
Available Images

The standard image (latest tag) includes both the OpenGrep and Semgrep scanners, so no external scanner needs to be supplied.
docker pull ghcr.io/scanoss/crypto-finder:latest
Features:
  • OpenGrep 1.12.1+ included
  • Semgrep 1.119.0+ included
  • All scanning capabilities available

Slim Image

A minimal image containing only the crypto-finder binary. An external scanner (OpenGrep or Semgrep) must be provided — for example, by mounting it into the container or by building a derived image.
docker pull ghcr.io/scanoss/crypto-finder:latest-slim
Features:
  • crypto-finder binary only
  • Requires an externally supplied OpenGrep or Semgrep installation
  • Smaller image size
  • Suitable for workflows that manage scanner versions independently

Basic Usage

Scanning with Mounted Volumes

The examples below use $(pwd) to reference the current working directory. Replace YOUR_SCANOSS_API_KEY with a valid SCANOSS API key.
# Scan a code directory using remote rulesets
docker run --rm \
  -v $(pwd)/code:/workspace/code:ro \
  -v $(pwd)/output:/workspace/output \
  -e SCANOSS_API_KEY=YOUR_SCANOSS_API_KEY \
  ghcr.io/scanoss/crypto-finder:latest \
  scan --output /workspace/output/results.json /workspace/code

# Scan using local rule files (bypasses remote ruleset download)
docker run --rm \
  -v $(pwd)/code:/workspace/code:ro \
  -v $(pwd)/rules:/workspace/rules:ro \
  -v $(pwd)/output:/workspace/output \
  ghcr.io/scanoss/crypto-finder:latest \
  scan --no-remote-rules --rules-dir /workspace/rules \
  --output /workspace/output/results.json /workspace/code

# Generate a CycloneDX CBOM
docker run --rm \
  -v $(pwd)/code:/workspace/code:ro \
  -v $(pwd)/output:/workspace/output \
  -e SCANOSS_API_KEY=YOUR_SCANOSS_API_KEY \
  ghcr.io/scanoss/crypto-finder:latest \
  scan --format cyclonedx --output /workspace/output/cbom.json /workspace/code
Note: --no-remote-rules disables the automatic download of rulesets from the SCANOSS platform. Use this flag when supplying rule files locally via --rules-dir.

Volume Mounting Patterns

Mount Point                        Purpose                                              Recommended Mode
/workspace/code                    Source code to scan                                  :ro (read-only)
/workspace/rules                   Local rule files                                     :ro (read-only)
/workspace/output                  Scan output files                                    :rw (read-write)
~/.scanoss/crypto-finder/cache     Ruleset cache (optional; ~ is /root inside the image) :rw (read-write)

Preserving Cache Between Runs

Using a named Docker volume avoids re-downloading rulesets on each run.
# Create a named volume for cache persistence
docker volume create crypto-finder-cache

# Use the named volume in subsequent scans
docker run --rm \
  -v $(pwd)/code:/workspace/code:ro \
  -v $(pwd)/output:/workspace/output \
  -v crypto-finder-cache:/root/.scanoss/crypto-finder/cache \
  -e SCANOSS_API_KEY=YOUR_SCANOSS_API_KEY \
  ghcr.io/scanoss/crypto-finder:latest \
  scan --output /workspace/output/results.json /workspace/code
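As an added example (not part of the crypto-finder project's own tooling), the following POSIX shell wrapper encodes the conventions from the docker run examples above: a read-only mount for source code and rule files, a read-write mount for output, the named cache volume, and the choice between local rules (--no-remote-rules) and remote rulesets (SCANOSS_API_KEY). The script name scan.sh, the CRYPTO_FINDER_IMAGE and DRY_RUN variables and the function names are this example's own assumptions; the image tag, mount paths and flags are the ones shown above.

```shell
#!/bin/sh
# scan.sh CODE_DIR OUTPUT_DIR [RULES_DIR]
# Wrapper around the crypto-finder image. build_scan_cmd only prints the
# docker command line, so it can be reviewed (or tested) before any
# container starts; run_scan performs the preflight checks and executes it.
# CRYPTO_FINDER_IMAGE, DRY_RUN and the function names are assumptions of
# this example, not settings of the crypto-finder project.

CRYPTO_FINDER_IMAGE="${CRYPTO_FINDER_IMAGE:-ghcr.io/scanoss/crypto-finder:latest}"

# build_scan_cmd CODE_DIR OUTPUT_DIR [RULES_DIR]
# Prints a docker command that mounts CODE_DIR read-only (the scanner never
# needs to write there), mounts OUTPUT_DIR read-write for results.json and
# keeps the ruleset cache in the named volume. With RULES_DIR given, the
# rules are mounted read-only and remote rulesets are disabled; otherwise
# SCANOSS_API_KEY is passed through for the remote ruleset download.
build_scan_cmd() {
    code_dir=$1
    output_dir=$2
    rules_dir=${3:-}

    cmd="docker run --rm"
    cmd="$cmd -v $code_dir:/workspace/code:ro"
    cmd="$cmd -v $output_dir:/workspace/output"
    cmd="$cmd -v crypto-finder-cache:/root/.scanoss/crypto-finder/cache"

    if [ -n "$rules_dir" ]; then
        cmd="$cmd -v $rules_dir:/workspace/rules:ro"
        cmd="$cmd $CRYPTO_FINDER_IMAGE scan --no-remote-rules --rules-dir /workspace/rules"
    else
        # Pass only the variable name: docker copies the value from the host
        # environment, so the key never appears in the printed command line.
        cmd="$cmd -e SCANOSS_API_KEY"
        cmd="$cmd $CRYPTO_FINDER_IMAGE scan"
    fi
    cmd="$cmd --output /workspace/output/results.json /workspace/code"
    printf '%s\n' "$cmd"
}

# check_scan_inputs CODE_DIR [RULES_DIR]
# Fails early with a clear message instead of an obscure container error.
# Returns 0 when the scan may proceed.
check_scan_inputs() {
    code_dir=$1
    rules_dir=${2:-}
    [ -d "$code_dir" ] || { echo "code directory not found: $code_dir" >&2; return 1; }
    if [ -n "$rules_dir" ]; then
        [ -d "$rules_dir" ] || { echo "rules directory not found: $rules_dir" >&2; return 1; }
    elif [ -z "${SCANOSS_API_KEY:-}" ]; then
        echo "SCANOSS_API_KEY is not set and no local rules directory was given" >&2
        return 1
    fi
    return 0
}

# run_scan CODE_DIR OUTPUT_DIR [RULES_DIR]
# Validates the inputs, resolves absolute host paths (docker bind mounts
# require them), creates the output directory and runs the scan. With
# DRY_RUN=1 the command is printed instead of executed.
run_scan() {
    check_scan_inputs "$1" "${3:-}" || return 1
    mkdir -p "$2"
    code_abs=$(cd "$1" && pwd)
    output_abs=$(cd "$2" && pwd)
    rules_abs=
    [ -z "${3:-}" ] || rules_abs=$(cd "$3" && pwd)
    cmd=$(build_scan_cmd "$code_abs" "$output_abs" "$rules_abs")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    # Word splitting of $cmd is intended; paths containing spaces are not supported.
    $cmd
}

# Entry point: only runs when invoked with arguments.
if [ $# -ge 2 ]; then
    run_scan "$@"
fi
```

Run `sh scan.sh ./code ./output` for a remote-ruleset scan with SCANOSS_API_KEY exported in the calling shell, or `sh scan.sh ./code ./output ./rules` to scan with local rules only; set DRY_RUN=1 to print the command without starting a container. Passing `-e SCANOSS_API_KEY` without a value makes Docker copy the variable from the host environment, so the key never shows up in the printed command or in CI logs.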

CI/CD Integration

GitHub Actions

The workflow below runs Crypto Finder on every push and pull request. It assumes that the source code to scan is located under src/ within the repository root.
name: Crypto Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Crypto Finder
        run: |
          docker run --rm \
            -v ${{ github.workspace }}:/workspace \
            -e SCANOSS_API_KEY=${{ secrets.SCANOSS_API_KEY }} \
            ghcr.io/scanoss/crypto-finder:latest \
            scan --output /workspace/results.json /workspace/src

      - name: Upload results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: crypto-scan-results
          path: results.json

      - name: Fail on findings
        # Exits with a non-zero code if any cryptographic findings are detected.
        # This step also uses remote rulesets, so it needs the API key as well.
        run: |
          docker run --rm \
            -v ${{ github.workspace }}:/workspace \
            -e SCANOSS_API_KEY=${{ secrets.SCANOSS_API_KEY }} \
            ghcr.io/scanoss/crypto-finder:latest \
            scan --fail-on-findings /workspace/src

With Custom Rules

name: Crypto Scan (Custom Rules)

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Crypto Finder with custom rule files
        run: |
          docker run --rm \
            -v ${{ github.workspace }}:/workspace \
            ghcr.io/scanoss/crypto-finder:latest \
            scan --no-remote-rules \
            --rules-dir /workspace/.crypto-rules \
            --output /workspace/results.json \
            /workspace/src

      - name: Convert results to CBOM
        # The `convert` subcommand transforms scan output into CycloneDX CBOM format
        run: |
          docker run --rm \
            -v ${{ github.workspace }}:/workspace \
            ghcr.io/scanoss/crypto-finder:latest \
            convert /workspace/results.json --output /workspace/cbom.json

      - name: Upload CBOM
        uses: actions/upload-artifact@v4
        with:
          name: crypto-cbom
          path: cbom.json

Advanced Docker Usage

Specifying a Scanner

By default, Crypto Finder uses OpenGrep. Use the --scanner flag to select Semgrep instead.
docker run --rm \
  -v $(pwd)/code:/workspace/code:ro \
  -v $(pwd)/output:/workspace/output \
  -e SCANOSS_API_KEY=YOUR_SCANOSS_API_KEY \
  ghcr.io/scanoss/crypto-finder:latest \
  scan --scanner semgrep --output /workspace/output/results.json /workspace/code

Custom Timeout and Language Override

Use --timeout to bound the total scan time and --languages to restrict the scan to an explicit, comma-separated list of languages instead of relying on automatic detection.

docker run --rm \
  -v $(pwd)/code:/workspace/code:ro \
  -v $(pwd)/output:/workspace/output \
  -e SCANOSS_API_KEY=YOUR_SCANOSS_API_KEY \
  ghcr.io/scanoss/crypto-finder:latest \
  scan \
  --timeout 30m \
  --languages java,python,go \
  --output /workspace/output/results.json \
  /workspace/code

Docker Compose

The following docker-compose.yml example is intended for local development use. Set SCANOSS_API_KEY in your environment or in a .env file before running.
version: "3.8"

services:
  crypto-finder:
    image: ghcr.io/scanoss/crypto-finder:latest
    volumes:
      - ./code:/workspace/code:ro
      - ./rules:/workspace/rules:ro
      - ./output:/workspace/output
      - crypto-cache:/root/.scanoss/crypto-finder/cache
    environment:
      - SCANOSS_API_KEY=${SCANOSS_API_KEY}
    command: >
      scan
      --rules-dir /workspace/rules
      --output /workspace/output/results.json
      /workspace/code

volumes:
  crypto-cache:
Run with:
SCANOSS_API_KEY=your_key docker-compose up