
The Problem

What cryptography is in your codebase? Algorithms, certificates, protocols, and keys are critical components that many teams struggle to inventory and assess with confidence. Without clear visibility, organisations face serious challenges:
  • Compliance: PCI DSS v4.0 (requirement 12.3.3) requires a documented inventory of the cipher suites and protocols in use, and NIST guidance such as SP 800-175B assumes you know which cryptographic mechanisms you depend on; neither can be met without an accurate cryptographic inventory.
  • Security: Deprecated algorithms (MD5, SHA-1, DES), short keys and misused primitives introduce weaknesses an attacker can exploit.
  • Post-Quantum Readiness: A cryptographically relevant quantum computer would break the public-key schemes in common use today (RSA, Diffie-Hellman, ECDH/ECDSA); migrating to post-quantum algorithms starts with knowing where those schemes are used.
  • Visibility: Manual audits are slow, inconsistent, and do not scale across large or fast-changing codebases.
Crypto Finder addresses these challenges by automating cryptographic discovery, giving teams the visibility they need to secure and maintain their codebase.

Key Features

Multi-Scanner Support

Crypto Finder supports multiple scanning engines through an extensible architecture:
  • OpenGrep (default): Open-source fork of the Semgrep engine; Crypto Finder runs it with intra-file taint analysis enabled
  • Semgrep: Open-source static analysis tool
  • Additional scanners can be integrated via the extensible architecture

Advanced Detection Capabilities

  • Taint Analysis: The OpenGrep scanner applies --taint-intrafile by default, so rules can track data flow within a single file and relate where a value is produced (for example a hard-coded key) to where it is consumed (a cipher constructor), instead of only matching isolated call sites
  • Automatic Language Detection: Uses go-enry to detect project languages for optimised scanning
  • Flexible Rule Management: Supports local rule files and directories
  • Performance Optimised: Language-based rule filtering to minimise scan time

Standardised Output Formats

  • Interim JSON Format: A JSON format compatible with the SCANOSS ecosystem (used as an intermediate representation prior to final output)
  • CycloneDX CBOM: Cryptography Bill of Materials output conforming to the CycloneDX 1.6 specification
  • Structured data for integration with downstream security tooling

CI/CD and Integration Support

  • Docker Support: Pre-built Docker images for use in automated pipelines
  • Skip Patterns: Configurable file and directory exclusion via scanoss.json
  • GitHub Actions: Pre-built workflows for automated scanning
  • GitLab CI: Native integration support

How It Works

  1. Scan: Point crypto-finder at your source code repository
  2. Detect: Automatically identifies the programming languages present and fetches the matching cryptographic detection rules (from the SCANOSS API, or from the local cache when offline)
  3. Analyse: OpenGrep or Semgrep scans the codebase for cryptographic patterns using rule-based detection
  4. Report: Generates a CycloneDX CBOM or JSON output file

Use Cases

Security Auditing

Identify all cryptographic implementations in a codebase to verify they meet security standards and compliance requirements.

Cryptography Bill of Materials (CBOM)

Generate a comprehensive inventory of cryptographic assets for regulatory compliance (e.g. NIST SP 800-175B, FIPS 140) and security assessments.

Vulnerability Management

Detect deprecated or weak cryptographic algorithms — such as MD5, SHA-1, and DES — that may introduce security risk.

Supply Chain Security

Track cryptographic dependencies and implementations across the software supply chain.

Compliance Reporting

Generate reports in standardised formats (CycloneDX CBOM) for consumption by compliance teams and auditors.
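As an added example (not Crypto Finder's own code, and not its exact report format), the following Python script shows what a consumer of the CBOM produced in step 4 of How It Works can do with it: it walks the CycloneDX 1.6 `cryptographic-asset` components, applies the weak-algorithm check from the Vulnerability Management use case (MD5, SHA-1, DES and relatives), flags classical public-key primitives that carry no NIST quantum security level for the post-quantum inventory, and fails a CI job on policy violations. The embedded CBOM is constructed by hand for the example, and the policy lists (`WEAK_NAME`, `CLASSICAL_PUBLIC_KEY_PRIMITIVES`, `MIN_TLS_VERSION`) are assumptions, not the SCANOSS ruleset.

```python
"""Policy gate over a CycloneDX 1.6 Cryptography Bill of Materials (CBOM).

Added example: not Crypto Finder's own code and not its exact report. It relies
only on the CycloneDX 1.6 component shape for cryptographic assets
(`type: cryptographic-asset`, `cryptoProperties.assetType`,
`algorithmProperties`, `protocolProperties`, `evidence.occurrences`).
"""
import json
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample CBOM (hand-written for this example, not a real scan).
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "components": [
        {"type": "cryptographic-asset", "name": "MD5",
         "cryptoProperties": {"assetType": "algorithm", "oid": "1.2.840.113549.2.5",
                              "algorithmProperties": {"primitive": "hash"}},
         "evidence": {"occurrences": [{"location": "src/auth/token.py", "line": 42}]}},
        {"type": "cryptographic-asset", "name": "AES-256-GCM",
         "cryptoProperties": {"assetType": "algorithm", "oid": "2.16.840.1.101.3.4.1.46",
                              "algorithmProperties": {"primitive": "ae", "mode": "gcm"}},
         "evidence": {"occurrences": [{"location": "src/storage/blob.py", "line": 17}]}},
        {"type": "cryptographic-asset", "name": "RSA-2048",
         "cryptoProperties": {"assetType": "algorithm", "oid": "1.2.840.113549.1.1.1",
                              "algorithmProperties": {"primitive": "pke",
                                                      "parameterSetIdentifier": "2048",
                                                      "nistQuantumSecurityLevel": 0}},
         "evidence": {"occurrences": [{"location": "src/license/verify.py", "line": 88}]}},
        {"type": "cryptographic-asset", "name": "ML-KEM-768",
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "kem",
                                                      "nistQuantumSecurityLevel": 3}},
         "evidence": {"occurrences": [{"location": "src/transport/hybrid.py", "line": 5}]}},
        {"type": "cryptographic-asset", "name": "TLS",
         "cryptoProperties": {"assetType": "protocol",
                              "protocolProperties": {"type": "tls", "version": "1.0"}},
         "evidence": {"occurrences": [{"location": "src/transport/client.py", "line": 23}]}},
    ],
})

# Illustrative policy: assumptions for this example, not the SCANOSS ruleset.
WEAK_NAME = re.compile(r"\b(md[245]|sha-?1|(?:3|triple-?)?des|rc[24])\b", re.IGNORECASE)
CLASSICAL_PUBLIC_KEY_PRIMITIVES = {"pke", "signature", "key-agree"}
MIN_TLS_VERSION = (1, 2)


def iter_crypto_assets(components) -> Iterator[dict]:
    """Yield every cryptographic-asset component, descending into nested ones."""
    for component in components or []:
        if component.get("type") == "cryptographic-asset":
            yield component
        yield from iter_crypto_assets(component.get("components"))


def locations(component: dict) -> List[str]:
    """file:line strings from CycloneDX evidence.occurrences (may be empty)."""
    occurrences = component.get("evidence", {}).get("occurrences", [])
    return [f"{o.get('location', '?')}:{o.get('line', '?')}" for o in occurrences]


def _version_tuple(version) -> Optional[Tuple[int, ...]]:
    try:
        return tuple(int(part) for part in str(version).split("."))
    except ValueError:
        return None  # unknown or non-numeric version: deliberately not flagged here


def classify(component: dict) -> Optional[str]:
    """Return the policy rule a component violates, or None."""
    props = component.get("cryptoProperties", {})
    name = component.get("name", "")
    if props.get("assetType") == "algorithm":
        alg = props.get("algorithmProperties", {})
        if WEAK_NAME.search(name):
            return "weak-algorithm"
        # CycloneDX 1.6 nistQuantumSecurityLevel: 0 means no quantum security, so a
        # classical public-key primitive with level 0 (or unset) needs a migration plan.
        if alg.get("primitive") in CLASSICAL_PUBLIC_KEY_PRIMITIVES and not alg.get("nistQuantumSecurityLevel"):
            return "quantum-vulnerable"
    elif props.get("assetType") == "protocol":
        proto = props.get("protocolProperties", {})
        version = _version_tuple(proto.get("version"))
        if proto.get("type") == "tls" and version is not None and version < MIN_TLS_VERSION:
            return "deprecated-protocol"
    return None


def evaluate(bom: dict) -> List[Dict]:
    """All policy findings for a parsed CBOM, each with its evidence locations."""
    findings = []
    for component in iter_crypto_assets(bom.get("components")):
        rule = classify(component)
        if rule:
            findings.append({"name": component.get("name", ""), "rule": rule,
                             "locations": locations(component)})
    return findings


def gate(cbom_json: str, fail_on=("weak-algorithm", "deprecated-protocol")) -> Tuple[bool, List[Dict]]:
    """Parse a CBOM document; ok is False when any finding's rule is in fail_on."""
    findings = evaluate(json.loads(cbom_json))
    return (not any(f["rule"] in fail_on for f in findings), findings)


if __name__ == "__main__":
    ok, found = gate(SAMPLE_CBOM)
    for f in found:
        print(f"{f['rule']:<20} {f['name']:<12} {', '.join(f['locations'])}")
    raise SystemExit(0 if ok else 1)
```

In a pipeline, replace `SAMPLE_CBOM` with the contents of the CBOM file Crypto Finder writes and let the exit status fail the job. The `quantum-vulnerable` rule is reported but not blocking by default, which is the usual posture while a migration is planned; because each finding carries the `evidence.occurrences` locations, it can be routed to the team that owns the file.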

Cryptography Service

The Cryptography Service provides access to remote cryptographic rulesets via the SCANOSS API.

Automatic Rule Fetching

During each scan, Crypto Finder:
  • Detects the programming languages present in the target project
  • Retrieves the appropriate cryptographic detection rules from the SCANOSS API
  • Caches these rules locally for up to 7 days (Time-to-Live) to reduce network dependency and improve performance

Offline Mode

When the SCANOSS API is unavailable or the environment is air-gapped, Crypto Finder automatically falls back to offline mode, using the most recently cached rules so that scanning continues without interruption. Rules served this way are only as current as the last successful fetch, so a scan that ran in offline mode should be recorded as such when its results are used as compliance evidence.
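The fetch, cache and fallback behaviour described in this section, as an added Python example that is not SCANOSS's implementation: a `RuleCache` keyed by language, a 7-day TTL, and a fall-back to the last cached copy when the API cannot be reached, with a loud failure on a cold start that has nothing to fall back on. The on-disk layout, the `fetch` callable standing in for the SCANOSS API, and the rule contents are assumptions made for the example.

```python
"""Rule cache with a 7-day TTL and an offline fallback.

Added example, not SCANOSS's implementation: it models the behaviour the
Cryptography Service section describes (per-language rule fetch, local cache
with a TTL, fall back to the last cached copy when the API is unreachable).
The on-disk layout, the `fetch` callable standing in for the SCANOSS API,
and the rule contents are assumptions for the example.
"""
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

RULE_TTL_SECONDS = 7 * 24 * 60 * 60  # the page's "up to 7 days"


class RuleFetchError(Exception):
    """Raised by the fetch callable when the rules API cannot be reached."""


class RuleCache:
    def __init__(self, cache_dir: Path, fetch: Callable[[str], dict],
                 ttl: float = RULE_TTL_SECONDS, now: Callable[[], float] = time.time):
        self.cache_dir = Path(cache_dir)
        self.cache_dir.mkdir(parents=True, exist_ok=True)
        self.fetch = fetch   # assumed signature: fetch(language) -> ruleset dict
        self.ttl = ttl
        self.now = now       # injectable clock so TTL expiry is testable

    def _path(self, language: str) -> Path:
        return self.cache_dir / f"{language}.rules.json"

    def _read(self, path: Path) -> Optional[dict]:
        try:
            return json.loads(path.read_text())
        except (FileNotFoundError, json.JSONDecodeError):
            return None  # a missing or corrupt cache entry counts as no cache

    def _write(self, path: Path, entry: dict) -> None:
        tmp = path.with_suffix(".tmp")
        tmp.write_text(json.dumps(entry))
        os.replace(tmp, path)  # atomic rename: a crash mid-write never leaves a half file

    def get_rules(self, language: str) -> Tuple[dict, str]:
        """Return (ruleset, source); source is 'cache', 'api' or 'stale-cache'."""
        path = self._path(language)
        cached = self._read(path)
        now = self.now()
        if cached is not None and now - cached["fetched_at"] < self.ttl:
            return cached["rules"], "cache"
        try:
            rules = self.fetch(language)
        except RuleFetchError:
            if cached is None:
                raise  # cold start with no API: fail loudly rather than scan with no rules
            return cached["rules"], "stale-cache"  # offline mode
        self._write(path, {"fetched_at": now, "rules": rules})
        return rules, "api"


def _fake_api(state: Dict) -> Callable[[str], dict]:
    """Stand-in for the SCANOSS rules API; toggled offline via state['online']."""
    def fetch(language: str) -> dict:
        state["calls"] += 1
        if not state["online"]:
            raise RuleFetchError("rules API unreachable")
        return {"rules": [{"id": f"{language}-weak-hash-md5"}]}  # constructed ruleset
    return fetch


def demo(cache_dir: Optional[Path] = None) -> List[str]:
    """One language through first fetch, warm cache, TTL expiry during an outage, recovery."""
    cache_dir = cache_dir or Path(tempfile.mkdtemp())
    clock = {"t": 1_000_000.0}
    state = {"online": True, "calls": 0}
    cache = RuleCache(cache_dir, _fake_api(state), now=lambda: clock["t"])
    sources = []
    sources.append(cache.get_rules("python")[1])  # 'api': nothing cached yet
    sources.append(cache.get_rules("python")[1])  # 'cache': within TTL, no network call
    clock["t"] += RULE_TTL_SECONDS + 1             # TTL expires ...
    state["online"] = False                        # ... while the API is down
    sources.append(cache.get_rules("python")[1])  # 'stale-cache': offline mode
    state["online"] = True
    sources.append(cache.get_rules("python")[1])  # 'api': refreshed once reachable again
    return sources


def cold_start_offline_fails(cache_dir: Optional[Path] = None) -> bool:
    """True if an empty cache plus an unreachable API raises instead of scanning with no rules."""
    cache_dir = cache_dir or Path(tempfile.mkdtemp())
    cache = RuleCache(cache_dir, _fake_api({"online": False, "calls": 0}))
    try:
        cache.get_rules("go")
    except RuleFetchError:
        return True
    return False


if __name__ == "__main__":
    print(demo())                      # ['api', 'cache', 'stale-cache', 'api']
    print(cold_start_offline_fails())  # True
```

The `source` value returned alongside each ruleset is the part worth surfacing: a scan that ran on `stale-cache` rules should say so in its report, since those rules predate any updates published after the last successful fetch, and an empty cache with no network is treated as an error rather than silently producing an empty inventory.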

Flow