos, this is an interesting question. Would you be able to explain more about the concern you'd like addressed in the documentation?

At the moment the only details which leave your machine are a package name and version string.

Thanks for the quick reply. For example, if you were uploading entire code documents, that would be a concern. I think a simple statement could suffice:

To perform the scanning, Snyk uploads related package names and version strings to check against our constantly updated vulnerability database.

Thanks @markstos, thanks for clarifying. Please see the associated PR and let me know if you think there is any further information we could provide here.