Cryptographic Asset Scanner¶
The Cryptographic Asset Scanner extension identifies cryptographic assets within components and creates findings for non-compliant cryptographic usage against configured standards.
Configuration Example¶
crypto:
interval: 86400 # 24 hours
on_unsupported: warning
mappings:
- prefix: 'acme.org/product-a'
included_asset_types:
- algorithm
- certificate
- library
libraries:
- ref:
path: odg/crypto_defaults.yaml
standards:
- name: FIPS
version: 140-3
ref:
path: odg/crypto_defaults.yaml
aws_secret_name: aws-account-prod
- prefix: '' # catch-all
included_asset_types: null # all types
libraries:
- ref:
path: odg/crypto_defaults.yaml
standards:
- name: FIPS
version: 140-3
ref:
path: odg/crypto_defaults.yaml
Top-Level Options¶
Option |
Type |
Default |
Description |
|---|---|---|---|
|
int (seconds) |
|
Maximum time before a component is re-scanned. |
|
string |
|
Behaviour when artefact kind/type/access is unsupported. Options: |
|
list |
|
Per-prefix component mappings. See mapping fields below. |
Mapping Fields¶
Each entry in the mappings list supports the following fields:
Option |
Type |
Required |
Description |
|---|---|---|---|
|
string |
yes |
Component name prefix. Use |
|
list |
yes |
Cryptographic standards to validate against. See standard fields below. |
|
list |
yes |
References to files containing known cryptographic library names. |
|
list or null |
no |
Filter which cryptographic asset types to analyse. |
|
string |
no |
Name of the AWS secret to use for S3 artefacts. |
Standard Fields¶
Each entry in the standards list defines a cryptographic compliance standard:
Option |
Type |
Required |
Description |
|---|---|---|---|
|
string |
yes |
Standard name (e.g., |
|
string |
yes |
Standard version (e.g., |
|
string |
yes |
Relative path to file containing standard definitions. |
Library Reference Fields¶
Each entry in the libraries list can be a string (library name) or a reference object:
Option |
Type |
Required |
Description |
|---|---|---|---|
|
string |
yes |
Relative path to file in odg-core repository, external GitHub repo, or OCM resource. |
Configuration Details¶
interval¶
The maximum time (in seconds) before a component’s cryptographic assets are re-analysed. Default is 86400 seconds (24 hours).
This interval ensures:
Cryptographic compliance is regularly re-evaluated
New standards or library definitions are applied to existing components
Changes in artefacts are detected and analysed
on_unsupported¶
Defines the behaviour when an artefact kind, type, or access method is not supported:
fail: Raise an exception and stop processingignore: Silently skip the unsupported artefactwarning(default): Skip the artefact and log a warning message
mappings¶
Allows per-component-prefix configuration for cryptographic analysis. This is useful when:
Different components must comply with different standards
Some components require analysis of specific asset types only
Components are stored in different AWS S3 accounts
Prefix Matching¶
The prefix field uses simple string prefix matching:
prefix: 'acme.org'matchesacme.org/productandacme.org/another-productprefix: ''(empty string) matches all components (use as a catch-all)
Multiple mappings are evaluated in order, and the first matching prefix is used.
standards¶
Defines cryptographic compliance standards to validate against. Each standard requires:
A name and version identifier
A reference to a YAML file containing the standard’s compliance rules
The referenced file must contain a standards property with the rules for that standard.
Example standard reference:
standards:
- name: FIPS
version: 140-3
ref:
path: odg/crypto_defaults.yaml
libraries¶
Lists known cryptographic library names used for validation. Libraries can be:
Inline strings (direct library names)
References to YAML files containing a
librariesproperty
Example with reference:
libraries:
- ref:
path: odg/crypto_defaults.yaml # File in odg-core repo
Example with inline names:
libraries:
- OpenSSL
- BoringSSL
- wolfSSL
You can also reference files in external GitHub repositories or OCM resources.
included_asset_types¶
Filters which cryptographic asset types to analyse. Set to null to analyse all types,
or provide a list to restrict analysis to specific categories:
algorithm: Cryptographic algorithms (AES, RSA, SHA, etc.)certificate: X.509 certificates and certificate chainslibrary: Cryptographic libraries (OpenSSL, BoringSSL, etc.)protocol: Cryptographic protocols (TLS, SSH, etc.)related-crypto-material: Keys, seeds, nonces, and other crypto material
Examples:
# Analyse all asset types
included_asset_types: null
# Only analyse algorithms and libraries
included_asset_types:
- algorithm
- library
# Only analyse certificates
included_asset_types:
- certificate
aws_secret_name¶
When scanning artefacts stored in AWS S3, specify which AWS secret to use for authentication. This is required when multiple AWS secrets are configured in ODG.
aws_secret_name: aws-production-account