Host scanner manual
The Cryptosense Host Scanner is a CLI program that scans the filesystem to find cryptographic material. The output is a trace file (.cst) that can be uploaded to the Cryptosense Analyzer Platform in order to get an analysis report.
./cs-host-scanner \
    --root /etc \
    --include-keys \
    --output trace.cst
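With --include-keys the trace itself contains key material, so trace.cst should be readable only by its owner. The wrapper below is an added example, not Cryptosense code: the function names and the CS_HOST_SCANNER variable are assumptions, and it uses only the flags documented on this page.

```shell
#!/bin/sh
# Added example (not Cryptosense code): run the Host Scanner with
# --include-keys and keep the resulting trace private to the owner.
# Assumption: CS_HOST_SCANNER names the scanner binary; function names are hypothetical.
CS_HOST_SCANNER="${CS_HOST_SCANNER:-./cs-host-scanner}"

# file_mode FILE: print the permission string reported by ls for FILE.
file_mode() {
    ls -ld -- "$1" | cut -c1-10
}

# scan_with_keys ROOT OUTPUT
# Returns 0 on success, 2 on bad usage, 3 if OUTPUT already exists,
# 4 if the scanner fails or leaves an empty trace.
scan_with_keys() {
    [ "$#" -eq 2 ] || return 2
    root=$1
    out=$2
    [ -d "$root" ] || return 2
    # Refuse to reuse a path: an existing file or symlink keeps its old target and mode.
    if [ -e "$out" ] || [ -L "$out" ]; then
        return 3
    fi
    (
        umask 077                # files created in this subshell get mode 0600
        : > "$out" || exit 4     # pre-create so the mode is set before any key bytes land
        "$CS_HOST_SCANNER" --root "$root" --include-keys --output "$out"
    ) || { rm -f -- "$out"; return 4; }
    [ -s "$out" ] || { rm -f -- "$out"; return 4; }
    # Enforce the mode again in case the scanner replaced the file.
    chmod 600 -- "$out"
}
```

Call it as `scan_with_keys /etc trace.cst`; the same restriction should apply wherever the trace is copied before upload.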
Detect hard-coded keys and certificates in JARs
To detect hard-coded keys and certificates, the Host Scanner calls the Static Scanner to retrieve hard-coded strings in JAR files.
To run the Host Scanner with the Static Scanner:
./cs-host-scanner \
    --root "starting-point-of-scan" \
    --output "output_file.cst" \
    --module jar --static-scanner-path "path-to-static-scanner"
The output trace then contains keys and certificates found in JAR files in addition to those found in other types of files.
--root: The path to start searching from if the scan target is a file system. The Host Scanner searches everything below this point.
--image-name: The image name if the scan target is a container.
--output (required): File to write the trace to. This is a Cryptosense trace in CST format, which can be uploaded to the web application and analyzed to produce a cryptography usage report.
--include-keys: Include key material in trace.
--module (default: default): Choices are default (which means all modules except jar). This list will almost certainly change over time. May be present more than once to specify multiple modules to use.
--static-scanner-path: The path to the Static Scanner binary, which is needed to run the Host Scanner with
To get information about all the options, run: