Host scanner Reference Manual
The Cryptosense Host Scanner is a CLI program that scans a filesystem or a container image to find cryptographic material and logs it in a format that Cryptosense Analyzer can process.
Installation
Before using the Host scanner, see the installation instructions.
Usage
Scanning a Filesystem
The Getting started guide explains how to use the Host scanner to scan a filesystem.
Detect cryptographic material inside a zip file
When it encounters a zip file, the Cryptosense Host Scanner scans the files inside it. It performs the same checks as it would for regular files on a filesystem, with the following limitations:
- JAR files inside ZIP archives are not supported
- ZIP files inside ZIP archives are not supported
Note also that the Host scanner only supports archives that follow the original PKZIP file format specification and do not span several files. In particular, it does not support ZIP64 archives.
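To know in advance which archives the Host scanner will look inside, the following Python script classifies a ZIP file's bytes against the limitations above. It is an added example, not part of the Cryptosense documentation or tooling: it reads the end-of-central-directory record (field layout from the PKZIP APPNOTE) to detect ZIP64 archives and archives that span several disks, and lists the nested .zip/.jar entries that the scanner will not descend into. The sample archives are constructed inline so the script runs offline.

```python
import io
import struct
import zipfile
from typing import Dict, List

# Record signatures from the PKZIP APPNOTE (little-endian "PK" records).
EOCD_SIG = b"PK\x05\x06"           # end of central directory record (22 bytes + comment)
ZIP64_LOCATOR_SIG = b"PK\x06\x07"  # ZIP64 end of central directory locator (20 bytes)
NESTED_SUFFIXES = (".zip", ".jar")  # entry types the Host scanner does not open inside a ZIP


def classify_zip(data: bytes) -> Dict[str, object]:
    """Report which Host scanner limitations apply to the archive in `data`.

    Returns {"zip64": bool, "multi_disk": bool, "nested": [entry names]}.
    `nested` is only populated for archives that are neither ZIP64 nor spanned,
    since those are the only ones the scanner would open at all.
    """
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0 or len(data) - eocd_pos < 22:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")

    # EOCD fields after the signature: this disk, disk holding the central
    # directory, entries on this disk, total entries, CD size, CD offset.
    this_disk, cd_disk, n_this, n_total, cd_size, cd_offset = struct.unpack_from(
        "<HHHHII", data, eocd_pos + 4
    )

    # ZIP64 archives place a locator right before the EOCD and/or saturate the
    # 16-bit and 32-bit EOCD fields with 0xFFFF / 0xFFFFFFFF.
    locator_pos = eocd_pos - 20
    has_locator = locator_pos >= 0 and data[locator_pos:locator_pos + 4] == ZIP64_LOCATOR_SIG
    saturated = 0xFFFF in (this_disk, cd_disk, n_this, n_total) or 0xFFFFFFFF in (cd_size, cd_offset)
    zip64 = has_locator or saturated

    # A spanned (multi-disk) archive has non-zero disk numbers.
    multi_disk = not zip64 and (this_disk != 0 or cd_disk != 0)

    nested: List[str] = []
    if not zip64 and not multi_disk:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            nested = [name for name in zf.namelist() if name.lower().endswith(NESTED_SUFFIXES)]
    return {"zip64": zip64, "multi_disk": multi_disk, "nested": nested}


def build_sample_zip() -> bytes:
    """Constructed sample: a plain ZIP holding a PEM-like file and a nested JAR."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("keys/server.pem",
                    "-----BEGIN CERTIFICATE-----\nNOT-A-REAL-CERTIFICATE\n-----END CERTIFICATE-----\n")
        zf.writestr("lib/app.jar", jar_buf.getvalue())
    return zip_buf.getvalue()


def build_zip64_tail() -> bytes:
    """Constructed sample: only the trailing records of a ZIP64 archive."""
    # Locator: disk holding the ZIP64 EOCD, its offset, total number of disks.
    locator = ZIP64_LOCATOR_SIG + struct.pack("<IQI", 0, 0, 1)
    # EOCD with saturated counts and sizes, pointing readers at the ZIP64 records.
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0xFFFF, 0xFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0)
    return locator + eocd


def build_spanned_tail() -> bytes:
    """Constructed sample: EOCD of an archive whose central directory sits on disk 1."""
    return EOCD_SIG + struct.pack("<HHHHIIH", 1, 1, 0, 1, 0, 0, 0)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_zip(fh.read()))
```

Run it with one or more archive paths to see, per file, whether the scanner would skip it (ZIP64 or spanned) and which nested archives it would leave unscanned; those nested JARs can then be extracted and scanned separately, or through the Static Scanner with --module jar.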
Scanning a container image
To run the Host scanner on a container image, replace the --root option with the --image-name option. For example:
./cs-host-scanner \
--image-name python:latest \
--output scan.cst.gz
Note: This feature is not available for Windows.
Detect hard-coded keys and certificates in JARs
To detect hard-coded keys and certificates, the Host Scanner calls the Static Scanner to retrieve hard-coded strings in JAR files.
To run the Host Scanner with the Static Scanner:
./cs-host-scanner \
--root /path/to/root/directory \
--output "output_file.cst" \
--module jar \
--static-scanner-path "path-to-static-scanner"
The output trace then contains only keys and certificates found in JAR files. Using --module all makes it contain both those and the ones found in other types of files.
Configuration
The Host scanner is configured using command-line options. For example, to set the path where the Host scanner writes the resulting trace, use the --output option:
./cs-host-scanner \
--root /path/to/root/directory \
--output path/to/scan.cst.gz
Command-line options
Here is a list of the available options:
--root
: The path to start searching from if the scan target is a filesystem. The host scanner will search everything below this point.
--image-name
: The image name if the scan target is a container.
--output
(required): File to write the trace to. This is a Cryptosense trace in CST format, which can be uploaded to the web application and analyzed to produce a cryptography usage report.
--max-file-size
: Cutoff size for files to be scanned, in bytes. Defaults to 1000000 (1MB). If set to 0, the cutoff is disabled.
--module
(default: default): Choices are pem, der, ssh, jks, jceks, keys (which means pem, der and ssh), keystore (which means jks and jceks), jar and default (which means all modules except jar). May be present more than once to specify multiple modules to use.
--static-scanner-path
: The path to the Static Scanner binary, which is needed to run the Host Scanner with --module jar.
--password
: An optional password used to attempt decryption of encrypted data.
--exclude
: Exclude a file or directory from the scan. Can be specified multiple times to exclude several files or directories. This is useful, for example, to prevent a network filesystem from being scanned.
You need to use either the --root option (if the target is a filesystem) or the --image-name option (if the target is a container image).
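Because --exclude and --module are repeated once per value, assembling a scan command by hand gets error-prone on hosts with several remote shares. The following Python wrapper is an added example, not part of the Cryptosense tooling: it parses mount-table text in /proc/mounts layout, picks the mount points whose filesystem type is a network type (the NETWORK_FS_TYPES set is an assumption to adapt to your environment), keeps only those under the chosen --root, and builds the cs-host-scanner argument list with one --exclude per share. The mount table, the share names and the nas.example.test host are constructed sample data.

```python
import shlex
import subprocess
import sys
from typing import Iterable, List

# Assumption: filesystem types that normally mean a remote share. Extend as needed.
NETWORK_FS_TYPES = {"nfs", "nfs4", "cifs", "smb3", "afs", "ceph", "glusterfs", "fuse.sshfs", "9p"}

# Constructed sample in /proc/mounts layout: device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
fileserver:/export/home /home/shared nfs4 rw,relatime,vers=4.2 0 0
//nas.example.test/backup /mnt/backup cifs rw,relatime,vers=3.0 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
"""


def network_mounts(mounts_text: str, root: str = "/") -> List[str]:
    """Return the mount points of network filesystems located under `root`."""
    root = root.rstrip("/") or "/"
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # /proc/mounts escapes spaces in paths as \040; undo that before use.
        mount_point = fields[1].replace("\\040", " ")
        fs_type = fields[2]
        if fs_type not in NETWORK_FS_TYPES:
            continue
        # Only shares inside the scan root matter; anything else is never visited.
        if root == "/" or mount_point == root or mount_point.startswith(root + "/"):
            found.append(mount_point)
    return found


def build_command(root: str, output: str, mounts_text: str,
                  scanner: str = "./cs-host-scanner",
                  modules: Iterable[str] = ("default",),
                  extra_excludes: Iterable[str] = ()) -> List[str]:
    """Assemble the cs-host-scanner argv; --module and --exclude repeat per value."""
    argv = [scanner, "--root", root, "--output", output]
    for module in modules:
        argv += ["--module", module]
    for path in list(extra_excludes) + network_mounts(mounts_text, root):
        argv += ["--exclude", path]
    return argv


if __name__ == "__main__":
    # Usage: python scan_wrapper.py /path/to/root scan.cst.gz [--run]
    # Without --run the command is only printed, so it can be reviewed first.
    root, output = sys.argv[1], sys.argv[2]
    with open("/proc/mounts") as fh:
        argv = build_command(root, output, fh.read())
    print(shlex.join(argv))
    if "--run" in sys.argv[3:]:
        sys.exit(subprocess.run(argv).returncode)
```

Printing the command before executing it lets you confirm that every remote share under the root is excluded and that the trace path is the one you intend; pass extra_excludes for paths such as package caches that you do not want in the report.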
To get information about all the options, run:
./cs-host-scanner --help