
Discovery & Scanners

CBOM discovers cryptographic assets using specialized scanners deployed as sensors near your infrastructure. Each scanner type targets a specific source of cryptographic material.


| Scanner | Target | Discovers |
|---|---|---|
| HTTPS Endpoint | TLS endpoints | Certificates, chains, cipher suites, protocols |
| File System | Local directories | PEM/DER/CRT files, keystores |
| Java Keystore | JKS/PKCS#12 files | Certificates and keys in keystores |
| SSH Key | SSH directories | Private/public SSH keys |
| Windows CertStore | Windows cert stores | Machine and user certificates |
| Source Code | Source repositories | Crypto API calls, hardcoded keys |
| Binary | Compiled binaries | Linked crypto libs, embedded keys |
| AWS | AWS services | ACM certs, KMS keys, IAM certs |
| Active Directory | AD/LDAP | ADCS certificates, templates |

HTTPS Endpoint Scanner

Performs a TLS handshake with target endpoints and extracts the full certificate chain, negotiated cipher suite, and protocol version.

What it discovers:

  • Server certificate and full issuer chain
  • Certificate algorithm, key size, validity dates
  • Subject Alternative Names (SANs)
  • Negotiated TLS protocol version (1.2, 1.3)
  • Cipher suite (key exchange, encryption, MAC)

Configuration:

scanner: https-endpoint
apiUrl: http://localhost:9090
apiKey: your-api-key
config:
  endpoints:
    - api.example.com:443
    - internal.corp.local:8443
    - 10.0.1.50:443
  timeoutMs: 10000

Asset types produced: certificate, algorithm, protocol
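The handshake step above maps directly onto Python's standard ssl module. The following is an added example, not code from the CBOM project: it connects to an endpoint, records the negotiated protocol version and cipher suite, and decomposes the suite name into key exchange, authentication, encryption and MAC the way the scanner's output lists them. The cipher-suite splitting is a heuristic written for this example (OpenSSL-style names for TLS 1.2, "TLS_" names for TLS 1.3), and the probe only reports fields the standard library exposes; key algorithm and key size need a DER parser (e.g. the cryptography package) and are left out here. Verification is left on, so an internal CA must be loaded into the context before scanning endpoints it issued.

```python
import hashlib
import socket
import ssl

EPHEMERAL_KEX = {"ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH"}
AUTH_TOKENS = {"RSA", "ECDSA", "DSS", "PSK"}


def parse_cipher_suite(name: str) -> dict:
    """Split a cipher suite name (as returned by SSLSocket.cipher()) into components.

    TLS 1.3 suites such as "TLS_AES_256_GCM_SHA384" name only the AEAD and the hash;
    key exchange (key_share) and authentication (certificate) are negotiated separately.
    TLS 1.2 suites come back in OpenSSL's hyphenated form ("ECDHE-RSA-AES128-GCM-SHA256").
    The token rules are a heuristic for this example, not a full IANA registry."""
    if name.startswith("TLS_"):
        tokens = name.split("_")[1:]
        return {"kex": "ephemeral (TLS 1.3 key_share)", "auth": "certificate (TLS 1.3)",
                "encryption": "-".join(tokens[:-1]), "mac": "AEAD",
                "hash": tokens[-1], "aead": True}
    tokens = name.split("-")
    kex, auth = "RSA (static)", "RSA"          # no kex prefix means static RSA key transport
    if tokens[0] in EPHEMERAL_KEX:
        kex = tokens.pop(0)
        if tokens and tokens[0] in AUTH_TOKENS:
            auth = tokens.pop(0)
        elif kex in ("ADH", "AECDH"):
            auth = "none (anonymous)"
    if tokens[-1] == "POLY1305":               # the Poly1305 tag belongs to the AEAD, not a MAC
        encryption, last = "-".join(tokens), "POLY1305"
    else:
        encryption, last = "-".join(tokens[:-1]), tokens[-1]
    aead = any(t in encryption for t in ("GCM", "CCM", "POLY1305"))
    return {"kex": kex, "auth": auth, "encryption": encryption,
            "mac": "AEAD" if aead else last, "aead": aead}


def probe_endpoint(host: str, port: int = 443, timeout_ms: int = 10000) -> dict:
    """Handshake with host:port and return the facts the HTTPS scanner records."""
    ctx = ssl.create_default_context()   # system trust store; add internal CAs with load_verify_locations()
    with socket.create_connection((host, port), timeout=timeout_ms / 1000) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            cert = tls.getpeercert()                     # parsed leaf (only populated after verification)
            leaf_der = tls.getpeercert(binary_form=True)
            chain_fn = getattr(tls, "get_verified_chain", None)   # Python 3.13+ exposes the chain
            return {
                "endpoint": f"{host}:{port}",
                "protocol": tls.version(),               # e.g. "TLSv1.3"
                "cipherSuite": {"name": name, "bits": bits, **parse_cipher_suite(name)},
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                "sans": [value for _kind, value in cert.get("subjectAltName", ())],
                "notBefore": cert.get("notBefore"),
                "notAfter": cert.get("notAfter"),
                "leafSha256": hashlib.sha256(leaf_der).hexdigest(),
                "chainLength": len(chain_fn()) if chain_fn else None,
            }


if __name__ == "__main__":
    import json
    import sys
    host, _, port = (sys.argv[1] if len(sys.argv) > 1 else "example.com:443").partition(":")
    print(json.dumps(probe_endpoint(host, int(port or 443)), indent=2))
```

Run it as `python probe.py api.example.com:443`; a handshake failure (untrusted chain, hostname mismatch, closed port) raises rather than returning partial data, which is the behaviour you want from an inventory tool.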


File System Scanner

Recursively scans directories for files containing cryptographic material.

Supported formats:

| Extension | Format |
|---|---|
| .pem, .crt, .cer, .key | PEM-encoded certificates, keys, CSRs |
| .der | DER-encoded certificates |
| .p12, .pfx | PKCS#12 keystores |
| .jks, .jceks | Java keystores |
| .p7b | PKCS#7 certificate bundles |
| .csr | Certificate Signing Requests |
| .crl | Certificate Revocation Lists |

Configuration:

scanner: filesystem
apiUrl: http://localhost:9090
apiKey: your-api-key
config:
  paths:
    - /etc/ssl/certs
    - /etc/pki
    - /opt/app/keystores
  # password: changeit   # for password-protected keystores

Asset types produced: certificate, private-key, public-key


Java Keystore Scanner

Handled by the filesystem scanner when it encounters .jks, .jceks, .p12, or .pfx files. Extracts all entries (certificates and keys) and establishes keystore containment relationships.

Keystore entries become child assets with parentFingerprint pointing to the keystore asset, enabling relationship visualization.


SSH Key Scanner

Scans standard SSH key locations for private and public keys.

Configuration:

scanner: ssh-keys
apiUrl: http://localhost:9090
apiKey: your-api-key
config:
  # Defaults to ~/.ssh and /etc/ssh if paths not specified
  # paths:
  #   - /home/user/.ssh
  #   - /etc/ssh

Discovers: Key algorithm (RSA, ECDSA, Ed25519), key size, key format.

Asset types produced: private-key, public-key
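Reporting algorithm and key size for a public key means decoding the OpenSSH wire format (length-prefixed strings and mpints) rather than trusting the "ssh-rsa"/"ssh-ed25519" prefix alone. The parser below is an added example, not the CBOM project's code; the sample keys are constructed in the same wire format with placeholder values (a 2048-bit number that is not a real modulus, a 32-byte counter instead of a real Ed25519 point) so the parser can be exercised offline.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian two's complement, with a leading 0x00 if the top bit is set."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, pos: int):
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    start = pos + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:start + length], start + length


def parse_ssh_public_key(line: str) -> dict:
    """Parse one authorized_keys / id_*.pub line into algorithm, key size and format."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("not an SSH public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != key_type:         # the text prefix must match the encoded type
        raise ValueError("key type prefix does not match wire-format type")
    result = {"algorithm": key_type, "key_size": None, "format": "openssh-public"}
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)
        n_bytes, pos = _read_string(blob, pos)
        result.update(algorithm="RSA", key_size=int.from_bytes(n_bytes, "big").bit_length())
    elif key_type.startswith("ecdsa-sha2-"):
        curve, pos = _read_string(blob, pos)
        sizes = {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}
        result.update(algorithm="ECDSA", key_size=sizes.get(curve), curve=curve.decode())
    elif key_type == "ssh-ed25519":
        pk, pos = _read_string(blob, pos)
        result.update(algorithm="Ed25519", key_size=len(pk) * 8)
    return result


# --- constructed samples (placeholders, NOT real keys) -----------------------
def make_rsa_line(n: int, e: int = 65537, comment: str = "constructed@example") -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_ecdsa_line(curve: bytes, point: bytes) -> str:
    key_type = b"ecdsa-sha2-" + curve
    blob = _ssh_string(key_type) + _ssh_string(curve) + _ssh_string(point)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()}"


def make_ed25519_line(pk: bytes) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pk)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()}"


SAMPLE_RSA_2048 = make_rsa_line((1 << 2047) | 1)            # 2048-bit placeholder, not a modulus
SAMPLE_ECDSA_P256 = make_ecdsa_line(b"nistp256", b"\x04" + bytes(64))
SAMPLE_ED25519 = make_ed25519_line(bytes(range(32)))

if __name__ == "__main__":
    for sample in (SAMPLE_RSA_2048, SAMPLE_ECDSA_P256, SAMPLE_ED25519):
        print(parse_ssh_public_key(sample))
```

The prefix check matters in practice: a `.pub` file whose text label disagrees with the encoded blob is either corrupt or hand-edited, and either way should be flagged rather than silently inventoried under the wrong algorithm.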


Windows CertStore Scanner

Scans Windows certificate stores using certutil. Requires Windows OS.

Configuration:

scanner: windows-certstore
apiUrl: http://localhost:9090
apiKey: your-api-key
config:
  storeLocation: LocalMachine   # or CurrentUser
  stores:
    - My      # Personal certificates
    - Root    # Trusted Root CAs
    - CA      # Intermediate CAs
    - Trust   # Enterprise Trust

Asset types produced: certificate


Source Code Scanner

Scans source code for cryptographic API usage, hardcoded keys, and crypto library imports.

Detection capabilities:

  • Crypto API calls (e.g., Cipher.getInstance("AES/GCM/NoPadding"), MessageDigest.getInstance("SHA-256"))
  • Hardcoded keys and secrets in source
  • Crypto library import statements

Configuration:

scanner: source-code
apiUrl: http://localhost:9090
apiKey: your-api-key
config:
  paths:
    - /home/user/repo/src
  excludePaths:
    - node_modules
    - target
    - .git
    - build
    - dist
  cryptoApiCalls: true
  hardcodedKeys: true
  importStatements: true

Asset types produced: algorithm, symmetric-key, signature


Binary Scanner

Scans compiled binaries, shared libraries, and packaged artifacts for cryptographic usage.

Detection methods:

  • Linked crypto library symbols (OpenSSL, BoringSSL, etc.)
  • Function symbol analysis
  • Embedded PEM certificates/keys
  • Algorithm string references
  • Crypto constants (AES S-box, SHA round constants)

Configuration:

scanner: binary
apiUrl: http://localhost:9090
apiKey: your-api-key
config:
  paths:
    - /usr/local/bin
    - /opt/app/lib
  extensions:
    - dll
    - exe
    - so
    - jar
  maxFileSize: 50MB

Supported file types: .dll, .exe, .so, .dylib, .jar, .war, .ear, .class, .o, .a, .lib, .sys, .node

Asset types produced: algorithm, certificate (embedded), private-key (embedded)
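Of the detection methods listed, the constant search is the one that works even on stripped binaries, because the AES S-box and the SHA-256 round constants must be present for the code to run. The example below is added here and is not the CBOM project's scanner: it searches a byte buffer for those constants (in both byte orders, since a 32-bit constant appears little-endian on x86 and big-endian on big-endian targets), for a few well-known library symbol names, algorithm strings and PEM markers, and honours a maxFileSize cut-off. The sample "binary" is a constructed byte string with the signatures placed at known offsets.

```python
import os
import struct

# First 16 entries of the AES S-box and the first four SHA-256 round constants (K[0..3]).
AES_SBOX_PREFIX = bytes([0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                         0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76])
SHA256_K_PREFIX = (0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5)


def _words(values, byteorder: str) -> bytes:
    """Pack 32-bit constants as they would be laid out in memory ('<' LE, '>' BE)."""
    return b"".join(struct.pack(byteorder + "I", v) for v in values)


CONSTANT_SIGNATURES = {
    "AES S-box": [AES_SBOX_PREFIX],                       # byte table: no endianness issue
    "SHA-256 round constants": [_words(SHA256_K_PREFIX, "<"), _words(SHA256_K_PREFIX, ">")],
}
LIBRARY_SYMBOLS = [b"EVP_EncryptInit_ex", b"SSL_CTX_new", b"BCryptEncrypt", b"CryptAcquireContextW"]
ALGORITHM_STRINGS = [b"AES-256-GCM", b"AES-128-CBC", b"ChaCha20-Poly1305",
                     b"sha256WithRSAEncryption", b"RSA-PSS"]
PEM_MARKERS = [b"-----BEGIN CERTIFICATE-----", b"-----BEGIN PRIVATE KEY-----",
               b"-----BEGIN RSA PRIVATE KEY-----"]


def _find_all(data: bytes, needle: bytes) -> list:
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_bytes(data: bytes) -> dict:
    """Return {category: {signature: [offsets]}} for everything recognised in data."""
    findings = {"constants": {}, "symbols": {}, "strings": {}, "pem": {}}
    for name, signatures in CONSTANT_SIGNATURES.items():
        offsets = sorted(o for sig in signatures for o in _find_all(data, sig))
        if offsets:
            findings["constants"][name] = offsets
    for bucket, needles in (("symbols", LIBRARY_SYMBOLS),
                            ("strings", ALGORITHM_STRINGS),
                            ("pem", PEM_MARKERS)):
        for needle in needles:
            offsets = _find_all(data, needle)
            if offsets:
                findings[bucket][needle.decode()] = offsets
    return findings


def scan_file(path: str, max_file_size: int = 50 * 1024 * 1024):
    """Scan one file; returns None when it exceeds maxFileSize (the scanner's 50MB default)."""
    if os.path.getsize(path) > max_file_size:
        return None
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed sample: an ELF-looking header, then signatures at known offsets.
# The PEM fragment is a placeholder, not a real certificate.
SAMPLE_BINARY = (
    b"\x7fELF" + b"\x00" * 60              # offset 0..63
    + AES_SBOX_PREFIX                      # offset 64
    + b"\x00" * 16
    + _words(SHA256_K_PREFIX, "<")         # offset 96 (little-endian, as on x86)
    + b"EVP_EncryptInit_ex\x00"            # offset 112
    + b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n"   # offset 131
)

if __name__ == "__main__":
    import json
    print(json.dumps(scan_bytes(SAMPLE_BINARY), indent=2))
```

A hit on the S-box tells you AES code is statically present; it does not tell you whether it is ever called. Pairing constant hits with symbol hits (an `EVP_EncryptInit_ex` import points at OpenSSL doing the work rather than a hand-rolled implementation) is what lets the inventory distinguish "links a crypto library" from "embeds its own primitives".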


AWS Scanner

Scans AWS services for certificates and cryptographic keys using AWS APIs.

Services scanned:

  • ACM — AWS Certificate Manager certificates
  • KMS — Key Management Service keys (metadata only, not key material)
  • IAM — IAM server certificates

Configuration:

scanner: aws
apiUrl: http://localhost:9090
apiKey: your-api-key
config:
  region: us-east-1
  services:
    - acm
    - kms
    - iam
  # Optional: explicit credentials (uses default chain if omitted)
  accessKeyId: AKIAXXXXXXXXXXXXXXXX
  secretAccessKey: your-secret-access-key

Credential resolution: Config → Environment variables → ~/.aws/credentials → EC2 instance profile

Asset types produced: certificate, symmetric-key, public-key


Active Directory Scanner

Scans Active Directory Certificate Services (ADCS) for issued certificates, CA certificates, and certificate templates.

Configuration:

scanner: active-directory
apiUrl: http://localhost:9090
apiKey: your-api-key
config:
  scan_name: Production AD Scan
  page_size: 500
  connect_timeout_seconds: 10
  search_timeout_seconds: 30
  retry_attempts: 3
  retry_delay_seconds: 5
  forests:
    - name: corp.example.com
      auth_type: simple   # simple, ntlm, gssapi
      username: CN=svc_scanner,OU=ServiceAccounts,DC=corp,DC=example,DC=com
      password: your-password
      domain: CORP
      use_ssl: true
      verify_ssl: true
      domains:
        - server: dc01.corp.example.com
          base_dn: DC=corp,DC=example,DC=com

Authentication types:

  • simple — LDAP simple bind
  • ntlm — Windows NTLM authentication
  • gssapi — Kerberos (requires keytab or TGT)

Asset types produced: certificate


Fingerprinting and Deduplication

All scanners compute a SHA-256 fingerprint of each discovered asset's intrinsic content. When the API receives an asset with a fingerprint that already exists, it merges the new location data rather than creating a duplicate.

This means the same certificate deployed to 10 servers appears once in the inventory with 10 locations listed.
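The following added example ties the File System scanner section to the fingerprint rule just stated; it is not the CBOM project's code. It walks directories for the PEM extensions in the table, classifies each PEM block by its label (the label-to-asset-type mapping is an assumption made for this example), fingerprints the decoded DER bytes rather than the file text, so line wrapping, comments and file path do not change the hash, and then merges by fingerprint so that one certificate present in two files becomes a single inventory entry with two locations. The demo writes constructed placeholder blocks (random-looking bytes, not real certificates or keys) into a temporary directory.

```python
import base64
import hashlib
import os
import re
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PEM_EXTENSIONS = {".pem", ".crt", ".cer", ".key", ".csr", ".crl"}

# PEM label -> asset type. Assumed mapping for this example; the first three
# asset types are the ones the filesystem scanner section lists.
ASSET_TYPE_BY_LABEL = {
    "CERTIFICATE": "certificate",
    "PRIVATE KEY": "private-key",
    "RSA PRIVATE KEY": "private-key",
    "EC PRIVATE KEY": "private-key",
    "ENCRYPTED PRIVATE KEY": "private-key",
    "PUBLIC KEY": "public-key",
    "RSA PUBLIC KEY": "public-key",
    "CERTIFICATE REQUEST": "certificate-request",   # hypothetical type name
    "X509 CRL": "crl",                               # hypothetical type name
}


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes: the asset's intrinsic content, independent of where it sits."""
    return hashlib.sha256(der).hexdigest()


def extract_pem_assets(path: str) -> list:
    with open(path, "r", errors="replace") as f:
        text = f.read()
    assets = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()))     # strip the 64-column line breaks
        assets.append({"type": ASSET_TYPE_BY_LABEL.get(label, "unknown"),
                       "pemLabel": label, "fingerprint": fingerprint(der), "location": path})
    return assets


def scan_paths(paths) -> list:
    found = []
    for root_path in paths:
        for root, _dirs, files in os.walk(root_path):
            for name in files:
                if os.path.splitext(name)[1].lower() in PEM_EXTENSIONS:
                    found.extend(extract_pem_assets(os.path.join(root, name)))
    return found


def merge_by_fingerprint(assets, inventory=None) -> dict:
    """What the API does on receipt: one entry per fingerprint, locations accumulated."""
    inventory = {} if inventory is None else inventory
    for a in assets:
        entry = inventory.setdefault(a["fingerprint"],
                                     {"type": a["type"], "pemLabel": a["pemLabel"], "locations": []})
        if a["location"] not in entry["locations"]:
            entry["locations"].append(a["location"])
    return inventory


def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed DER placeholders: NOT real certificates or keys.
CERT_DER = bytes(range(0, 200))
KEY_DER = bytes(range(255, 55, -1))


def demo() -> dict:
    """Lay out the same cert on two 'servers', scan, and merge."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "server1"))
        os.makedirs(os.path.join(tmp, "server2"))
        with open(os.path.join(tmp, "server1", "tls.crt"), "w") as f:
            f.write(_pem("CERTIFICATE", CERT_DER))
        with open(os.path.join(tmp, "server2", "bundle.pem"), "w") as f:
            f.write(_pem("CERTIFICATE", CERT_DER) + _pem("RSA PRIVATE KEY", KEY_DER))
        with open(os.path.join(tmp, "server2", "notes.txt"), "w") as f:
            f.write(_pem("CERTIFICATE", CERT_DER))     # unsupported extension: skipped
        return merge_by_fingerprint(scan_paths([tmp]))


if __name__ == "__main__":
    for fp, entry in demo().items():
        print(fp[:16], entry["type"], entry["locations"])
```

Because the hash is taken over DER, the same certificate served by the HTTPS scanner (from the handshake) and found by the File System scanner (from a .crt on disk) collapses into one entry as well, which is what makes the location list a cross-scanner view rather than a per-scanner one.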