
Configuration Priority

Settings are applied in the following priority order (highest to lowest):
  1. Command-line flags (e.g., --api-key, --scanner)
  2. Environment variables (e.g., SCANOSS_API_KEY)
  3. Config file (~/.scanoss/crypto-finder/config.json)
  4. Project settings (scanoss.json in target directory)
  5. Default values

Application Configuration

Config File Location

~/.scanoss/crypto-finder/config.json

Setting Up Configuration

Use the configure command to set persistent application settings:
# Configure API key
crypto-finder configure --api-key YOUR_API_KEY

# Configure custom API URL
crypto-finder configure --api-url https://custom.scanoss.com

# Configure both
crypto-finder configure --api-key YOUR_KEY --api-url https://custom.scanoss.com
The key is written to config.json in clear text, so keep that file readable only by your own user. A key passed on the command line is also visible to other local users in the process list and is usually recorded in shell history; on shared hosts and in CI pipelines prefer the SCANOSS_API_KEY environment variable.

Config File Format

{
  "api_key": "your-scanoss-api-key",
  "api_url": "https://api.scanoss.com"
}

Environment Variables

Variable          Description                           Example
SCANOSS_API_KEY   SCANOSS API key for remote rulesets   export SCANOSS_API_KEY=abc123
SCANOSS_API_URL   Custom API base URL                   export SCANOSS_API_URL=https://custom.com
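The precedence list at the top of this page, the config.json format and the environment variables above can be exercised together. The following is an added example, not code from the Crypto Finder project: it writes a config.json that only the owner can read (the file holds the API key in clear text), checks an existing file's mode, and resolves a setting through flag > environment > config file > project settings > default. It assumes the user config is the JSON object shown above, that a project-level scanoss.json may carry the same keys directly under "settings" (the page only documents "settings.skip" there), and that an empty string counts as unset.

```python
"""Resolve Crypto Finder settings in the documented precedence order and keep
the on-disk API key private.

Added example, not code from the Crypto Finder project. Assumptions: the user
config is the JSON object {"api_key", "api_url"}; a project-level scanoss.json
may carry the same keys directly under "settings" (the page only documents
"settings.skip" there); an empty string counts as unset.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

DEFAULTS = {"api_key": None, "api_url": "https://api.scanoss.com"}
ENV_NAMES = {"api_key": "SCANOSS_API_KEY", "api_url": "SCANOSS_API_URL"}


def write_user_config(path: Path, api_key: str, api_url: str) -> None:
    """Create config.json with mode 0600 from the start, so the key is never
    group/world-readable even briefly; the chmod covers a pre-existing file."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"api_key": api_key, "api_url": api_url}, fh, indent=2)
    os.chmod(path, 0o600)


def config_is_private(path: Path) -> bool:
    """True unless group or other users have any access to the file."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def load_json(path: Path) -> dict:
    """Read a JSON config file, treating a missing file as empty."""
    if not path.is_file():
        return {}
    with path.open() as fh:
        return json.load(fh)


def resolve(name, cli=None, env=None, user_config=None, project_config=None):
    """Return (value, source) for one setting: flag > env > config > project > default."""
    env = os.environ if env is None else env
    candidates = [
        ("flag", (cli or {}).get(name)),
        ("env", env.get(ENV_NAMES[name])),
        ("config", (user_config or {}).get(name)),
        ("project", ((project_config or {}).get("settings") or {}).get(name)),
        ("default", DEFAULTS.get(name)),
    ]
    for source, value in candidates:
        if value not in (None, ""):   # assumption: empty string means unset
            return value, source
    return None, "default"


def demo_resolution():
    """Write a private config under a temporary home and resolve from each source."""
    home = Path(tempfile.mkdtemp())
    cfg_path = home / ".scanoss" / "crypto-finder" / "config.json"
    write_user_config(cfg_path, "cfg-key", "https://custom.scanoss.com")
    user_cfg = load_json(cfg_path)
    env = {"SCANOSS_API_KEY": "env-key"}   # constructed environment, not os.environ
    results = {
        "private_after_write": config_is_private(cfg_path),
        "from_config": resolve("api_key", cli={}, env={}, user_config=user_cfg),
        "env_beats_config": resolve("api_key", cli={}, env=env, user_config=user_cfg),
        "flag_beats_env": resolve("api_key", cli={"api_key": "flag-key"}, env=env, user_config=user_cfg),
        "url_default": resolve("api_url", cli={}, env={}, user_config={}),
        "empty_flag_ignored": resolve("api_key", cli={"api_key": ""}, env={}, user_config={}),
    }
    os.chmod(cfg_path, 0o644)  # simulate a config left group/world-readable
    results["private_after_chmod_644"] = config_is_private(cfg_path)
    return results


if __name__ == "__main__":
    for key, value in demo_resolution().items():
        print(f"{key}: {value}")
```

config_is_private is the check worth running on a shared host before trusting an existing ~/.scanoss/crypto-finder/config.json; resolve reports the winning source as well as the value, which is what you need when a pipeline picks up a stale key from the wrong place.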

Project Configuration (scanoss.json)

The scanoss.json file in your project directory configures scan behaviour and skip patterns.

File Location

Place scanoss.json in the root of the directory you are scanning:
your-project/
├── scanoss.json
├── src/
└── ...

Configuration Schema

Crypto Finder follows the SCANOSS Settings Schema.

Basic Example

{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": ["node_modules/", "target/", "venv/", "*.min.js"]
      },
      "sizes": {
        "max_file_size": 10485760
      }
    }
  }
}
max_file_size is specified in bytes. The value 10485760 corresponds to 10 MB.

Skip Patterns

Skip patterns control which files and directories are excluded from scanning.

Default Skip Patterns

The following patterns are excluded automatically:
Version control:
  • .git/
  • .svn/
  • .hg/
  • .bzr/
Dependencies:
  • node_modules/
  • vendor/
  • venv/
  • virtualenv/
  • __pycache__/
Build artefacts:
  • dist/
  • build/
  • target/
  • *.min.js
  • *.min.css
Archives:
  • *.zip
  • *.tar
  • *.tar.gz
  • *.tar.bz2
  • *.jar
  • *.war
  • *.ear
Binaries:
  • *.exe
  • *.dll
  • *.so
  • *.dylib
  • *.bin
Default skip patterns are defined in the source code; the current implementation is the authoritative list and may differ from the one above.

Custom Skip Patterns

Pattern Types

  1. Directory patterns (end with /):
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": ["custom-dir/", "temp/"]
      }
    }
  }
}
  2. File extension patterns:
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": ["*.log", "*.tmp", "*.cache"]
      }
    }
  }
}
  3. Specific file patterns:
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": ["package-lock.json", "yarn.lock"]
      }
    }
  }
}
  4. Path patterns:
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": ["src/generated/", "test/fixtures/"]
      }
    }
  }
}

Size Limits

Configure the maximum file size to scan:
{
  "settings": {
    "skip": {
      "sizes": {
        "max_file_size": 10485760
      }
    }
  }
}
max_file_size is specified in bytes. The value 10485760 corresponds to 10 MB.
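The four pattern types and the max_file_size limit above can be previewed before a scan is run. The following is an added example, not the Crypto Finder implementation: it loads the skip section of a scanoss.json, merges it with a subset of the built-in defaults, and reports for each file in a constructed tree why it would be skipped. The matching rules are assumptions made here to mirror the documented pattern types (a directory pattern matches any directory name on the relative path, a path pattern matches a relative-path prefix, extension and file-name patterns match the file name, custom patterns add to the defaults, and oversized files are rejected after the pattern checks); SAMPLE_TREE and SAMPLE_SCANOSS_JSON are constructed inputs.

```python
"""Preview which files a scanoss.json skip configuration would exclude.

Added example, not the Crypto Finder implementation. The matching rules
below are assumptions made to mirror the four documented pattern types:
  "dir/"      any directory on the relative path whose name matches the glob
  "a/b/"      a relative-path prefix matching the glob (pattern contains "/")
  "*.ext"     glob matched against the file name
  "name.ext"  exact file name
Custom patterns are assumed to add to the built-in defaults, and a file is
assumed to be skipped when it exceeds max_file_size (bytes).
"""
import fnmatch
import json
from pathlib import PurePosixPath

# Subset of the built-in defaults listed on this page.
DEFAULT_SKIP = ["*.min.js", "node_modules/", "vendor/", "dist/", "*.jar", "*.so", ".git/"]
DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024


def load_skip_settings(scanoss_json: str):
    """Return (patterns, max_file_size) from a scanoss.json document."""
    skip = json.loads(scanoss_json).get("settings", {}).get("skip", {})
    patterns = DEFAULT_SKIP + skip.get("patterns", {}).get("scanning", [])
    max_size = skip.get("sizes", {}).get("max_file_size", DEFAULT_MAX_FILE_SIZE)
    return patterns, max_size


def matches(rel_path: str, pattern: str) -> bool:
    """True if `pattern` excludes `rel_path` (POSIX-style path relative to the scan root)."""
    parts = PurePosixPath(rel_path).parts
    ancestors = ["/".join(parts[:i]) for i in range(1, len(parts))]
    if pattern.endswith("/"):
        target = pattern.rstrip("/")
        if "/" in target:                            # path pattern: match a prefix
            return any(fnmatch.fnmatchcase(a, target) for a in ancestors)
        return any(fnmatch.fnmatchcase(a.rsplit("/", 1)[-1], target) for a in ancestors)
    if "/" in pattern:                               # file pattern with a path
        return fnmatch.fnmatchcase(rel_path, pattern)
    return fnmatch.fnmatchcase(parts[-1], pattern)   # extension or exact file name


def should_skip(rel_path: str, size: int, patterns, max_size):
    """Return the reason a file is skipped, or None if it would be scanned."""
    for pat in patterns:
        if matches(rel_path, pat):
            return f"pattern {pat}"
    if size > max_size:
        return f"size {size} > max_file_size {max_size}"
    return None


# Constructed sample tree of (relative path, size in bytes) and a constructed scanoss.json.
SAMPLE_TREE = [
    ("src/crypto/aes.go", 4_096),
    ("src/generated/proto.pb.go", 120_000),
    ("packages/app/node_modules/lodash/index.js", 2_048),
    ("vendor/openssl/ssl.c", 8_192),
    ("web/app.min.js", 300_000),
    ("package-lock.json", 900_000),
    ("assets/model.onnx", 52_428_800),   # 50 MB: over the 10 MB limit
    ("test/fixtures/key.pem", 1_700),
]
SAMPLE_SCANOSS_JSON = """{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": ["*/node_modules/", "src/generated/", "package-lock.json", "*.log"]
      },
      "sizes": {"max_file_size": 10485760}
    }
  }
}"""


def plan_scan(tree=SAMPLE_TREE, scanoss_json=SAMPLE_SCANOSS_JSON):
    """Map each path in `tree` to its skip reason (None means it gets scanned)."""
    patterns, max_size = load_skip_settings(scanoss_json)
    return {path: should_skip(path, size, patterns, max_size) for path, size in tree}


if __name__ == "__main__":
    for path, reason in plan_scan().items():
        print(f"{'SKIP' if reason else 'SCAN'}  {path}  {reason or ''}")
```

Two things the run makes visible: the default node_modules/ rule already catches nested node_modules directories under these assumed semantics, so the monorepo-style */node_modules/ pattern only adds the glob form, and test/fixtures/key.pem is scanned unless a test/ or test/fixtures/ pattern is added, which is the trade-off to weigh before copying a CI profile that skips tests.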

Advanced Configuration Examples

Monorepo Configuration

For large monorepos with multiple subprojects:
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": [
          "*/node_modules/",
          "*/dist/",
          "*/build/",
          "*/target/",
          "docs/",
          "scripts/",
          "*.test.js",
          "*.spec.ts"
        ]
      }
    }
  }
}

JavaScript/TypeScript Project Configuration

For projects using Node.js-based tooling:
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": [
          "node_modules/",
          "dist/",
          "build/",
          ".next/",
          ".nuxt/",
          "coverage/",
          "*.min.js",
          "*.bundle.js",
          "*.map"
        ]
      }
    }
  }
}

Java/Python/Go Project Configuration

For compiled or interpreted backend projects:
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": [
          "target/",
          "venv/",
          "vendor/",
          "__pycache__/",
          "*.pyc",
          "*.class",
          "*.jar"
        ]
      }
    }
  }
}

CI/CD Configuration

Excludes tests and generated artefacts to reduce scan scope in automated pipelines. Note that test and fixture directories frequently exercise cryptographic APIs and hold sample keys or certificates, so skipping them trades inventory coverage for speed; narrow the patterns if the CBOM must include them:
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": [
          "node_modules/",
          "vendor/",
          "venv/",
          "target/",
          "dist/",
          "build/",
          "test/",
          "tests/",
          "*.test.*",
          "*.spec.*",
          "*.min.*"
        ]
      }
    }
  }
}

Scanner Configuration

Choosing a Scanner

Crypto Finder supports multiple scanners. Select a scanner using the --scanner flag:
# Use OpenGrep (default)
crypto-finder scan /path/to/code

# Use Semgrep
crypto-finder scan --scanner semgrep /path/to/code
Valid values for --scanner: opengrep, semgrep.

Language Detection

Automatic Detection

By default, Crypto Finder uses go-enry to detect the programming languages present in a project automatically.

Manual Override

Override detected languages when needed:
# Scan only Java and Python files
crypto-finder scan --languages java,python /path/to/code

# Scan a single language
crypto-finder scan --languages go /path/to/code

Supported Languages

The scanner includes rules for:
  • C/C++
  • C#
  • Go
  • Java
  • JavaScript/TypeScript
  • Kotlin
  • PHP
  • Python
  • Ruby
  • Rust
  • Swift
Additional languages may be supported. See the rules repository for the current list. Language detection ensures that only relevant rules are loaded, which improves scan performance.

Timeout Configuration

Default Timeout

Default scan timeout: 10 minutes

Custom Timeout

# 30-minute timeout
crypto-finder scan --timeout 30m /path/to/code

# 2-hour timeout
crypto-finder scan --timeout 2h /path/to/code

# 90-second timeout
crypto-finder scan --timeout 90s /path/to/code
Project size                   Recommended timeout
Small (<1,000 files)           5m
Medium (1,000–10,000 files)    15m
Large (10,000–50,000 files)    30m
Very large (>50,000 files)     1h+

Output Configuration

Output Destination

# Write to file
crypto-finder scan --output results.json /path/to/code

# Write to stdout (default)
crypto-finder scan /path/to/code

# Pipe to another tool
crypto-finder scan /path/to/code | jq '.findings | length'

Output Format

# SCANOSS Interim JSON format (default)
crypto-finder scan --format json /path/to/code

# CycloneDX CBOM format
crypto-finder scan --format cyclonedx /path/to/code
SCANOSS Interim JSON is an internal format used by the SCANOSS toolchain. Use cyclonedx for interoperability with third-party tools that support the CycloneDX CBOM specification.

Logging Configuration

Verbosity Levels

# Default output
crypto-finder scan /path/to/code

# Verbose logging (info level)
crypto-finder scan -v /path/to/code
crypto-finder scan --verbose /path/to/code

# Debug logging (debug-level output)
crypto-finder scan -d /path/to/code
crypto-finder scan --debug /path/to/code