The increasing complexity of software supply chains has made cryptographic transparency essential for modern organisations. With regulations like the EU Cyber Resilience Act (CRA), DORA, and Executive Order 14028 demanding greater accountability, understanding what encryption exists in your codebase is no longer optional; it’s a compliance requirement. Yet most organisations struggle to answer fundamental questions: Which cryptographic algorithms are we using? Are they quantum-safe? Do they meet FIPS requirements? Are we using deprecated or weak encryption that exposes us to security risks?

The Challenge of Cryptographic Visibility

Modern software applications rarely implement cryptography from scratch. Instead, they rely on countless open source libraries and dependencies that may contain hundreds of different cryptographic implementations. These implementations are often:
  • Hidden in transitive dependencies: Your direct dependencies might be cryptography-free, but their dependencies may implement encryption you’re unaware of.
  • Version-dependent: A package version you’re using might contain weak cryptography that was fixed in later releases.
  • Undocumented: Many libraries use cryptography internally without clearly declaring which algorithms or key sizes they employ.
  • Non-quantum-safe: Most existing cryptographic implementations rely on algorithms (RSA, ECC) that will become vulnerable when quantum computers mature.
Consider this scenario: your application uses a popular HTTP library that internally depends on a cryptographic library implementing 1024-bit RSA and MD5 hashing. Neither appears in your dependency declarations, yet both create compliance violations and security vulnerabilities. The fundamental problem remains: you cannot secure what you cannot see.

Why Cryptographic Intelligence Matters Now

Multiple converging factors have made cryptographic visibility urgent:
  • Regulatory Pressure: The EU Cyber Resilience Act requires manufacturers to document cryptographic implementations. FIPS compliance demands specific algorithm certifications. Export controls restrict certain cryptographic technologies across borders.
  • Post-Quantum Threat: Quantum computers will break widely used algorithms like RSA and ECC. Organisations need to inventory their current cryptographic usage to plan migration toward quantum-resistant alternatives. Planning this transition (a prerequisite for “cryptographic agility”) requires knowing exactly where and how encryption is used.
  • Security Hygiene: Legacy algorithms (MD5, SHA-1, DES, 1024-bit RSA) remain prevalent in older dependencies, creating exploitable vulnerabilities. Identifying and remediating weak cryptography is fundamental security practice.
  • Supply Chain Transparency: Just as Software Bills of Materials (SBOMs) provide component transparency, Cryptography Bills of Materials (CBOMs) deliver encryption transparency. Customers, auditors, and regulators increasingly demand CBOMs to assess cryptographic risk.

Building a Strategy for Cryptographic Transparency

Managing cryptographic risk requires comprehensive visibility across your entire software supply chain. Modern DevSecOps teams need an intelligent cryptographic detection system capable of identifying algorithms, key sizes, protocols, and frameworks, regardless of how deeply nested they are in dependency trees. SCANOSS provides this intelligence through multiple complementary approaches:
  • Component-Level Detection: Automatically identify which open source components contain cryptographic implementations, what algorithms they use, and which versions introduced or removed specific encryption capabilities.
  • Source Code Scanning: Detect cryptographic keywords, patterns, and implementations directly in source code, including local modifications and custom implementations that wouldn’t appear in dependency manifests.
  • Protocol and Framework Recognition: Identify supporting cryptographic infrastructure, including encryption libraries (OpenSSL, BouncyCastle), SDKs, and protocol stacks that indicate cryptographic usage even when specific algorithms aren’t directly referenced.
  • Version-Specific Intelligence: Track cryptographic capabilities across version ranges to understand when algorithms were introduced, modified, or deprecated, which is critical for planning upgrades and migrations.
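As an added illustration (not SCANOSS code and not its ruleset format), the script below shows the source-code scanning approach described above on constructed sample files: keyword rules flag algorithms, a key-size check downgrades 1024-bit RSA from merely quantum-vulnerable to weak, and the findings are rolled up into a minimal CBOM-style inventory. The rule table, status labels, file contents and output layout are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample files: a transitive HTTP-client dependency that quietly uses MD5 and
# 1024-bit RSA (the scenario from the text) plus a clean application file. Not real project code.
SAMPLE_SOURCES = {
    "vendor/httpclient/auth.py": "digest = hashlib.md5(token).hexdigest()\n"
                                 "key = rsa.generate_private_key(public_exponent=65537, key_size=1024)\n",
    "vendor/httpclient/tls.py": "ctx.set_ciphers('ECDHE-ECDSA-AES256-GCM-SHA384')\n"
                                "mac = hashlib.sha256(data).digest()\n",
    "app/main.py": "print('no cryptography here')\n",
}

# Hypothetical keyword ruleset: (pattern, algorithm, primitive, baseline status). Real rulesets are richer.
RULES = [
    (re.compile(r"\bmd5\b", re.I), "MD5", "hash", "weak"),
    (re.compile(r"\bsha-?1\b", re.I), "SHA-1", "hash", "weak"),
    (re.compile(r"\bsha-?256\b", re.I), "SHA-256", "hash", "approved"),
    (re.compile(r"\b(?:3des|des)\b", re.I), "DES", "block-cipher", "weak"),
    (re.compile(r"\brsa\b", re.I), "RSA", "public-key", "quantum-vulnerable"),
    (re.compile(r"\b(?:ecdhe|ecdh|ecdsa|ecc)\b", re.I), "ECC", "public-key", "quantum-vulnerable"),
]
KEY_SIZE = re.compile(r"key_size\s*=\s*(\d+)")


def scan_sources(sources: dict) -> list:
    """One finding per (file, line, rule); RSA below 2048 bits is downgraded to 'weak'."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for pattern, name, primitive, status in RULES:
                if not pattern.search(line):
                    continue
                size = KEY_SIZE.search(line)
                bits = int(size.group(1)) if size else None
                if name == "RSA" and bits is not None and bits < 2048:
                    status = "weak"  # legacy key size, not merely quantum-vulnerable
                findings.append({"file": path, "line": lineno, "algorithm": name,
                                 "primitive": primitive, "status": status, "key_size": bits})
    return findings


def build_cbom(findings: list) -> dict:
    """Roll findings up into a minimal CBOM-style inventory (simplified; not the CycloneDX schema)."""
    assets = {}
    for f in findings:
        a = assets.setdefault(f["algorithm"], {"primitive": f["primitive"], "status": f["status"], "key_sizes": set(), "locations": []})
        if f["status"] == "weak":
            a["status"] = "weak"  # worst observed status wins per algorithm
        if f["key_size"]:
            a["key_sizes"].add(f["key_size"])
        a["locations"].append(f"{f['file']}:{f['line']}")
    return {"cryptographic_assets": assets, "summary": dict(Counter(a["status"] for a in assets.values()))}
```

Running `build_cbom(scan_sources(SAMPLE_SOURCES))` reports MD5 and 1024-bit RSA as weak, ECC as quantum-vulnerable and SHA-256 as approved, with the clean application file contributing nothing.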

SCANOSS Solutions for Cryptography Detection

SCANOSS has developed a comprehensive suite of tools and datasets specifically designed to provide cryptographic transparency:

Encryption Dataset

The SCANOSS Encryption Dataset is a specialised subset of the SCANOSS Knowledge Base offering detailed metadata and source code fingerprints for open source components that implement or reference cryptographic functionality.

SCANOSS API

SCANOSS provides dedicated APIs for querying cryptographic intelligence.

Crypto Finder

The Crypto Finder command-line tool enables local cryptographic analysis with remote rulesets. It automatically detects programming languages in your project, retrieves appropriate detection rules from SCANOSS, and generates detailed cryptographic reports.

SBOM Workbench

SBOM Workbench provides visual cryptographic analysis.

SCANOSS-PY

A command-line tool for detecting cryptographic algorithms.

The Path Forward

Cryptographic transparency is no longer a nice-to-have capability; it’s a regulatory requirement and security imperative. As quantum computing advances and regulations tighten, organisations that lack visibility into their cryptographic usage face growing risk. SCANOSS provides the intelligence, tools, and community collaboration needed to achieve and maintain cryptographic transparency. By detecting algorithms across source code and dependencies, generating standardised CBOMs, and supporting both immediate compliance needs and long-term quantum readiness, SCANOSS enables organisations to secure their software against evolving cryptographic threats. The goal is simple: help organisations see, understand, and manage their cryptographic footprint, turning opacity into transparency, risk into control, and compliance obligations into competitive advantages.
