Configuration Priority
Settings are applied in the following priority order (highest to lowest):- Command-line flags (e.g.,
--api-key,--scanner) - Environment variables (e.g.,
SCANOSS_API_KEY) - Config file (
~/.scanoss/crypto-finder/config.json) - Project settings (
scanoss.jsonin target directory) - Default values
Application Configuration
Config File Location
Setting Up Configuration
Use theconfigure command to set persistent application settings:
Config File Format
Environment Variables
| Variable | Description | Example |
|---|---|---|
SCANOSS_API_KEY | SCANOSS API key for remote rulesets | export SCANOSS_API_KEY=abc123 |
SCANOSS_API_URL | Custom API base URL | export SCANOSS_API_URL=https://custom.com |
SCANOSS_JAVA_JDK_MAJOR | Java JDK major for Java dependency resolution and type enrichment (auto, 8, 11, 17, 21) | export SCANOSS_JAVA_JDK_MAJOR=21 |
SCANOSS_JAVA_JDK_HOMES | Comma-separated Java home mappings used for explicit JDK selection | export SCANOSS_JAVA_JDK_HOMES=17=/opt/jdks/jdk17,21=/opt/jdks/jdk21 |
SCANOSS_FINDINGS_CACHE_BACKEND | FindingsCache backend (disk or postgres); default disk | export SCANOSS_FINDINGS_CACHE_BACKEND=postgres |
SCANOSS_FINDINGS_CACHE_DSN | Postgres connection string used when backend is postgres (required) | export SCANOSS_FINDINGS_CACHE_DSN=postgres://user:pass@host:5432/db?sslmode=require |
SCANOSS_FINDINGS_CACHE_TABLE | Optional table name override; default findings_cache | export SCANOSS_FINDINGS_CACHE_TABLE=cf_findings_cache |
Java Runtime Selection
For Java dependency scans and call graph export, Crypto Finder can select a specific JDK major per scan:- CLI:
--java-jdk-majorand repeatable--java-jdk-home <major>=<path> - Environment/config:
SCANOSS_JAVA_JDK_MAJOR,SCANOSS_JAVA_JDK_HOMES, or the matching config file keys - Supported majors:
8,11,17,21 - Standalone CLI default:
auto(use ambientJAVA_HOMEwhen available)
FindingsCache Backend
Crypto Finder caches per-dependency scan results in aFindingsCache so warm scans skip the OpenGrep work for already-analysed dependencies. Two backends are supported:
| Backend | Storage | When to use |
|---|---|---|
disk (default) | ~/.scanoss/crypto-finder/cache/findings/ | Local development, single-machine repeated scans |
postgres | a Postgres database (findings_cache table) | Multi-worker fleet deployments where the cache must be shared across machines |
- CLI:
--findings-cache=diskor--findings-cache=postgres - Environment:
SCANOSS_FINDINGS_CACHE_BACKEND=postgres - Config file:
findings_cache_backend: postgres
postgres is selected, the connection string MUST be provided via SCANOSS_FINDINGS_CACHE_DSN. The scan exits with a clear error if it is missing — there is no silent fallback to disk, because a misconfigured fleet would otherwise lose cache sharing without surfacing the bug.
The table is bootstrapped on first use (idempotent CREATE TABLE IF NOT EXISTS); no separate migration step is required. The default table name is findings_cache; override with SCANOSS_FINDINGS_CACHE_TABLE if you run multiple deployments in the same database.
Example:
- The cache key includes the rules hash, so changing rules invalidates entries automatically — no manual eviction needed.
- Failures of the disk backend are non-fatal (a warning is logged and the scan continues without caching). Failures of the postgres backend (missing DSN, unreachable database, schema bootstrap error) are fatal.
- The Postgres pool is opened per
crypto-finder scaninvocation and closed when the scan finishes. For long-lived workers, reuse a single binary process where possible to amortise pool setup.
Project Configuration (scanoss.json)
Thescanoss.json file in your project directory configures scan behaviour and skip patterns.
File Location
Placescanoss.json in the root of the directory you are scanning:
Configuration Schema
Crypto Finder follows the SCANOSS Settings Schema.Basic Example
Skip Patterns
Skip patterns control which files and directories are excluded from scanning.Default Skip Patterns
The following patterns are excluded automatically: Version control:.git/.svn/.hg/.bzr/
node_modules/vendor/venv/virtualenv/__pycache__/
dist/build/target/*.min.js*.min.css
*.zip*.tar*.tar.gz*.tar.bz2*.jar*.war*.ear
*.exe*.dll*.so*.dylib*.bin
Custom Skip Patterns
Pattern Types
- Directory patterns (end with
/):
- File extension patterns:
- Specific file patterns:
- Path patterns:
Size Limits
Configure the maximum file size to scan:Advanced Configuration Examples
Monorepo Configuration
For large monorepos with multiple subprojects:JavaScript/TypeScript Project Configuration
For projects using Node.js-based tooling:Java/Python/Go Project Configuration
For compiled or interpreted backend projects:CI/CD Configuration
Excludes tests and generated artefacts to reduce scan scope in automated pipelines:Scanner Configuration
Choosing a Scanner
Crypto Finder supports multiple scanners. Select a scanner using the--scanner flag:
--scanner: opengrep, semgrep.
Cross-File Analysis (Semgrep Pro)
When using the Semgrep scanner, you can enable cross-file (interfile) analysis with the--interfile flag. This adds the --pro flag to the underlying Semgrep command, enabling Semgrep Pro features such as cross-file taint tracking and type inference.
The--interfileflag is only supported with--scanner semgrep. Using it with other scanners will result in an error. A valid Semgrep Pro license is required.
Language Detection
Automatic Detection
By default, Crypto Finder uses go-enry to detect the programming languages present in a project automatically.Manual Override
Override detected languages when needed:Supported Languages
The scanner includes rules for:- C/C++
- C#
- Go
- Java
- JavaScript/TypeScript
- Kotlin
- PHP
- Python
- Ruby
- Rust
- Swift
- And more…
Timeout Configuration
Default Timeout
Default scan timeout: 10 minutesCustom Timeout
Recommended Timeouts
| Project size | Recommended timeout |
|---|---|
| Small (<1,000 files) | 5m |
| Medium (1,000–10,000 files) | 15m |
| Large (10,000–50,000 files) | 30m |
| Very large (>50,000 files) | 1h+ |