Documentation Index
Fetch the complete documentation index at: https://docs.scanoss.com/llms.txt
Use this file to discover all available pages before exploring further.
| Format | Description | Use Case |
|---|
| JSON | Default format | SCANOSS ecosystem, detailed analysis |
| CycloneDX | Industry-standard CBOM | Compliance, third-party tools |
Generate
# Output to stdout
crypto-finder scan /path/to/code
# Save to file
crypto-finder scan --output results.json /path/to/code
{
"version": "1.0",
"tool": {
"name": "opengrep",
"version": "1.12.1"
},
"findings": [
{
"file_path": "path/to/file",
"language": "language_name",
"cryptographic_assets": [
{
"match_type": "scanner_name",
"line_number": 123,
"match": "code snippet",
"rule": {
"id": "rule.id",
"message": "description",
"severity": "INFO|WARNING|ERROR"
},
"type": "algorithm|certificate|protocol|related-crypto-material",
"name": "algorithm_name",
"primitive": "primitive_type",
"mode": "mode_of_operation",
"padding": "padding_scheme"
}
],
"timestamp_utc": "2025-01-15T10:00:00Z"
}
]
}
Field Descriptions
| Field | Description |
|---|
version | Format version (currently "1.0") |
tool.name | Scanner used (opengrep) |
tool.version | Scanner version |
findings | Array of file-level findings |
file_path | Relative path to the scanned file |
language | Detected programming language |
cryptographic_assets | Array of cryptographic findings within the file |
match_type | Scanner that detected the asset |
line_number | Line number where the match was found |
match | Actual code snippet matched |
rule.id | Unique rule identifier |
rule.message | Human-readable description of the rule |
rule.severity | Finding severity level (INFO, WARNING, ERROR) |
type | Asset classification (see Supported Asset Types) |
name | Algorithm or protocol name |
primitive | Cryptographic primitive type |
mode | Mode of operation (applicable to block ciphers) |
padding | Padding scheme used |
Example Output
{
"version": "1.0",
"tool": {
"name": "opengrep",
"version": "1.12.1"
},
"findings": [
{
"file_path": "src/crypto/Example.java",
"language": "java",
"cryptographic_assets": [
{
"match_type": "opengrep",
"line_number": 29,
"match": "cipher = Cipher.getInstance(\"AES/CBC/PKCS5Padding\");",
"rule": {
"id": "java.crypto.cipher-aes-cbc",
"message": "AES cipher usage detected",
"severity": "INFO"
},
"type": "algorithm",
"name": "AES",
"primitive": "block-cipher",
"mode": "CBC",
"padding": "PKCS5Padding"
}
],
"timestamp_utc": "2025-10-22T10:00:00Z"
}
]
}
Use Cases
- Integration with the SCANOSS platform via its native JSON schema
- Building custom analysis pipelines that consume detailed finding data
- Tracking cryptographic assets at the code-snippet level
- Security auditing workflows requiring full match context
CycloneDX 1.6-compatible Cryptography Bill of Materials (CBOM) format for
standardised reporting.
Features
- Schema Validation: Output is validated against the CycloneDX 1.6
specification.
- Standardised Components: Cryptographic assets are mapped to
CycloneDX-defined component types.
- Rich Metadata: Includes algorithm properties, evidence, and provenance
information.
Supported Asset Types
| Type | Description |
|---|
algorithm | Cryptographic algorithms (AES, RSA, SHA-256, etc.) |
certificate | Digital certificates and certificate chains |
protocol | Cryptographic protocols (TLS, SSH, etc.) |
related-crypto-material | Keys, seeds, nonces, and other cryptographic material |
Generate
# Generate CBOM directly to file
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code
Example Output
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"version": 1,
"metadata": {
"timestamp": "2025-01-15T10:00:00Z",
"tools": [
{
"vendor": "SCANOSS",
"name": "crypto-finder",
"version": "0.1.0"
}
],
"component": {
"type": "application",
"name": "scanned-project"
}
},
"components": [
{
"type": "cryptographic-asset",
"name": "AES",
"cryptoProperties": {
"assetType": "algorithm",
"algorithmProperties": {
"primitive": "block-cipher",
"mode": "CBC",
"padding": "PKCS5Padding"
}
},
"evidence": {
"occurrences": [
{
"location": "src/crypto/Example.java:29"
}
]
}
}
]
}
convert command to transform a SCANOSS JSON output file into CycloneDX
CBOM format:
# Convert from file
crypto-finder convert results.json --output cbom.json
# Convert from stdin (pipe from scan)
crypto-finder scan /path/to/code | crypto-finder convert --output cbom.json
# Generate CycloneDX CBOM directly during scan
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code
Integration
CycloneDX CBOM output can be consumed by tools including:
- Dependency-Track (OWASP)
- Software Bill of Materials (SBOM) aggregators
- Security scanning platforms
- Compliance reporting tools
- Supply chain risk management systems
| Feature | SCANOSS JSON | CycloneDX CBOM |
|---|
| Ecosystem | SCANOSS-specific | Industry standard |
| Detail Level | High (includes code snippets) | Medium (structured metadata) |
| File Size | Larger | Smaller |
| Best For | Deep analysis, custom tooling | Compliance, integration, reporting |
| Schema | SCANOSS JSON spec | CycloneDX 1.6 |
| Validation | SCANOSS tools | CycloneDX validators |
