
Crypto Finder: Source-Level Cryptography Visibility

  • Writer: Frankie
  • 7 hours ago
  • 3 min read

Detect cryptographic algorithms, protocols, certificates, and key generation directly in your codebase


New product release: Crypto Finder

Cryptography has always been part of modern software. Sometimes it arrives through open source dependencies, sometimes it is implemented directly in application code, utilities, or internal libraries. SCANOSS has long helped teams identify cryptography risks at the open source component level through its encryption dataset, making inherited cryptographic usage visible across dependencies.


As regulatory pressure increases and post-quantum timelines become more concrete, knowing exactly where and how cryptography appears in source code is becoming a practical requirement.


What has remained harder for developers is understanding what cryptography is actually implemented in their own source code. Crypto Finder is designed to address that gap by bringing cryptographic detection directly into the developer workflow.


Increasingly, this level of visibility is required not only for security, but also to support trade compliance obligations and to assess future quantum-safe migration work.


What’s new


Crypto Finder is a new, open source CLI that scans source code repositories to detect cryptographic usage at code level. Instead of relying only on dependency analysis, it identifies concrete implementations such as algorithms, certificates, protocols, and key generation primitives directly in source files.


This approach complements the existing encryption risk dataset. Together, they provide two necessary perspectives: cryptography inherited from third-party software, and cryptography explicitly implemented by developers. Crypto Finder strengthens cryptographic visibility by making the latter explicit, inspectable, and automatable.


How it works


Crypto Finder is designed to fit naturally into a developer’s workflow. You point it at a repository, it detects cryptographic usage in source code, and it produces a CBOM that can be reviewed locally or passed downstream into CI and governance tooling.


[Figure: Crypto Finder at a glance. Flowchart of four steps connected by arrows: 1 Scan, 2 Detect, 3 Analyse, 4 Report.]
  1. Run Crypto Finder directly against a source directory, locally or inside a container.

crypto-finder scan <my-project>

This single command initiates the full detection process. There is no project configuration required to get started, which makes it easy to experiment locally before wiring it into CI/CD pipelines or automated policy workflows.


  2. When a scan starts, Crypto Finder automatically detects the programming languages present in the repository and loads only the relevant detection rules. This selective loading is a deliberate performance optimisation, particularly important for large or polyglot codebases. The current release supports Java, Python, Go, and C.


  3. With languages identified, Crypto Finder performs rule-based analysis using open scanning engines. OpenGrep is used by default, providing consistent behaviour across languages and rule sets.



    Semgrep is also supported and can be configured explicitly if required. The choice of scanner does not change the structure of the results.


    During a scan, the tool fetches the relevant cryptographic rules from SCANOSS.


    Cached rules can be reused without network access, and the tool can be configured to rely entirely on local rule directories. This allows Crypto Finder to run in restricted or air-gapped environments without changing how scans are executed.


  4. Crypto Finder produces structured findings rather than human-oriented reports. Each match includes file location, line range, the matched cryptographic construct, and associated metadata.



    By default, results are produced in a structured JSON format. Crypto Finder can also generate a CycloneDX Cryptography Bill of Materials (CBOM), making cryptographic usage consumable by CI systems and supply chain tooling.


crypto-finder scan --format cyclonedx --output cbom.json <my-project>

Why it matters


For developers, cryptography often lives in code paths that are rarely revisited once they work. Over time, algorithms age, standards evolve, and regulatory expectations change. Without source-level visibility, teams are left guessing where cryptography is implemented and how difficult it will be to change.


Crypto Finder produces structured, machine- and human-readable output for each finding, including file location, line range, matched construct, and rule metadata. Where available, metadata already includes attributes such as algorithm name, mode, padding, key size, and cryptographic primitive. Results can be emitted in an internal SCANOSS format or exported as CycloneDX, enabling the generation of a Cryptography Bill of Materials.


By treating CBOM generation as a first-class outcome, Crypto Finder makes cryptographic inventorying compatible with modern supply chain tooling and CI/CD workflows. Output is generated in an open standard format, CycloneDX, making it well suited for applying policy as part of existing CI/CD, governance, and risk management systems.
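As an added example (not Crypto Finder's or SCANOSS's own code), here is the kind of policy gate a CI job could run over the CBOM produced by the scan and export steps above (crypto-finder scan --format cyclonedx --output cbom.json). It assumes the CycloneDX 1.6 layout for cryptographic-asset components (cryptoProperties, algorithmProperties, protocolProperties, and evidence.occurrences for file and line); the embedded sample CBOM, its file paths, and the policy thresholds are constructed for illustration and are not real scan results or SCANOSS defaults.

```python
"""Policy gate over a CycloneDX CBOM: flag cryptographic assets that break a deny-list.

Assumptions (example code, not Crypto Finder's own): the input follows the
CycloneDX 1.6 cryptographic-asset component layout, and the thresholds below
are illustrative choices rather than SCANOSS policy.
"""
import json
import sys

# Illustrative policy (assumed thresholds for this example).
DENIED_ALGORITHMS = {"md5", "sha1", "des", "3des", "rc4"}  # normalised names
DENIED_MODES = {"ecb"}
MIN_PKE_BITS = 2048          # public-key parameter sets below this are flagged
MIN_TLS_VERSION = (1, 2)

# Constructed sample CBOM shaped like CycloneDX 1.6 output; paths and findings are made up.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "cryptographic-asset", "name": "AES-128-ECB",
         "evidence": {"occurrences": [{"location": "src/crypto/cipher.py", "line": 42}]},
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "block-cipher", "mode": "ecb",
                                                      "parameterSetIdentifier": "128"}}},
        {"type": "cryptographic-asset", "name": "SHA-256",
         "evidence": {"occurrences": [{"location": "src/util/digest.py", "line": 7}]},
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash"}}},
        {"type": "cryptographic-asset", "name": "RSA-1024",
         "evidence": {"occurrences": [{"location": "src/auth/keys.go", "line": 88}]},
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "pke",
                                                      "parameterSetIdentifier": "1024"}}},
        {"type": "cryptographic-asset", "name": "TLS",
         "evidence": {"occurrences": [{"location": "src/net/client.c", "line": 120}]},
         "cryptoProperties": {"assetType": "protocol",
                              "protocolProperties": {"type": "tls", "version": "1.0"}}},
        {"type": "cryptographic-asset", "name": "MD5",   # no evidence block on purpose
         "cryptoProperties": {"assetType": "algorithm",
                              "algorithmProperties": {"primitive": "hash"}}},
    ],
})


def _normalise(name):
    """Lower-case and strip punctuation so 'SHA-1' and 'sha1' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def _parse_version(text):
    """'1.2' -> (1, 2); anything unparseable sorts as (0,) so it is flagged."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return (0,)


def _occurrences(component):
    """Return 'file:line' strings from evidence.occurrences, or a placeholder."""
    locations = []
    for occ in component.get("evidence", {}).get("occurrences", []):
        loc = occ.get("location", "?")
        line = occ.get("line")
        locations.append(f"{loc}:{line}" if line is not None else loc)
    return locations or ["(no location)"]


def check_component(component):
    """Return the policy violations (strings) for one cryptographic-asset component."""
    if component.get("type") != "cryptographic-asset":
        return []
    name = component.get("name", "")
    props = component.get("cryptoProperties", {})
    violations = []
    if props.get("assetType") == "algorithm":
        algo = props.get("algorithmProperties", {})
        if _normalise(name) in DENIED_ALGORITHMS:
            violations.append(f"denied algorithm {name}")
        if algo.get("mode", "").lower() in DENIED_MODES:
            violations.append(f"{name} uses mode {algo['mode']}")
        bits = algo.get("parameterSetIdentifier", "")
        if algo.get("primitive") == "pke" and bits.isdigit() and int(bits) < MIN_PKE_BITS:
            violations.append(f"{name} key size {bits} bits < {MIN_PKE_BITS}")
    elif props.get("assetType") == "protocol":
        proto = props.get("protocolProperties", {})
        if proto.get("type") == "tls" and _parse_version(proto.get("version", "")) < MIN_TLS_VERSION:
            wanted = ".".join(str(p) for p in MIN_TLS_VERSION)
            violations.append(f"{name} version {proto.get('version', '?')} < {wanted}")
    return violations


def evaluate_cbom(cbom_json):
    """Parse a CBOM document and return one record per component with violations."""
    bom = json.loads(cbom_json)
    report = []
    for component in bom.get("components", []):
        violations = check_component(component)
        if violations:
            report.append({"component": component.get("name", ""),
                           "locations": _occurrences(component),
                           "violations": violations})
    return report


def main(argv):
    """Usage: policy_gate.py cbom.json  (exit 1 if any violation is found)."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CBOM
    report = evaluate_cbom(text)
    for entry in report:
        for violation in entry["violations"]:
            print(f"{', '.join(entry['locations'])}: {violation}")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python policy_gate.py cbom.json` after the export command; with no argument it evaluates the embedded sample. The gate reads only the standard CycloneDX cryptographic-asset fields, so the same check works regardless of which scanning engine (OpenGrep or Semgrep) produced the findings, which is the property the article relies on when it says the choice of scanner does not change the structure of the results.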


This integration-first approach allows teams to evaluate cryptographic usage where policy decisions already take place, rather than enforcing them in isolation. In parallel, SCANOSS is working on the Crypto Insight Framework (CIF), an ongoing effort to move beyond visibility and detection towards richer cryptographic insight and decision support, informed by collaboration with IBM.


Early benchmarks show that this approach scales to real-world repositories, from small projects that complete in seconds to large codebases with tens of thousands of files that complete in minutes. This makes continuous cryptographic visibility feasible as part of normal development cycles.


Where to find it


Crypto Finder is open source and available today.


Documentation, usage examples, and configuration options are available here:


