> ## Documentation Index
> Fetch the complete documentation index at: https://docs.scanoss.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Output Formats

> Crypto Finder supports two output formats for scan results.

| Format        | Description            | Use Case                             |
| ------------- | ---------------------- | ------------------------------------ |
| **JSON**      | Default format         | SCANOSS ecosystem, detailed analysis |
| **CycloneDX** | Industry-standard CBOM | Compliance, third-party tools        |

For guidance on choosing between formats, see [Format Comparison](#format-comparison).

## JSON Format

The default output format containing detailed cryptographic asset information,
optimised for the SCANOSS ecosystem.

### Generate

```bash theme={null}
# Output to stdout
crypto-finder scan /path/to/code

# Save to file
crypto-finder scan --output results.json /path/to/code
```

### Format Specification

```json theme={null}
{
  "version": "1.0",
  "tool": {
    "name": "opengrep",
    "version": "1.12.1"
  },
  "findings": [
    {
      "file_path": "path/to/file",
      "language": "language_name",
      "cryptographic_assets": [
        {
          "match_type": "scanner_name",
          "line_number": 123,
          "match": "code snippet",
          "rule": {
            "id": "rule.id",
            "message": "description",
            "severity": "INFO|WARNING|ERROR"
          },
          "type": "algorithm|certificate|protocol|related-crypto-material",
          "name": "algorithm_name",
          "primitive": "primitive_type",
          "mode": "mode_of_operation",
          "padding": "padding_scheme"
        }
      ],
      "timestamp_utc": "2025-01-15T10:00:00Z"
    }
  ]
}
```

### Field Descriptions

| Field                  | Description                                         |
| ---------------------- | --------------------------------------------------- |
| `version`              | Format version (currently `"1.0"`)                  |
| `tool.name`            | Scanner used (`opengrep`)                           |
| `tool.version`         | Scanner version                                     |
| `findings`             | Array of file-level findings                        |
| `file_path`            | Relative path to the scanned file                   |
| `language`             | Detected programming language                       |
| `cryptographic_assets` | Array of cryptographic findings within the file     |
| `match_type`           | Scanner that detected the asset                     |
| `line_number`          | Line number where the match was found               |
| `match`                | Actual code snippet matched                         |
| `rule.id`              | Unique rule identifier                              |
| `rule.message`         | Human-readable description of the rule              |
| `rule.severity`        | Finding severity level (`INFO`, `WARNING`, `ERROR`) |
| `type`                 | Asset classification (see Supported Asset Types)    |
| `name`                 | Algorithm or protocol name                          |
| `primitive`            | Cryptographic primitive type                        |
| `mode`                 | Mode of operation (applicable to block ciphers)     |
| `padding`              | Padding scheme used                                 |

### Example Output

```json theme={null}
{
  "version": "1.0",
  "tool": {
    "name": "opengrep",
    "version": "1.12.1"
  },
  "findings": [
    {
      "file_path": "src/crypto/Example.java",
      "language": "java",
      "cryptographic_assets": [
        {
          "match_type": "opengrep",
          "line_number": 29,
          "match": "cipher = Cipher.getInstance(\"AES/CBC/PKCS5Padding\");",
          "rule": {
            "id": "java.crypto.cipher-aes-cbc",
            "message": "AES cipher usage detected",
            "severity": "INFO"
          },
          "type": "algorithm",
          "name": "AES",
          "primitive": "block-cipher",
          "mode": "CBC",
          "padding": "PKCS5Padding"
        }
      ],
      "timestamp_utc": "2025-10-22T10:00:00Z"
    }
  ]
}
```

### Use Cases

* Integration with the SCANOSS platform via its native JSON schema
* Building custom analysis pipelines that consume detailed finding data
* Tracking cryptographic assets at the code-snippet level
* Security auditing workflows requiring full match context

## CycloneDX Format

CycloneDX 1.6-compatible Cryptography Bill of Materials (CBOM) format for
standardised reporting.

### Features

* **Schema Validation**: Output is validated against the CycloneDX 1.6
  specification.
* **Standardised Components**: Cryptographic assets are mapped to
  CycloneDX-defined component types.
* **Rich Metadata**: Includes algorithm properties, evidence, and provenance
  information.

### Supported Asset Types

| Type                      | Description                                           |
| ------------------------- | ----------------------------------------------------- |
| `algorithm`               | Cryptographic algorithms (AES, RSA, SHA-256, etc.)    |
| `certificate`             | Digital certificates and certificate chains           |
| `protocol`                | Cryptographic protocols (TLS, SSH, etc.)              |
| `related-crypto-material` | Keys, seeds, nonces, and other cryptographic material |

### Generate

```bash theme={null}
# Generate CBOM directly to file
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code
```

### Example Output

```json theme={null}
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-15T10:00:00Z",
    "tools": [
      {
        "vendor": "SCANOSS",
        "name": "crypto-finder",
        "version": "0.1.0"
      }
    ],
    "component": {
      "type": "application",
      "name": "scanned-project"
    }
  },
  "components": [
    {
      "type": "cryptographic-asset",
      "name": "AES",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "block-cipher",
          "mode": "CBC",
          "padding": "PKCS5Padding"
        }
      },
      "evidence": {
        "occurrences": [
          {
            "location": "src/crypto/Example.java:29"
          }
        ]
      }
    }
  ]
}
```

## Converting Formats

Use the `convert` command to transform a SCANOSS JSON output file into CycloneDX
CBOM format:

```bash theme={null}
# Convert from file
crypto-finder convert results.json --output cbom.json

# Convert from stdin (pipe from scan)
crypto-finder scan /path/to/code | crypto-finder convert --output cbom.json

# Generate CycloneDX CBOM directly during scan
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code
```

## Integration

CycloneDX CBOM output can be consumed by tools including:

* [Dependency-Track](https://dependencytrack.org/) (OWASP)
* Software Bill of Materials (SBOM) aggregators
* Security scanning platforms
* Compliance reporting tools
* Supply chain risk management systems

## Format Comparison

| Feature          | SCANOSS JSON                  | CycloneDX CBOM                     |
| ---------------- | ----------------------------- | ---------------------------------- |
| **Ecosystem**    | SCANOSS-specific              | Industry standard                  |
| **Detail Level** | High (includes code snippets) | Medium (structured metadata)       |
| **File Size**    | Larger                        | Smaller                            |
| **Best For**     | Deep analysis, custom tooling | Compliance, integration, reporting |
| **Schema**       | SCANOSS JSON spec             | CycloneDX 1.6                      |
| **Validation**   | SCANOSS tools                 | CycloneDX validators               |