
The Problem

What cryptography is in your codebase? Algorithms, certificates, protocols, and keys — critical components that many teams struggle to inventory and assess with confidence. Without clear visibility, organisations face serious challenges:
  • Compliance: Standards like PCI-DSS, NIST, and other regulatory frameworks require an accurate cryptographic inventory.
  • Security: Outdated or weak cryptographic implementations introduce exploitable vulnerabilities.
  • Post-Quantum Readiness: Emerging quantum computing capabilities will render current encryption schemes obsolete.
  • Visibility: Manual audits are slow, inconsistent, and unscalable across large or fast-changing codebases.
Crypto Finder solves these challenges by automating cryptographic discovery, giving teams the insight they need to secure and modernise their code.

Key Features

Multi-Scanner Support

Supports multiple scanning engines with extensible architecture:
  • OpenGrep (default): High-performance scanner with advanced taint analysis
  • Semgrep: Popular open-source static analysis tool
  • Extensible architecture for additional scanners

Advanced Detection Capabilities

  • Taint Analysis: OpenGrep scanner includes --taint-intrafile by default for enhanced dataflow analysis
  • Automatic Language Detection: Uses go-enry to detect project languages for optimised scanning
  • Flexible Rule Management: Support for local rule files and directories
  • Performance Optimised: Language-based rule filtering to minimise scan time

Standardised Output Formats

  • Interim JSON Format: Compatible with the SCANOSS ecosystem
  • CycloneDX CBOM: Industry-standard Cryptography Bill of Materials (CycloneDX 1.6)
  • Structured data for integration with security tools

Integration Ready

  • CI/CD Ready: Docker images and integration-friendly design
  • Skip Patterns: Configurable file/directory exclusion via scanoss.json
  • GitHub Actions: Pre-built workflows for automated scanning
  • GitLab CI: Native integration support

How It Works

  1. Scan: Point crypto-finder to your source code
  2. Detect: Automatically identifies languages and fetches appropriate cryptographic detection rules
  3. Analyse: OpenGrep/Semgrep scans for crypto patterns using rule-based detection
  4. Report: Generates CycloneDX CBOM or JSON output

Use Cases

Security Auditing

Identify all cryptographic implementations in your codebase to ensure they meet security standards and compliance requirements.

Cryptography Bill of Materials (CBOM)

Generate comprehensive inventories of cryptographic assets for regulatory compliance (NIST, FIPS, etc.) and security assessments.

Vulnerability Management

Detect deprecated or weak cryptographic algorithms (MD5, SHA-1, DES) that may pose security risks.

Supply Chain Security

Track cryptographic dependencies and implementations across your software supply chain.

Compliance Reporting

Generate reports in standardised formats (CycloneDX) for compliance teams and auditors.

Cryptography Service

The Cryptography Service provides enterprise users with remote cryptographic rulesets powered by the SCANOSS API.

Automatic Rule Fetching

During each scan, Crypto Finder:
  • Detects the programming languages in the target project
  • Retrieves the appropriate cryptographic detection rules from the SCANOSS API
  • Caches these rules locally for up to 7 days (TTL) to optimise performance and reduce network dependency

Offline Mode

When the SCANOSS API is unavailable or the environment is air-gapped, Crypto Finder automatically switches to offline mode, using the most recent cached rules to continue scanning without interruption.
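The fetch, cache and offline-fallback behaviour described under Automatic Rule Fetching and Offline Mode, written out as an added example. This is illustrative Go, not Crypto Finder's own code: the names (RuleCache, RulesFor), the injected fetch and clock functions, and the rule identifiers are assumptions or constructed samples.

```go
package main

import (
	"fmt"
	"time"
)
// RuleCacheTTL mirrors the 7-day rule cache lifetime described on the page.
const RuleCacheTTL = 7 * 24 * time.Hour
// cachedRules is one cache entry: rule identifiers for a language and their fetch time.
type cachedRules struct {
	rules     []string
	fetchedAt time.Time
}
// RuleCache serves stale entries when the API is unreachable; fetch and now are injected.
type RuleCache struct {
	entries map[string]cachedRules
	fetch   func(lang string) ([]string, error)
	now     func() time.Time
}
func NewRuleCache(fetch func(string) ([]string, error), now func() time.Time) *RuleCache {
	return &RuleCache{entries: map[string]cachedRules{}, fetch: fetch, now: now}
}
// RulesFor returns the rules for lang and whether they came from the stale-cache fallback.
func (c *RuleCache) RulesFor(lang string) ([]string, bool, error) {
	entry, cached := c.entries[lang]
	if cached && c.now().Sub(entry.fetchedAt) < RuleCacheTTL {
		return entry.rules, false, nil // fresh cache hit: no network round trip
	}
	rules, err := c.fetch(lang)
	if err != nil {
		if cached {
			return entry.rules, true, nil // expired but present: keep scanning on stale rules
		}
		return nil, false, fmt.Errorf("no cached rules for %s and API unreachable: %w", lang, err)
	}
	c.entries[lang] = cachedRules{rules: rules, fetchedAt: c.now()}
	return rules, false, nil
}
func main() {
	online, clock := true, time.Now()
	cache := NewRuleCache(func(lang string) ([]string, error) {
		if !online {
			return nil, fmt.Errorf("SCANOSS API unreachable")
		}
		return []string{lang + "-weak-hash-md5"}, nil // constructed sample rule id
	}, func() time.Time { return clock })
	fmt.Println(cache.RulesFor("go")) // live fetch: rules, false, <nil>
	online, clock = false, clock.Add(8*24*time.Hour)
	fmt.Println(cache.RulesFor("go")) // expired and offline: same rules, true, <nil>
}
```

The boolean return distinguishes a normal scan from one that ran in offline mode, which is worth surfacing in CI logs so a report built on stale rules is not mistaken for a current one.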

Flow