Source Code Scanner
The Source Code Scanner analyzes source code repositories to find cryptographic API calls, algorithm constants, key size parameters, and hardcoded secrets.
What It Scans
Source code files across multiple languages, looking for patterns that indicate cryptographic usage — cipher instantiation, hash algorithm selection, key generation, and hardcoded key material.
Supported languages:
- Java
- Python
- Go
- C/C++
- C#
- JavaScript/TypeScript
How It Works
- Walks the configured source directories (respecting exclude paths)
- Identifies source files by extension
- Applies language-specific pattern matching for crypto API calls
- Detects algorithm constants (e.g., “AES”, “SHA-256”, “RSA”)
- Identifies key size parameters and hardcoded key bytes
- Reports the file, line number, and matched pattern for each finding
Configuration
```yaml
scanners:
  source-code:
    - paths:
        - /opt/app/src
        - /home/dev/projects/api
      excludePaths:
        - node_modules
        - target
        - .git
        - vendor
      cryptoApiCalls: true
```

| Parameter | Required | Default | Description |
|---|---|---|---|
| paths | Yes | — | List of source directories to scan |
| excludePaths | No | [] | Directories to skip |
| cryptoApiCalls | No | true | Whether to detect crypto API call patterns |
Assets Produced
| Asset Type | What’s Captured |
|---|---|
| algorithm | Algorithm name, usage context (encryption/hashing/signing), key size, file path, line number |
| signature | Signature algorithm, usage context, file path, line number |
What Gets Detected
| Language | Example Patterns |
|---|---|
| Java | Cipher.getInstance("AES/CBC/PKCS5Padding"), MessageDigest.getInstance("SHA-1"), KeyPairGenerator.getInstance("RSA") |
| Python | hashlib.md5(), Crypto.Cipher.AES.new(), cryptography.hazmat usage |
| Go | crypto/aes, crypto/sha256, tls.Config cipher suites |
| C/C++ | EVP_aes_256_cbc(), SHA1(), OpenSSL function calls |
| C# | Aes.Create(), SHA256.Create(), RSACryptoServiceProvider |
| JS/TS | crypto.createCipher(), crypto.createHash('md5') |
Deduplication
Findings are deduplicated by algorithm + usage context + file path. The same algorithm used in different files produces separate entries. The same algorithm on multiple lines in the same file is consolidated.
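The matching and deduplication steps described under "How It Works" and "Deduplication", as an added illustration rather than the scanner's own code: a minimal Python version that applies a few of the Java and Python patterns from the table above to constructed sample files (the paths and source lines are made up for this example), then deduplicates by algorithm + usage context + file path and emits findings in the same shape as the example output. Key-size extraction and the other languages are left out.

```python
import os
import re
# Constructed sample input for this example: {file path: source text}; not from a real project.
SAMPLE_FILES = {
    "/opt/app/src/com/example/CryptoService.java":
        'Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");\n',
    "/opt/app/src/com/example/HashUtil.java":
        'MessageDigest md = MessageDigest.getInstance("SHA-1");\n'
        'MessageDigest md2 = MessageDigest.getInstance("SHA-1");\n',
    "/opt/app/src/util/legacy.py":
        "digest = hashlib.md5(data).hexdigest()\n"
        "check = hashlib.sha1(data).hexdigest()\n",
}
# Language-specific patterns keyed by extension: (regex, usage context);
# the named group `alg` captures the algorithm string as written in the code.
PATTERNS = {
    ".java": [
        (re.compile(r'Cipher\.getInstance\("(?P<alg>[^"]+)"\)'), "encryption"),
        (re.compile(r'MessageDigest\.getInstance\("(?P<alg>[^"]+)"\)'), "hashing"),
    ],
    ".py": [(re.compile(r"hashlib\.(?P<alg>md5|sha1|sha256)\("), "hashing")],
}
DEPRECATED = {"MD5", "SHA-1", "DES", "3DES", "RC4"}

def normalize(name):
    # hashlib names are lowercase ('sha1', 'md5'); Java strings are kept as written
    aliases = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256"}
    return aliases.get(name, name)

def scan(files):
    """Apply each language's patterns line by line; dedup by (algorithm, context,
    file path) so the first match in a file is kept and later ones consolidated."""
    findings = {}
    for path, text in files.items():
        ext = os.path.splitext(path)[1]
        for lineno, line in enumerate(text.splitlines(), start=1):
            for regex, context in PATTERNS.get(ext, []):
                match = regex.search(line)
                if match is None:
                    continue
                name = normalize(match.group("alg"))
                key = (name, context, path)
                if key in findings:  # same algorithm + context + file: consolidate
                    continue
                findings[key] = {
                    "type": "algorithm", "name": name, "category": context,
                    "deprecated": name.split("/")[0] in DEPRECATED,  # judge a transformation by its cipher
                    "source": {"scanner": "source-code", "filePath": path,
                               "lineNumber": lineno, "snippet": line.strip()},
                }
    return list(findings.values())
```

Running `scan(SAMPLE_FILES)` yields four findings: the second SHA-1 line in HashUtil.java is consolidated into the first, while the SHA-1 in legacy.py is a separate entry because it sits in a different file.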
Use Cases
- Find hardcoded crypto in source code before it reaches production
- Identify deprecated algorithm usage — MD5, SHA-1, DES, 3DES, RC4
- Audit key sizes — find RSA-1024 or AES-128 where stronger options are required
- Prepare for post-quantum migration — identify all RSA and ECC usage that will need replacement
Example Output
```json
{
  "type": "algorithm",
  "name": "AES/CBC/PKCS5Padding",
  "category": "encryption",
  "keySize": 128,
  "deprecated": false,
  "quantumVulnerable": false,
  "source": {
    "scanner": "source-code",
    "filePath": "/opt/app/src/com/example/CryptoService.java",
    "lineNumber": 42,
    "snippet": "Cipher cipher = Cipher.getInstance(\"AES/CBC/PKCS5Padding\");"
  }
}
{
  "type": "algorithm",
  "name": "SHA-1",
  "category": "hashing",
  "deprecated": true,
  "quantumVulnerable": false,
  "source": {
    "scanner": "source-code",
    "filePath": "/opt/app/src/com/example/HashUtil.java",
    "lineNumber": 15,
    "snippet": "MessageDigest md = MessageDigest.getInstance(\"SHA-1\");"
  }
}
```