First Scan

Basic Scanning

Scan with remote rulesets (recommended — curated and maintained by SCANOSS):
crypto-finder scan /path/to/code
Scan with local rules only:
crypto-finder scan --no-remote-rules --rules-dir ./rules /path/to/code
Generate a CycloneDX Cryptography Bill of Materials (CBOM):
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code

Common Use Cases

CI/CD Integration:
# Fail the build if findings are detected. In CI, consider adding --strict as well,
# so that a failed remote ruleset fetch fails the job instead of silently scanning
# with an expired cached ruleset.
crypto-finder scan --fail-on-findings /path/to/code
Custom Rule Combination:
# Combine remote rulesets with local custom rules
crypto-finder scan --rules-dir ./custom-rules /path/to/code
Force Fresh Ruleset Download:
# Bypass the cache and force a fresh download of remote rulesets
crypto-finder scan --no-cache /path/to/code
Post-Scan Format Conversion:
# Convert existing scan results to CycloneDX CBOM format
crypto-finder convert results.json --output cbom.json

# Or pipe directly from a scan
crypto-finder scan /path/to/code | crypto-finder convert --output cbom.json

Configuration

Crypto Finder can be configured via command-line flags, environment variables, or configuration files.
# Set an API key
crypto-finder configure --api-key YOUR_API_KEY

# Set a custom API URL
crypto-finder configure --api-url https://custom.scanoss.com
Environment Variables:
export SCANOSS_API_KEY=your-key
export SCANOSS_API_URL=https://custom.scanoss.com
Project-level configuration via scanoss.json:
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": ["node_modules/", "target/", "venv/"]
      }
    }
  }
}
For detailed configuration options, see the Configuration Documentation.

Command Line Arguments

crypto-finder scan [flags] <target>
Common options:
  • --rules <file> — Custom rule file path (repeatable; use alongside --rules-dir)
  • --rules-dir <dir> — Directory containing custom rule files (repeatable)
  • --no-remote-rules — Disable fetching of remote rulesets
  • --no-cache — Force a fresh download of remote rulesets, bypassing the local cache
  • --strict — Disable stale cache fallback; fail if remote rulesets cannot be fetched
  • --scanner <name> — Scanner to use: opengrep (recommended) or semgrep
  • --format <format> — Output format: json (default) or cyclonedx
  • --output <file> — Output file path (default: stdout)
  • --languages <langs> — Override automatic language detection (comma-separated list)
  • --fail-on-findings — Exit with a non-zero code if any findings are detected
  • --timeout <duration> — Scan timeout duration (default: 10m)
  • --verbose, -v — Enable verbose logging
  • --help — Display help information
For a complete list of commands and options, run crypto-finder --help.

Advanced Topics

Features

  • Multi-Scanner Support — Supports OpenGrep (recommended) and Semgrep as configurable scan engines; Semgrep includes advanced taint analysis (inter-procedural data-flow tracking).
  • Remote Rulesets — Automatically fetches and caches SCANOSS-maintained rulesets from the SCANOSS API; the local cache is used as a fallback if the remote is unavailable.
  • Flexible Configuration — Combine remote rulesets with local custom rules; configure via CLI flags, environment variables, or a scanoss.json configuration file.
  • Multiple Output Formats — Supports JSON and CycloneDX 1.6 CBOM output formats.
  • CI/CD Integration — Official Docker images available for use with GitHub Actions, GitLab CI, Jenkins, and other CI/CD platforms.
  • TTL-Based Caching — Remote rulesets are cached with a configurable time-to-live (TTL); expired cache entries are used as a fallback when the remote is unavailable (disable with --strict).
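To make the caching policy in the Remote Rulesets and TTL-Based Caching points concrete, the following is an added illustration written for this page; it is not SCANOSS's own code. The on-disk cache layout, the fetch callback, the "source" labels, and the assumption that a forced refresh (the equivalent of --no-cache) still falls back to the cache when the remote is down unless strict mode is on are all assumptions made for the example.

```python
"""Illustrative TTL cache with stale fallback (added example, not SCANOSS code).

Policy being modelled:
  * fresh cache entry (age < ttl)        -> serve from cache, no network
  * expired or missing, remote reachable -> store and serve the remote copy
  * expired, remote down, lenient mode   -> serve the expired copy (stale fallback)
  * expired, remote down, strict mode    -> refuse; never scan with rules of unknown age
  * no_cache=True                        -> always try the remote first (like --no-cache)
"""
import json
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple


class RulesetUnavailable(RuntimeError):
    """No ruleset could be obtained under the configured policy."""


class RulesetCache:
    def __init__(self, cache_dir: Path, ttl_seconds: float, *, strict: bool = False,
                 no_cache: bool = False, clock: Callable[[], float] = time.time) -> None:
        self.cache_dir = Path(cache_dir)
        self.cache_dir.mkdir(parents=True, exist_ok=True)
        self.ttl = ttl_seconds
        self.strict = strict
        self.no_cache = no_cache
        self.clock = clock  # injectable so tests can age entries without sleeping

    def _entry_path(self, name: str) -> Path:
        return self.cache_dir / f"{name}.json"  # assumed layout: one JSON file per ruleset

    def _load(self, name: str) -> Optional[Dict]:
        path = self._entry_path(name)
        if not path.exists():
            return None
        try:
            return json.loads(path.read_text())
        except ValueError:
            return None  # a corrupt cache file is treated as missing, not trusted

    def _store(self, name: str, rules: Dict) -> None:
        payload = {"fetched_at": self.clock(), "rules": rules}
        self._entry_path(name).write_text(json.dumps(payload))

    def get(self, name: str, fetch: Callable[[], Dict]) -> Tuple[Dict, str]:
        """Return (rules, source) where source is 'cache', 'remote' or 'stale-cache'."""
        entry = self._load(name)
        if entry is not None and not self.no_cache:
            if self.clock() - entry["fetched_at"] < self.ttl:
                return entry["rules"], "cache"
        try:
            rules = fetch()
        except Exception as exc:
            # Remote unreachable: only an existing entry can save us, and only in lenient mode.
            if entry is None or self.strict:
                raise RulesetUnavailable(
                    f"remote fetch of {name!r} failed and stale fallback is not allowed"
                ) from exc
            return entry["rules"], "stale-cache"
        self._store(name, rules)
        return rules, "remote"


def demo() -> List[str]:
    """Drive the policy through every branch with a fake clock and a fake remote."""
    state = {"t": 1000.0, "remote_up": True}
    sample_rules = {"rules": [{"id": "example-rule"}]}  # constructed sample payload

    def fetch() -> Dict:
        if not state["remote_up"]:
            raise ConnectionError("remote unavailable")
        return sample_rules

    clock = lambda: state["t"]
    log: List[str] = []
    with tempfile.TemporaryDirectory() as d:
        lenient = RulesetCache(Path(d), 3600, clock=clock)
        log.append(lenient.get("crypto", fetch)[1])   # nothing cached yet -> remote
        log.append(lenient.get("crypto", fetch)[1])   # fresh entry -> cache
        state["t"] += 7200                            # entry is now past its TTL
        state["remote_up"] = False
        log.append(lenient.get("crypto", fetch)[1])   # expired + remote down -> stale-cache
        strict = RulesetCache(Path(d), 3600, strict=True, clock=clock)
        try:
            strict.get("crypto", fetch)
            log.append("unexpected")
        except RulesetUnavailable:
            log.append("strict-refused")              # --strict equivalent: fail instead
        state["remote_up"] = True
        forced = RulesetCache(Path(d), 3600, no_cache=True, clock=clock)
        log.append(forced.get("crypto", fetch)[1])    # --no-cache equivalent -> remote
    return log


if __name__ == "__main__":
    print(demo())
```

The strict branch is the one that matters in CI: without it, an outage of the ruleset source turns into a scan against rules of unknown age that still exits 0, which is exactly the kind of silent degradation --strict is there to prevent.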