
Host scanner Reference Manual

The Cryptosense Host Scanner is a CLI program that scans a filesystem or a container image for cryptographic material (keys, certificates, keystores) and records what it finds in a trace that Cryptosense Analyzer can process.

Installation

Before you can use the Host scanner, see the installation instructions.

Usage

Scanning a Filesystem

The Getting started guide explains how to use the Host scanner to scan a filesystem.

Scanning a container image

To run the Host scanner on a container image, replace the --root option with the --image-name option. For example:

./cs-host-scanner \
  --image-name python:latest \
  --output scan.cst.gz

Detect hard-coded keys and certificates in JARs

To detect hard-coded keys and certificates, the Host Scanner calls the Static Scanner, which extracts hard-coded strings from JAR files.

To run the Host Scanner with the Static Scanner:

./cs-host-scanner \
  --root /path/to/root/directory \
  --output "output_file.cst" \
  --module jar \
  --static-scanner-path "path-to-static-scanner"

The output trace then contains only the keys and certificates found in JAR files. Using --module all instead makes it contain both those and the ones found in the other supported file types.

Configuration

The Host scanner is configured using command-line options. For example, to choose the file to which the Host scanner writes the resulting trace, use the --output option:

./cs-host-scanner \
  --root /path/to/root/directory \
  --output path/to/scan.cst.gz

Command-line options

Here is a list of the available options:

  • --root: The path to start searching from when the scan target is a filesystem. The Host scanner searches everything below this point.
  • --image-name: The image name when the scan target is a container image.
  • --output (required): The file to write the trace to. This is a Cryptosense trace in CST format, which can be uploaded to the web application and analyzed to produce a cryptography usage report.
  • --max-file-size: Cutoff size for files to be scanned, in bytes. Defaults to 1000000 (1 MB). Files larger than this are skipped; setting it to 0 disables the cutoff.
  • --module (default: default): Choices are pem, der, ssh, jks, jceks, keys (meaning pem, der and ssh), keystore (meaning jks and jceks), jar, and default (meaning all modules except jar). May be given more than once to select several modules.
  • --static-scanner-path: The path to the Static Scanner binary, which is required to run the Host Scanner with --module jar.

You must use one of the --root option (when the target is a filesystem) or the --image-name option (when the target is a container image).
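The constraints above (one target option, a required --output, --module repeatable, and --module jar only with --static-scanner-path, as in the JAR section earlier) are easy to get wrong in a cron job or CI step, where the scanner's own error is only seen after the fact. The following POSIX shell wrapper is an added example and is not part of the Host scanner distribution: it checks those constraints first and then assembles the cs-host-scanner command line. The binary location (./cs-host-scanner unless CS_HOST_SCANNER is set), the CS_STATIC_SCANNER variable and the CS_DRY_RUN switch are names invented for this example.

```shell
#!/bin/sh
# Added example, not part of the Cryptosense Host Scanner distribution.
# Assumptions (names invented here): the scanner binary is ./cs-host-scanner
# unless CS_HOST_SCANNER is set; CS_STATIC_SCANNER holds the Static Scanner
# path; CS_DRY_RUN=1 (the default) prints the command instead of running it.

# build_scan_cmd KIND TARGET OUTPUT [MODULE...]
#   KIND is "root" (filesystem) or "image" (container image).
#   Prints the validated command line, one argument per line.
#   Returns 1 with a message on stderr when a documented constraint is broken.
build_scan_cmd() {
    local kind target output target_opt need_static m
    kind=$1; target=$2; output=$3
    shift 3

    # One target type; the option name follows from it.
    case "$kind" in
        root)  target_opt=--root ;;
        image) target_opt=--image-name ;;
        *) echo "build_scan_cmd: KIND must be root or image, got '$kind'" >&2; return 1 ;;
    esac
    [ -n "$target" ] || { echo "build_scan_cmd: target is empty" >&2; return 1; }

    # --output is required.
    [ -n "$output" ] || { echo "build_scan_cmd: --output is required" >&2; return 1; }

    # --module jar only works when the Static Scanner path is supplied.
    need_static=0
    for m in "$@"; do
        [ "$m" = jar ] && need_static=1
    done
    if [ "$need_static" -eq 1 ] && [ -z "${CS_STATIC_SCANNER:-}" ]; then
        echo "build_scan_cmd: --module jar needs CS_STATIC_SCANNER (path to the Static Scanner)" >&2
        return 1
    fi

    printf '%s\n' "${CS_HOST_SCANNER:-./cs-host-scanner}" "$target_opt" "$target" --output "$output"
    # --module may be repeated; emit one option pair per requested module.
    for m in "$@"; do
        printf '%s\n' --module "$m"
    done
    if [ "$need_static" -eq 1 ]; then
        printf '%s\n' --static-scanner-path "$CS_STATIC_SCANNER"
    fi
    return 0
}

# run_scan KIND TARGET OUTPUT [MODULE...]
#   Same arguments as build_scan_cmd. Prints the command when CS_DRY_RUN=1
#   (the default), otherwise executes it.
run_scan() {
    local args old_ifs
    args=$(build_scan_cmd "$@") || return 1
    if [ "${CS_DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$args"
        return 0
    fi
    # Rebuild argv from the one-per-line list: split on newline only, with
    # globbing off so a path containing * or ? is passed through untouched.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $args
    set +f
    IFS=$old_ifs
    "$@"
}
```

Typical use is `run_scan image python:latest scan.cst.gz` for the container example above, or `CS_STATIC_SCANNER=/path/to/static-scanner run_scan root /srv out.cst jar pem` for a filesystem scan that includes JAR inspection; set CS_DRY_RUN=0 to actually execute. Arguments are kept one per line rather than joined into a single string so that paths with spaces survive the round trip into argv.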

To get information about all the options, run:

./cs-host-scanner --help