Skip to content

Host scanner manual

The Cryptosense Host Scanner is a CLI program that scans the filesystem to find cryptographic material. The output is a trace file (.cst) that can be uploaded to the Cryptosense Analyzer Platform in order to get an analysis report.



./cs-host-scanner \
  --root /etc \
  --include-keys \
  --output trace.cst

Detect hard-coded keys and certificates in JARs

To detect hard-coded keys and certificates, the Host Scanner calls the Static Scanner to retrieve hard-coded strings in JAR files.

To run the Host Scanner with the Static Scanner:

./cs-host-scanner \
  --root "starting-point-of-scan" \
  --output "output_file.cst" \
  --module jar
  --static-scanner-path "path-to-static-scanner"

The output trace then contains keys and certificates found in JAR files in addition to those found in other types of files.

Command-line options

  • --root: The path to start searching from if the scan target is a file system. The host scanner will search everything below this point.
  • --image-name: The image name if the scan target is a container.
  • --output (required): File to write the trace to. This is a Cryptosense trace in CST format, which can be uploaded to the web application and analyzed to produce a cryptography usage report.
  • --include-keys: Include key material in trace.
  • --module (default: default): Choices are pem, der, ssh, jks, jceks, keys (which means pem, der and ssh), keystore (which means jks and jceks), jar and default (which means all modules except jar). May be present more than once to specify multiple modules to use.
  • --static-scanner-path : The path to the Static Scanner binary, which is needed to run the Host Scanner with --module jar

To get information about all the options, run:

./cs-host-scanner --help