Format | Description | Use Case
JSON | default format | SCANOSS ecosystem, detailed analysis
CycloneDX | Industry-standard CBOM | Compliance, third-party tools

JSON Format

The default output format containing detailed cryptographic asset information optimised for the SCANOSS ecosystem.

Generate

# Output to stdout
crypto-finder scan /path/to/code

# Save to file
crypto-finder scan --output results.json /path/to/code

Format Specification

{
  "version": "1.0",
  "tool": {
    "name": "opengrep",
    "version": "1.12.1"
  },
  "findings": [
    {
      "file_path": "path/to/file",
      "language": "language_name",
      "cryptographic_assets": [
        {
          "match_type": "scanner_name",
          "line_number": 123,
          "match": "code snippet",
          "rule": {
            "id": "rule.id",
            "message": "description",
            "severity": "INFO|WARNING|ERROR"
          },
          "type": "algorithm|certificate|protocol|related-crypto-material",
          "name": "algorithm_name",
          "primitive": "primitive_type",
          "mode": "mode_of_operation",
          "padding": "padding_scheme"
        }
      ],
      "timestamp_utc": "2025-01-15T10:00:00Z"
    }
  ]
}

Field Descriptions

Field | Description
version | Format version (currently "1.0")
tool.name | Scanner used (opengrep or semgrep)
tool.version | Scanner version
findings | Array of file-level findings
file_path | Relative path to scanned file
language | Detected programming language
cryptographic_assets | Array of crypto findings in the file
match_type | Scanner that detected the asset
line_number | Line where the match was found
match | Actual code snippet matched
rule.id | Unique rule identifier
rule.message | Human-readable description
rule.severity | Finding severity level
type | Asset classification
name | Algorithm/protocol name
primitive | Cryptographic primitive type
mode | Mode of operation (for block ciphers)
padding | Padding scheme used

Example Output

{
  "version": "1.0",
  "tool": {
    "name": "opengrep",
    "version": "1.12.1"
  },
  "findings": [
    {
      "file_path": "src/crypto/Example.java",
      "language": "java",
      "cryptographic_assets": [
        {
          "match_type": "opengrep",
          "line_number": 29,
          "match": "cipher = Cipher.getInstance(\"AES/CBC/PKCS5Padding\");",
          "rule": {
            "id": "java.crypto.cipher-aes-cbc",
            "message": "AES cipher usage detected",
            "severity": "INFO"
          },
          "type": "algorithm",
          "name": "AES",
          "primitive": "block-cipher",
          "mode": "CBC",
          "padding": "PKCS5Padding"
        }
      ],
      "timestamp_utc": "2025-10-22T10:00:00Z"
    }
  ]
}

Use Cases

  • Integration with SCANOSS platform
  • Custom analysis pipelines
  • Detailed cryptographic asset tracking
  • Security auditing and compliance

CycloneDX Format

A Cryptography Bill of Materials (CBOM) format compatible with CycloneDX 1.6, intended for standardised reporting to third-party tools.

Features

  • Schema Validation: Validates against CycloneDX 1.6 specification
  • Standardized Components: Maps cryptographic assets to standardized component types
  • Rich Metadata: Includes algorithm properties, evidence, and provenance
  • Industry Standard: Compatible with CycloneDX ecosystem tools

Supported Asset Types

Type | Description
algorithm | Cryptographic algorithms (AES, RSA, SHA-256, etc.)
certificate | Digital certificates and certificate chains
protocol | Cryptographic protocols (TLS, SSH, etc.)
related-crypto-material | Keys, seeds, nonces, and other crypto material

Generate

# Direct generation
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code

Example Output

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-15T10:00:00Z",
    "tools": [
      {
        "vendor": "SCANOSS",
        "name": "crypto-finder",
        "version": "0.1.0"
      }
    ],
    "component": {
      "type": "application",
      "name": "scanned-project"
    }
  },
  "components": [
    {
      "type": "cryptographic-asset",
      "name": "AES",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "block-cipher",
          "mode": "CBC",
          "padding": "PKCS5Padding"
        }
      },
      "evidence": {
        "occurrences": [
          {
            "location": "src/crypto/Example.java:29"
          }
        ]
      }
    }
  ]
}

Converting Formats

Use the convert command to transform interim JSON to CycloneDX:

# Convert from file
crypto-finder convert results.json --output cbom.json

# Convert from stdin (pipe from scan)
crypto-finder scan /path/to/code | crypto-finder convert --output cbom.json

# Direct output during scan
crypto-finder scan --format cyclonedx --output cbom.json /path/to/code
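The mapping the two example outputs imply (name and type to the component and assetType, primitive/mode/padding to algorithmProperties, file_path:line_number to an evidence occurrence, the matched snippet dropped) written out as an added example; this is not crypto-finder's own convert implementation, the sample input is constructed, and merging repeated assets into one component with several occurrences is this example's assumption rather than documented tool behaviour.

```python
import json
ALGO_PROPS = ("primitive", "mode", "padding")  # interim fields feeding algorithmProperties

def to_cbom(interim: dict, project: str = "scanned-project") -> dict:
    """Map interim JSON findings to a CycloneDX 1.6 CBOM dict (example mapping)."""
    components = {}  # (type, name, props) -> component; dedupes repeat assets (assumption)
    for finding in interim["findings"]:
        for asset in finding["cryptographic_assets"]:
            props = {k: asset[k] for k in ALGO_PROPS if asset.get(k)}
            key = (asset["type"], asset["name"], tuple(sorted(props.items())))
            comp = components.setdefault(key, {
                "type": "cryptographic-asset",
                "name": asset["name"],
                "cryptoProperties": {"assetType": asset["type"]},
                "evidence": {"occurrences": []},
            })
            if asset["type"] == "algorithm" and props:
                comp["cryptoProperties"]["algorithmProperties"] = props
            # The matched snippet is dropped: only file:line survives, as in the CBOM example.
            comp["evidence"]["occurrences"].append(
                {"location": f"{finding['file_path']}:{asset['line_number']}"})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {
            "tools": [{"vendor": "SCANOSS", "name": "crypto-finder", "version": "0.1.0"}],
            "component": {"type": "application", "name": project},
        },
        "components": list(components.values()),
    }

def _asset(line, name, primitive, mode=None, padding=None):
    """Build one constructed interim-format asset (sample data, not scanner output)."""
    a = {"match_type": "opengrep", "line_number": line, "match": "<snippet>",
         "rule": {"id": "rule.id", "message": "description", "severity": "INFO"},
         "type": "algorithm", "name": name, "primitive": primitive}
    a.update({k: v for k, v in (("mode", mode), ("padding", padding)) if v})
    return a

# Constructed input: the same AES/CBC asset at two lines, plus RSA with no mode or padding.
SAMPLE = {"version": "1.0", "tool": {"name": "opengrep", "version": "1.12.1"},
          "findings": [{"file_path": "src/crypto/Example.java", "language": "java",
                        "cryptographic_assets": [_asset(29, "AES", "block-cipher", "CBC", "PKCS5Padding"),
                                                 _asset(41, "AES", "block-cipher", "CBC", "PKCS5Padding"),
                                                 _asset(57, "RSA", "pke")],
                        "timestamp_utc": "2025-10-22T10:00:00Z"}]}

if __name__ == "__main__":
    print(json.dumps(to_cbom(SAMPLE), indent=2))
```

Running the script prints a CBOM with two components: one AES entry carrying both occurrences, and one RSA entry whose algorithmProperties holds only the primitive.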

Integration

CycloneDX CBOM output can be consumed by:

  • Dependency track systems
  • Software Bill of Materials (SBOM) aggregators
  • Security scanning platforms
  • Compliance reporting tools
  • Supply chain risk management systems

Format Comparison

Feature | Interim JSON | CycloneDX CBOM
Ecosystem | SCANOSS-specific | Industry standard
Detail Level | High (includes code snippets) | Medium (structured metadata)
File Size | Larger | Smaller
Best For | Deep analysis, custom tooling | Compliance, integration, reporting
Schema | SCANOSS interim spec | CycloneDX 1.6
Validation | SCANOSS tools | CycloneDX validators