| Format | Description | Use Case |
| --- | --- | --- |
| JSON | Default format | SCANOSS ecosystem, detailed analysis |
| CycloneDX | Industry-standard CBOM | Compliance, third-party tools |
For guidance on choosing between formats, see Format Comparison.

JSON Format

The default output format containing detailed cryptographic asset information, optimised for the SCANOSS ecosystem.

Generate

# Output to stdout
crypto-finder scan /path/to/code

# Save to file
crypto-finder scan --output results.json /path/to/code

Format Specification

{
  "version": "1.0",
  "tool": {
    "name": "opengrep",
    "version": "1.12.1"
  },
  "findings": [
    {
      "file_path": "path/to/file",
      "language": "language_name",
      "cryptographic_assets": [
        {
          "match_type": "scanner_name",
          "line_number": 123,
          "match": "code snippet",
          "rule": {
            "id": "rule.id",
            "message": "description",
            "severity": "INFO|WARNING|ERROR"
          },
          "type": "algorithm|certificate|protocol|related-crypto-material",
          "name": "algorithm_name",
          "primitive": "primitive_type",
          "mode": "mode_of_operation",
          "padding": "padding_scheme"
        }
      ],
      "timestamp_utc": "2025-01-15T10:00:00Z"
    }
  ]
}

Field Descriptions

| Field | Description |
| --- | --- |
| version | Format version (currently "1.0") |
| tool.name | Scanner used (opengrep) |
| tool.version | Scanner version |
| findings | Array of file-level findings |
| file_path | Relative path to the scanned file |
| language | Detected programming language |
| cryptographic_assets | Array of cryptographic findings within the file |
| match_type | Scanner that detected the asset |
| line_number | Line number where the match was found |
| match | Actual code snippet matched |
| rule.id | Unique rule identifier |
| rule.message | Human-readable description of the rule |
| rule.severity | Finding severity level (INFO, WARNING, ERROR) |
| type | Asset classification (see Supported Asset Types) |
| name | Algorithm or protocol name |
| primitive | Cryptographic primitive type |
| mode | Mode of operation (applicable to block ciphers) |
| padding | Padding scheme used |

Example Output

{
  "version": "1.0",
  "tool": {
    "name": "opengrep",
    "version": "1.12.1"
  },
  "findings": [
    {
      "file_path": "src/crypto/Example.java",
      "language": "java",
      "cryptographic_assets": [
        {
          "match_type": "opengrep",
          "line_number": 29,
          "match": "cipher = Cipher.getInstance(\"AES/CBC/PKCS5Padding\");",
          "rule": {
            "id": "java.crypto.cipher-aes-cbc",
            "message": "AES cipher usage detected",
            "severity": "INFO"
          },
          "type": "algorithm",
          "name": "AES",
          "primitive": "block-cipher",
          "mode": "CBC",
          "padding": "PKCS5Padding"
        }
      ],
      "timestamp_utc": "2025-10-22T10:00:00Z"
    }
  ]
}

Use Cases

  • Integration with the SCANOSS platform via its native JSON schema
  • Building custom analysis pipelines that consume detailed finding data
  • Tracking cryptographic assets at the code-snippet level
  • Security auditing workflows requiring full match context

CycloneDX Format

CycloneDX 1.6-compatible Cryptography Bill of Materials (CBOM) format for standardised reporting.

Features

  • Schema Validation: Output is validated against the CycloneDX 1.6 specification.
  • Standardised Components: Cryptographic assets are mapped to CycloneDX-defined component types.
  • Rich Metadata: Includes algorithm properties, evidence, and provenance information.

Supported Asset Types

| Type | Description |
| --- | --- |
| algorithm | Cryptographic algorithms (AES, RSA, SHA-256, etc.) |
| certificate | Digital certificates and certificate chains |
| protocol | Cryptographic protocols (TLS, SSH, etc.) |
| related-crypto-material | Keys, seeds, nonces, and other cryptographic material |

Generate

# Generate CBOM directly to file
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code

Example Output

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-15T10:00:00Z",
    "tools": [
      {
        "vendor": "SCANOSS",
        "name": "crypto-finder",
        "version": "0.1.0"
      }
    ],
    "component": {
      "type": "application",
      "name": "scanned-project"
    }
  },
  "components": [
    {
      "type": "cryptographic-asset",
      "name": "AES",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "block-cipher",
          "mode": "CBC",
          "padding": "PKCS5Padding"
        }
      },
      "evidence": {
        "occurrences": [
          {
            "location": "src/crypto/Example.java:29"
          }
        ]
      }
    }
  ]
}

Converting Formats

Use the convert command to transform a SCANOSS JSON output file into CycloneDX CBOM format:

# Convert from file
crypto-finder convert results.json --output cbom.json

# Convert from stdin (pipe from scan)
crypto-finder scan /path/to/code | crypto-finder convert --output cbom.json

# Generate CycloneDX CBOM directly during scan
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code
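The mapping from the SCANOSS JSON format (field descriptions above) to the CycloneDX CBOM shown under Example Output can be reproduced in a few lines. The following is an added example, not crypto-finder's own converter: it reads a constructed SCANOSS-format document, emits a CycloneDX 1.6 document with the same structure as the page's example, and merges repeated assets of the same type and name into one component with one evidence occurrence per "file_path:line_number". The sample findings and the `to_cyclonedx` function name are assumptions.

```python
# Constructed sample in the SCANOSS JSON format described above (not real scan output).
SAMPLE = {
    "version": "1.0", "tool": {"name": "opengrep", "version": "1.12.1"},
    "findings": [
        {"file_path": "src/crypto/Example.java", "language": "java",
         "timestamp_utc": "2025-10-22T10:00:00Z",
         "cryptographic_assets": [
             {"match_type": "opengrep", "line_number": 29, "type": "algorithm",
              "match": 'cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");',
              "rule": {"id": "java.crypto.cipher-aes-cbc", "severity": "INFO",
                       "message": "AES cipher usage detected"},
              "name": "AES", "primitive": "block-cipher", "mode": "CBC",
              "padding": "PKCS5Padding"}]},
        {"file_path": "src/net/Client.java", "language": "java",
         "timestamp_utc": "2025-10-22T10:00:00Z",
         "cryptographic_assets": [
             {"match_type": "opengrep", "line_number": 12, "type": "protocol",
              "match": 'SSLContext.getInstance("TLS")', "name": "TLS",
              "rule": {"id": "java.crypto.ssl-context", "severity": "INFO",
                       "message": "TLS context usage detected"}}]},
    ],
}
ALGO_PROPS = ("primitive", "mode", "padding")

def to_cyclonedx(scanoss: dict, project_name: str = "scanned-project") -> dict:
    """Map SCANOSS findings to a CycloneDX 1.6 CBOM; assets with the same (type, name)
    merge into one component with one occurrence per file_path:line_number."""
    components, timestamp = {}, None
    for finding in scanoss.get("findings", []):
        timestamp = timestamp or finding.get("timestamp_utc")  # first seen wins
        for asset in finding.get("cryptographic_assets", []):
            key = (asset["type"], asset["name"])
            if key not in components:
                crypto = {"assetType": asset["type"]}
                # Only algorithm assets carry primitive/mode/padding; skip absent keys.
                props = {k: asset[k] for k in ALGO_PROPS if asset.get(k)}
                if asset["type"] == "algorithm" and props:
                    crypto["algorithmProperties"] = props
                components[key] = {"type": "cryptographic-asset", "name": asset["name"],
                                   "cryptoProperties": crypto,
                                   "evidence": {"occurrences": []}}
            components[key]["evidence"]["occurrences"].append(
                {"location": f'{finding["file_path"]}:{asset["line_number"]}'})
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "metadata": {"timestamp": timestamp,
                         "tools": [{"vendor": "SCANOSS", "name": "crypto-finder",
                                    "version": "0.1.0"}],
                         "component": {"type": "application", "name": project_name}},
            "components": list(components.values())}
```

Serialise the result with `json.dumps(to_cyclonedx(SAMPLE), indent=2)` to get a document shaped like the CycloneDX example above; the convert command remains the supported way to produce a schema-validated CBOM.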

Integration

CycloneDX CBOM output can be consumed by tools including:

  • Dependency-Track (OWASP)
  • Software Bill of Materials (SBOM) aggregators
  • Security scanning platforms
  • Compliance reporting tools
  • Supply chain risk management systems

Format Comparison

| Feature | SCANOSS JSON | CycloneDX CBOM |
| --- | --- | --- |
| Ecosystem | SCANOSS-specific | Industry standard |
| Detail Level | High (includes code snippets) | Medium (structured metadata) |
| File Size | Larger | Smaller |
| Best For | Deep analysis, custom tooling | Compliance, integration, reporting |
| Schema | SCANOSS JSON spec | CycloneDX 1.6 |
| Validation | SCANOSS tools | CycloneDX validators |