Skip to content

Host scanner Reference Manual

The Cryptosense Host Scanner is a CLI program that scans the filesystem or a container image to find cryptographic material and logs them in a format suitable for treatment by Cryptosense Analyzer.


Before you can use the Host scanner, see installation instructions.


Scanning a Filesystem

Getting started will explain you how to use the Host scanner to scan the filesystem.

Detect cryptographic material inside a zip file

When it encounters a zip file, the Cryptosense Host Scanner scans the files inside it. It performs the same checks as it would for regular files on a filesystem, with the following limitations:

  • JAR files inside ZIP archives are not supported
  • ZIP files inside ZIP archives are not supported

It is also worth noting that the host-scanner only supports files following the original PKZIP file format specification that does not span across several files. In particular, it does not support ZIP64 archives.

Scanning a container image

To run the Host scanner on a container image, replace the --root option by the --image-name one. For example:

./cs-host-scanner \
  --image-name python:latest \
  --output scan.cst.gz

Note: This feature is not available for Windows.

Detect hard-coded keys and certificates in JARs

To detect hard-coded keys and certificates, the Host Scanner calls the Static Scanner to retrieve hard-coded strings in JAR files.

To run the Host Scanner with the Static Scanner:

./cs-host-scanner \
  --root /path/to/root/directory \
  --output "output_file.cst" \
  --module jar
  --static-scanner-path "path-to-static-scanner"

The output trace then only contains keys and certificates found in JAR files. Using --module all will make it contain both those and the ones found in other types of files.


The Host scanner is configured using command-line options. For example, to configure the directory where the Host scanner will write the resulting trace, use the --output option:

./cs-host-scanner \
  --root /path/to/root/directory \
  --output path/to/scan.cst.gz

Command-line options

Here is a list of the available options:

  • --root: The path to start searching from if the scan target is a filesystem. The host scanner will search everything below this point.
  • --image-name: The image name if the scan target is a container.
  • --output (required): File to write the trace to. This is a Cryptosense trace in CST format, which can be uploaded to the web application and analyzed to produce a cryptography usage report.
  • --max-file-size: Cutoff size for files to be scanned, in bytes. Defaults to 1000000 (1MB). If set to 0, the cutoff is disabled.
  • --module (default: default): Choices are pem, der, ssh, jks, jceks, keys (which means pem, der and ssh), keystore (which means jks and jceks), jar and default (which means all modules except jar). May be present more than once to specify multiple modules to use.
  • --static-scanner-path: The path to the Static Scanner binary, which is needed to run the Host Scanner with --module jar
  • --password: An optional password to be used to attempt decryption of encrypted data
  • --exclude: Exclude a file or directory from scan. Can be specified multiple times to exclude several files or directories. This is useful eg. for preventing network filesystem to be scanned.

You need to either use the --root option (if the target is a filesystem) or the --image-name option (if the target is a container image).

To get information about all the options, run:

./cs-host-scanner --help