
Prerequisites

Before you begin, ensure you have:
  • Crypto Finder installed (see Installation)
  • At least one scanner installed (OpenGrep or Semgrep)
  • SCANOSS API key (optional but recommended for remote rulesets)
  • Source code to scan

First Scan

Basic Scanning

Scan with remote rulesets (recommended):
crypto-finder scan /path/to/code
Scan with local rules:
crypto-finder scan --no-remote-rules --rules-dir ./rules /path/to/code
Generate CycloneDX CBOM:
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code

Common Use Cases

CI/CD Integration:
# Fail build if cryptographic assets are detected
crypto-finder scan --fail-on-findings /path/to/code
Custom Rule Combination:
# Combine remote rules with local custom rules
crypto-finder scan --rules-dir ./custom-rules /path/to/code
Force Fresh Rules:
# Bypass cache and force fresh download
crypto-finder scan --no-cache /path/to/code
Format Conversion:
# Convert existing results to CycloneDX
crypto-finder convert results.json --output cbom.json

# Or pipe from scan
crypto-finder scan /path/to/code | crypto-finder convert --output cbom.json
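Because --fail-on-findings stops the build on any cryptographic asset, a pipeline usually wants a narrower gate that runs over the CycloneDX CBOM instead. The script below is an added example, not Crypto Finder's or SCANOSS's own code: it reads the file written by crypto-finder scan --format cyclonedx --output cbom.json, counts assets by type, and exits non-zero only when a banned algorithm appears. It assumes the components follow the CycloneDX 1.6 cryptographic-asset shape (type, name, cryptoProperties.assetType, evidence.occurrences); the banned-algorithm list, the file paths and SAMPLE_CBOM are constructed for illustration and should be replaced with your own policy and scan output.

```python
"""CI policy gate over a CycloneDX 1.6 CBOM (added example, not part of Crypto Finder)."""
import json
import sys

# Illustrative policy: algorithm names (matched case-insensitively) that fail the build.
BANNED_ALGORITHMS = {"md5", "sha1", "des", "3des", "rc4"}

# Constructed sample CBOM in the CycloneDX 1.6 cryptographic-asset shape; used when no
# file argument is given so the script runs stand-alone. Paths and values are made up.
SAMPLE_CBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {
            "type": "cryptographic-asset",
            "name": "AES-256-GCM",
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": "ae", "parameterSetIdentifier": "256", "mode": "gcm"},
            },
            "evidence": {"occurrences": [{"location": "src/vault.py", "line": 42}]},
        },
        {
            "type": "cryptographic-asset",
            "name": "MD5",
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "hash"}},
            "evidence": {
                "occurrences": [
                    {"location": "src/legacy/auth.py", "line": 17},
                    {"location": "tests/test_auth.py", "line": 8},
                ]
            },
        },
        {
            "type": "cryptographic-asset",
            "name": "TLS",
            "cryptoProperties": {"assetType": "protocol", "protocolProperties": {"type": "tls", "version": "1.2"}},
        },
    ],
}


def crypto_assets(cbom):
    """Yield only the cryptographic-asset components; other component types are ignored."""
    for comp in cbom.get("components", []):
        if comp.get("type") == "cryptographic-asset":
            yield comp


def occurrence_refs(comp):
    """Return 'location:line' strings from evidence.occurrences, or '?' if line is absent."""
    refs = []
    for occ in comp.get("evidence", {}).get("occurrences", []):
        loc = occ.get("location", "?")
        line = occ.get("line")
        refs.append(f"{loc}:{line}" if line is not None else loc)
    return refs


def evaluate(cbom, banned=BANNED_ALGORITHMS):
    """Return (violations, summary).

    violations: list of (algorithm name, [occurrence refs]) for banned algorithms.
    summary: count of cryptographic assets per assetType (algorithm, protocol, ...).
    """
    violations = []
    summary = {}
    for comp in crypto_assets(cbom):
        asset_type = comp.get("cryptoProperties", {}).get("assetType", "unknown")
        summary[asset_type] = summary.get(asset_type, 0) + 1
        if asset_type != "algorithm":
            continue  # policy here is about algorithms; protocols/certs are only counted
        name = comp.get("name", "")
        if name.strip().lower() in banned:
            violations.append((name, occurrence_refs(comp)))
    return violations, summary


def main(argv):
    """Usage: python cbom_gate.py [cbom.json]. Exit 1 on any banned algorithm."""
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            cbom = json.load(fh)
    else:
        print("no CBOM path given, using the constructed SAMPLE_CBOM")
        cbom = SAMPLE_CBOM
    violations, summary = evaluate(cbom)
    print("crypto assets by type:", json.dumps(summary, sort_keys=True))
    for name, refs in violations:
        print(f"BANNED algorithm {name} at: {', '.join(refs) or 'no occurrence data'}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In a pipeline this runs right after the scan step, e.g. crypto-finder scan --format cyclonedx --output cbom.json . && python cbom_gate.py cbom.json; keep the CBOM as a build artifact so the inventory survives even when the gate passes.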

Configuration

The application can be configured via command-line flags, environment variables, or configuration files.
# Set API key
crypto-finder configure --api-key YOUR_API_KEY

# Set custom API URL
crypto-finder configure --api-url https://custom.scanoss.com
Environment Variables (in CI, inject SCANOSS_API_KEY from the secret store rather than committing it to a file):
export SCANOSS_API_KEY=your-key
export SCANOSS_API_URL=https://custom.scanoss.com
Project-level configuration via scanoss.json:
{
  "settings": {
    "skip": {
      "patterns": {
        "scanning": ["node_modules/", "target/", "venv/"]
      }
    }
  }
}
For detailed configuration options, see Configuration Documentation.

Command Line Arguments

crypto-finder scan [flags] <target>
Common options:
  • --rules <file> - Custom rule file (repeatable)
  • --rules-dir <dir> - Rule directory (repeatable)
  • --no-remote-rules - Disable remote ruleset fetching
  • --no-cache - Force fresh download, bypass cache
  • --scanner <name> - Scanner to use: opengrep (default), semgrep
  • --format <format> - Output format: json (default), cyclonedx
  • --output <file> - Output file path (default: stdout)
  • --languages <langs> - Override language detection (comma-separated)
  • --fail-on-findings - Exit with error if findings detected
  • --timeout <duration> - Scan timeout (default: 10m)
  • --verbose, -v - Enable verbose logging
  • --help - Display help information
For a complete list of commands and options, run crypto-finder --help.

Advanced Topics

Features

  • Multi-Scanner Support - OpenGrep (default) and Semgrep with advanced taint analysis
  • Remote Rulesets - Automatically fetch curated rules from SCANOSS API with local caching
  • Flexible Configuration - Combine remote and local rules, configure via CLI, env vars, or config files
  • Multiple Output Formats - JSON and CycloneDX 1.6 CBOM formats
  • CI/CD Ready - Docker images for GitHub Actions, GitLab CI, Jenkins, and more
  • Smart Caching - TTL-based cache; if a refresh fails, the stale cached rules are used unless --strict is set, which disables that fallback