Modern software supply chains contain cryptographic implementations that are often invisible to the teams responsible for them. Regulations including the EU Cyber Resilience Act (CRA), DORA, and Executive Order 14028 require documented accountability for cryptographic usage, and Cryptography Bills of Materials (CBOMs) are increasingly expected by customers, auditors, and regulators. SCANOSS provides the tooling and datasets needed to achieve that visibility.

The Challenge of Cryptographic Visibility

Modern software applications rarely implement cryptography from scratch. Instead, they rely on numerous open-source libraries and dependencies that may contain many different cryptographic implementations. These implementations are often:
  • Hidden in transitive dependencies: Direct dependencies may themselves depend on libraries that implement cryptography you are unaware of.
  • Version-dependent: A specific package version may contain weak cryptography that was addressed in later releases.
  • Undocumented: Many libraries use cryptography internally without declaring which algorithms or key sizes they employ.
  • Not quantum-safe: Most existing cryptographic implementations rely on algorithms such as RSA and ECC that are expected to become vulnerable as quantum computing capabilities advance.
Consider this scenario: your application uses a popular HTTP library that internally depends on a cryptographic library implementing 1024-bit RSA and MD5 hashing. Neither appears in your dependency declarations, yet both create compliance violations and security vulnerabilities. You cannot secure what you cannot see.

Why Cryptographic Visibility Matters

Several converging factors have made cryptographic visibility increasingly important.
  • Regulatory pressure: The EU Cyber Resilience Act requires manufacturers to document cryptographic implementations. FIPS compliance demands specific algorithm certifications. Export controls restrict certain cryptographic technologies across borders.
  • Post-quantum risk: Quantum computers are expected to break widely used algorithms such as RSA and ECC. Organisations need to inventory their current cryptographic usage to plan migration towards quantum-resistant alternatives. This process, commonly referred to as cryptographic agility, requires knowing exactly where and how cryptography is used.
  • Security hygiene: Legacy algorithms (MD5, SHA-1, DES, 1024-bit RSA) remain prevalent in older dependencies and create exploitable vulnerabilities. Identifying and remediating weak cryptography is a fundamental security practice.
  • Supply chain transparency: Just as Software Bills of Materials (SBOMs) provide component transparency, CBOMs provide cryptographic transparency. Customers, auditors, and regulators increasingly require CBOMs to assess cryptographic risk.

Building a Strategy for Cryptographic Transparency

Managing cryptographic risk requires comprehensive visibility across your entire software supply chain. DevSecOps teams need a cryptographic detection system capable of identifying algorithms, key sizes, protocols, and frameworks, regardless of how deeply nested they are in dependency trees. SCANOSS provides this through multiple complementary approaches.
  • Component-level detection: Automatically identify which open-source components contain cryptographic implementations, what algorithms they use, and which versions introduced or removed specific cryptographic capabilities.
  • Source code scanning: Detect cryptographic keywords, patterns, and implementations in source code, including local modifications and custom implementations that would not appear in dependency manifests.
  • Protocol and framework recognition: Identify supporting cryptographic infrastructure (encryption libraries such as OpenSSL and BouncyCastle, SDKs, and protocol stacks) that indicates cryptographic usage even when specific algorithms are not directly referenced.
  • Version-specific analysis: Track cryptographic capabilities across version ranges to understand when algorithms were introduced, modified, or deprecated. This is critical for planning upgrades and migrations.
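As an added example, not part of the SCANOSS documentation or tooling: a minimal rule-driven scanner in the spirit of the source code scanning and key-size analysis described above, which walks a small source tree, records each algorithm hit with its location, flags legacy algorithms and sub-2048-bit RSA, and marks RSA/ECC as not quantum-safe. The rule set, file paths and source snippets are constructed for illustration, and the output is a simplified inventory rather than a standard CBOM schema.

```python
import json
import re
# Constructed rule set for illustration only; SCANOSS ships its own rulesets via its tooling.
# Fields: algorithm, pattern, primitive, weak regardless of size, quantum-safe, minimum safe key bits.
RULES = [
    ("MD5",   re.compile(r"\bmd5\b", re.I),                  "hash",       True,  True,  None),
    ("SHA-1", re.compile(r"\bsha-?1\b", re.I),               "hash",       True,  True,  None),
    ("SHA-2", re.compile(r"\bsha-?(?:256|384|512)\b", re.I), "hash",       False, True,  None),
    ("DES",   re.compile(r"\bDES\b"),                        "cipher",     True,  True,  None),
    ("AES",   re.compile(r"\bAES\b"),                        "cipher",     False, True,  None),
    # RSA also captures a nearby key size so that 1024-bit keys are flagged as weak.
    ("RSA",   re.compile(r"\bRSA(?![a-z])(?:[^\n]{0,40}?\b(\d{3,4})\b)?"), "asymmetric", False, False, 2048),
    ("ECC",   re.compile(r"\b(?:ECDSA|ECDH|secp\d{3}[rk]1)\b"), "asymmetric", False, False, None),
]
# Constructed source snippets standing in for an application and one transitive dependency.
SAMPLE_TREE = {
    "vendor/httpclient/auth.py": "digest = hashlib.md5(token).hexdigest()\nkey = RSA.generate(1024)\n",
    "app/crypto.py": "cipher = AES.new(key, AES.MODE_GCM)\nh = hashlib.sha256(data)\nsig = ECDSA.sign(h)\n",
}

def scan_source(path, text):
    """Return one finding per rule hit per line, with the key size when the rule captured one."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, primitive, weak, qsafe, min_bits in RULES:
            m = rx.search(line)
            if not m:
                continue
            bits = int(m.group(1)) if m.groups() and m.group(1) else None
            findings.append({"algorithm": name, "primitive": primitive, "file": path, "line": lineno,
                             "key_size": bits, "quantum_safe": qsafe,
                             "weak": weak or (min_bits is not None and bits is not None and bits < min_bits)})
    return findings

def scan_tree(tree):
    """Scan every file in a {path: source} mapping, vendored dependencies included."""
    return [f for path, text in tree.items() for f in scan_source(path, text)]

def build_cbom(findings):
    """Aggregate findings into a simplified inventory (constructed shape, not the CycloneDX CBOM schema)."""
    assets = {}
    for f in findings:
        entry = assets.setdefault((f["algorithm"], f["key_size"]), {
            "algorithm": f["algorithm"], "primitive": f["primitive"], "key_size": f["key_size"],
            "weak": f["weak"], "quantum_safe": f["quantum_safe"], "occurrences": []})
        entry["occurrences"].append(f"{f['file']}:{f['line']}")
    return {"cryptographic_assets": sorted(assets.values(), key=lambda a: a["algorithm"])}

if __name__ == "__main__":
    print(json.dumps(build_cbom(scan_tree(SAMPLE_TREE)), indent=2))
```

Running it reports the 1024-bit RSA and MD5 usage that live only in the vendored dependency, which is exactly the class of finding a dependency manifest alone would miss.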

SCANOSS Solutions for Cryptography Detection

SCANOSS provides a suite of tools and datasets designed to support cryptographic transparency.

Encryption Dataset

The SCANOSS Encryption Dataset is a specialised subset of the SCANOSS Knowledge Base, offering detailed metadata and source code fingerprints for open-source components that implement or reference cryptographic functionality.

SCANOSS API

SCANOSS provides dedicated API endpoints for querying cryptographic metadata. Refer to the linked repository for available endpoints and query formats.

Crypto Finder

The Crypto Finder command-line tool enables local cryptographic analysis using remote rulesets. It automatically detects programming languages in your project, retrieves appropriate detection rules from SCANOSS, and generates detailed cryptographic reports.

SBOM Workbench

SBOM Workbench provides a visual interface for cryptographic analysis, allowing you to inspect cryptographic findings across components and dependency trees. Refer to the linked repository for installation and usage instructions.

SCANOSS-PY

SCANOSS-PY is a command-line tool for scanning codebases and detecting cryptographic algorithms. It is suitable for integration into CI/CD pipelines. Refer to the linked repository for usage and configuration options.
