Host scanner Reference Manual
The Cryptosense Host Scanner is a CLI program that scans a filesystem or a container image for cryptographic material and logs it in a format suitable for analysis by Cryptosense Analyzer.
Before you can use the Host Scanner, see the installation instructions.
Scanning a Filesystem
The Getting started guide explains how to use the Host Scanner to scan a filesystem.
Scanning a container image
To run the Host Scanner on a container image, replace the --root option with the --image-name option. For example:
./cs-host-scanner \
  --image-name python:latest \
  --output scan.cst.gz
Note: This feature is not available for Windows.
Detect hard-coded keys and certificates in JARs
To detect hard-coded keys and certificates, the Host Scanner calls the Static Scanner to retrieve hard-coded strings in JAR files.
To run the Host Scanner with the Static Scanner:
./cs-host-scanner \
  --root /path/to/root/directory \
  --output "output_file.cst" \
  --module jar \
  --static-scanner-path "path-to-static-scanner"
The output trace then only contains keys and certificates found in JAR files. Using --module all makes it contain both those and the ones found in other types of files.
The Host Scanner is configured using command-line options. For example, to configure where the Host Scanner writes the resulting trace, use the --output option:
./cs-host-scanner \
  --root /path/to/root/directory \
  --output path/to/scan.cst.gz
Here is a list of the available options:
--root: The path to start searching from if the scan target is a filesystem. The Host Scanner will search everything below this point.
--image-name: The image name if the scan target is a container.
--output (required): File to write the trace to. This is a Cryptosense trace in CST format, which can be uploaded to the web application and analyzed to produce a cryptography usage report.
--max-file-size: Cutoff size for files to be scanned, in bytes. Defaults to 1000000 (1MB). If set to 0, the cutoff is disabled.
--module (default: default): Choices include jar, all and default (which means all modules except jar). May be present more than once to specify multiple modules to use.
--static-scanner-path: The path to the Static Scanner binary, which is needed to run the Host Scanner when the jar module is enabled.
--password: An optional password to be used to attempt decryption of encrypted data.
You need to use either the --root option (if the target is a filesystem) or the --image-name option (if the target is a container image).
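As an added example (not part of the Cryptosense manual or its tooling), the following POSIX shell function assembles a Host Scanner command line and rejects the combinations the manual rules out: a target that is neither a filesystem root nor an image name, a missing --output, and the jar module without a Static Scanner path. It assumes the binary is invoked as ./cs-host-scanner from the current directory and, so that it can be checked without the binary installed, only prints the command rather than executing it.

```shell
#!/bin/sh
# Added example, not the manual's own code. Builds a cs-host-scanner command
# and validates the option rules documented above. Assumes the binary is
# ./cs-host-scanner in the current directory; the command is printed, not run.

# build_scan_cmd TARGET_KIND TARGET OUTPUT [MODULE] [STATIC_SCANNER_PATH]
#   TARGET_KIND is "root" (scan a filesystem) or "image" (scan a container image).
#   MODULE defaults to "default" (all modules except jar).
# Prints the assembled command on success; returns 1 with a message on stderr otherwise.
build_scan_cmd() {
    kind=$1; target=$2; output=$3; module=${4:-default}; static_scanner=$5

    # Exactly one of --root / --image-name is selected by the target kind.
    case "$kind" in
        root)  target_opt="--root" ;;
        image) target_opt="--image-name" ;;
        *)
            echo "error: target kind must be 'root' (filesystem) or 'image' (container image)" >&2
            return 1 ;;
    esac

    # --output is required, and the target value must not be empty.
    if [ -z "$target" ] || [ -z "$output" ]; then
        echo "error: a scan target and --output are required" >&2
        return 1
    fi

    # The jar module calls the Static Scanner, so its path must be supplied.
    if [ "$module" = jar ] && [ -z "$static_scanner" ]; then
        echo "error: --module jar requires --static-scanner-path" >&2
        return 1
    fi

    cmd="./cs-host-scanner $target_opt $target --output $output --module $module"
    if [ -n "$static_scanner" ]; then
        cmd="$cmd --static-scanner-path $static_scanner"
    fi
    printf '%s\n' "$cmd"
}

# Usage: print the command for a container image scan with the default modules.
build_scan_cmd image python:latest scan.cst.gz
```

To actually run the scan, pipe the printed line to sh or replace printf with exec; keeping the dry run separate makes it easy to review the exact arguments (target, output path, modules) before a scan is started in a pipeline.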
To get information about all the options, run: