Available Images
Crypto Finder provides a three-tier image strategy so you can choose the right trade-off between image size and functionality:| Image | Tag | Size | Use Case |
|---|---|---|---|
| Standard | latest | ~800MB | Default: binary + OpenGrep + Semgrep |
| Slim | latest-slim | ~15MB | Binary only, bring your own scanner |
| Deps | latest-deps | ~3-4GB | All language toolchains for dependency scanning |
Standard Image (Recommended)
Includes both OpenGrep and Semgrep scanners.- OpenGrep 1.12.1+ included
- Semgrep 1.145.0+ included
- All scanning capabilities available
Slim Image
A minimal image containing only thecrypto-finder binary. An external scanner
(OpenGrep or Semgrep) must be provided — for example, by mounting it into the
container or by building a derived image.
crypto-finderbinary only- Requires an externally supplied OpenGrep or Semgrep installation
- Smaller image size
- Suitable for workflows that manage scanner versions independently
Deps Image (Dependency Scanning)
Full image with all language toolchains for scanning third-party dependencies with--scan-dependencies.
- Everything in the standard image, plus:
- Go toolchain for
go list/go mod graphdependency resolution - Java (JDK 8, 11, 17, and 21 + Maven + Gradle) for JDK-aware Java dependency resolution and deterministic platform signature indexing
- Rust (Cargo) for
cargo metadatadependency resolution - Python (isolated virtualenv) for pip dependency resolution
- Detects cryptographic usage in third-party dependencies with call chain tracing
Basic Usage
Scanning with Mounted Volumes
Volume Mounting Patterns
| Mount Point | Purpose | Recommended Mode |
|---|---|---|
/workspace/code | Source code to scan | :ro (read-only) |
/workspace/rules | Custom rule files | :ro (read-only) |
/workspace/output | Scan results | :rw (read-write) |
~/.scanoss/crypto-finder/cache | Ruleset cache (optional) | :rw (read-write) |
Preserving Cache Between Runs
CI/CD Integration
GitHub Actions
Complete workflow for scanning code on push and pull requests:With Custom Rules
Dependency Scanning
Thelatest-deps image includes all language toolchains needed for dependency scanning. Use it with the --scan-dependencies flag.
Go Projects
Java (Maven or Gradle) Projects
Rust Projects
Python Projects
Python projects require installing dependencies before scanning, since pip needs them to be resolved:
Note: The deps image uses an isolated virtualenv for project dependencies, separate from the scanner tooling (semgrep), so pip install only affects the target project’s environment.
CI/CD with Dependency Scanning (GitHub Actions)
Advanced Docker Usage
Running with Specific Scanner
Custom Timeout and Language Override
Docker Compose
Exampledocker-compose.yml for local development: