Scanners Overview

The CBOM sensor includes 9 specialized scanners, each designed to discover cryptographic assets from different sources. Scanners can be combined in a single sensor configuration to provide comprehensive visibility across your environment.

| Scanner | What It Scans | Asset Types Produced | Auth Required |
|---|---|---|---|
| HTTPS Endpoint | TLS/HTTPS endpoints | certificate, public-key, protocol | No |
| File System | Certificate and key files on disk | certificate, private-key, public-key | No (filesystem access) |
| Java Keystore | JKS and PKCS#12 keystores | certificate, private-key, public-key, symmetric-key | Keystore password |
| SSH Keys | SSH key files | private-key, public-key | No (filesystem access) |
| Windows Certificate Store | Windows CryptoAPI stores | certificate, public-key | Local admin |
| Source Code | Source code repositories | algorithm, signature | No (filesystem access) |
| Binary | Compiled binaries (DLL, EXE, SO, JAR) | algorithm, signature, certificate | No (filesystem access) |
| AWS | ACM, KMS, IAM services | certificate, symmetric-key, public-key | AWS credentials or IAM role |
| Active Directory | ADCS, LDAP certificate attributes | certificate, public-key | AD/LDAP credentials |

Each scanner follows the same lifecycle:

  1. Configuration — Define targets (endpoints, paths, credentials) in the sensor YAML config
  2. Discovery — Scanner connects to or reads from the target source
  3. Extraction — Cryptographic assets are parsed and normalized
  4. Deduplication — Assets are fingerprinted to avoid duplicates across scans
  5. Reporting — Discovered assets are sent to the CBOM platform for inventory

  • Network-facing services → HTTPS Endpoint Scanner
  • Servers and VMs → File System + Java Keystore + SSH Keys
  • Windows environments → Windows Certificate Store + File System
  • Cloud infrastructure → AWS Scanner
  • Enterprise PKI → Active Directory Scanner
  • Application security → Source Code + Binary Scanners

All scanners are configured in the sensor’s config.yml file. Multiple scanners can run in a single sensor instance:

scanners:
  https-endpoint:
    - endpoints:
        - api.example.com:443
  filesystem:
    - paths:
        - /etc/ssl/certs
  java-keystore:
    - paths:
        - /opt/app/keystore.p12
      password: changeit
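
With several scanners enabled as in the configuration above, the same certificate is often found more than once, for example served by an endpoint and stored as a PEM file on disk. The following added example (not the sensor's own code) sketches the Extraction and Deduplication steps of the lifecycle. It assumes a fingerprint of SHA-256 over the DER encoding, which this page does not specify, and the `Asset` class, function names and sample bytes are constructed for illustration.

```python
import hashlib
import ssl
from dataclasses import dataclass, field

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

@dataclass
class Asset:
    asset_type: str                      # e.g. "certificate", as in the table above
    fingerprint: str                     # assumed scheme: SHA-256 of the DER bytes
    sources: list = field(default_factory=list)

def to_der(raw: bytes) -> bytes:
    """Extraction: normalize a PEM or DER certificate to canonical DER bytes."""
    text = raw.strip()
    if text.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return raw                           # already DER (e.g. taken from a TLS handshake)

def fingerprint(raw: bytes) -> str:
    # Hash the DER form, never the file text: PEM line endings and wrapping vary.
    return hashlib.sha256(to_der(raw)).hexdigest()

def deduplicate(findings):
    """Merge (scanner, asset_type, raw_bytes) findings into one Asset per fingerprint."""
    inventory = {}
    for scanner, asset_type, raw in findings:
        fp = fingerprint(raw)
        asset = inventory.setdefault((asset_type, fp), Asset(asset_type, fp))
        if scanner not in asset.sources:
            asset.sources.append(scanner)  # keep every place the asset was seen
    return list(inventory.values())

# Constructed placeholder bytes standing in for two DER certificates (not real certs).
CERT_A = bytes.fromhex("308201") + bytes(range(80))
CERT_B = bytes.fromhex("308201") + bytes(range(80, 160))
PEM_A = ssl.DER_cert_to_PEM_cert(CERT_A).encode("ascii")

FINDINGS = [
    ("https-endpoint", "certificate", CERT_A),                     # DER from the wire
    ("filesystem", "certificate", PEM_A),                          # PEM file on disk
    ("filesystem", "certificate", PEM_A.replace(b"\n", b"\r\n")),  # same file, CRLF copy
    ("java-keystore", "certificate", CERT_B),
]

if __name__ == "__main__":
    for asset in deduplicate(FINDINGS):
        print(asset.asset_type, asset.fingerprint[:16], asset.sources)
```

Keeping the list of sources on each deduplicated asset preserves where a certificate is deployed, which matters when it has to be rotated or revoked.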


For sensor installation and setup, see the Sensor Setup Guide.