From SBOM to CBOM

You can't migrate what you can't see
PQC starts with visibility
You have your software inventory sorted. Now it’s time to know your cryptographic inventory — every algorithm, protocol, certificate, and key in your codebase and supply chain.
“61% of organizations lack full visibility into their cryptographic systems — a major impediment to migration readiness.”
Gartner Cybersecurity Trend · Horvath, Hankins, Almond · January 2026
“By 2030, advances in quantum computing will make conventional asymmetric cryptography unsafe to use.”
Gartner Strategic Planning Assumption · Mark Horvath · November 2025
120+ algorithms detected
12+ languages supported
100% open source
Complete cryptographic detection end to end
Most organisations don’t know what cryptographic algorithms are running in their code. SCANOSS gives you that map — completely, openly, on the standards your team already knows.
01 – DETECT
Semantic crypto detection
Beyond keyword matching, crypto-finder uses AST-aware analysis to surface real crypto usage — not false positives from comments or variable names. Structured output with algorithm family, OID, library, and call chain.
02 – INVENTORY
Complete CBOM generation
Scan your source code, dependencies, and containers. Trace crypto through your full supply chain — including vendor BSPs, RTOS components, and third-party libraries. CycloneDX 1.6 CBOM output.
03 – ENFORCE
Policy and compliance
Structured JSON output lets you flag weak algorithms, gate CI/CD builds, and feed compliance reports for EU CRA, NIST SSDF, IEC 62443, and DO-178C. API-first — your rules, your toolchain.
04 – MIGRATE
PQC migration planning
Know your exposure before quantum breaks it. Identify every quantum-vulnerable algorithm, prioritise by risk, plan replacements. Phase 1 — inventory — is free and starts today.
We didn't just build a tool. We built the standard
2021-2022
Customer spark
Paying customers asked “what crypto is in our code?” We built detection and released the dataset under CC0. Open from day one.
2024
Community & standardisation
Collaborated with SPDX. Dataset grew from 60 to 120+ algorithms. Donated to the STF. Even competitors contributed back.
2025
SPDX Crypto Algorithm List V1.0
Our dataset became the starting point for the industry standard, with IBM and others contributing alongside us.
2026
crypto-finder launches
Beyond keywords — semantic code analysis for deeper, more accurate detection. CycloneDX CBOM output. Open source, GPL-2.0.
CBOM output feeds directly into compliance reporting for EU Cyber Resilience Act, NIST SSDF, IEC 62443, and DO-178C.
Machine-readable evidence, not manual audits.
"When we were evaluating SCANOSS at Cariad, the choice became obvious when the very first test on our software found a snippet in public software written by me, coincidentally. It was a spot-on result."
"It’s fantastic to see SCANOSS support the Telco SBOM format. When we first started this activity, having a major tool vendor support it was a very ambitious target far in the future, and now it’s a real validation of how useful the Telco SBOM is."
“FOSSLight Scanner's integration with SCANOSS for source code snippet matching is a long-awaited feature for our users. We are grateful to the SCANOSS and OSSKB teams for their openness and collaboration, which makes this integration possible. We look forward to working together on more exciting projects in the future”
“We have used SCANOSS for forensic and provenance check purposes and we have found it invaluable and reliable. It's one hitherto missing tile of the software composition analysis, very that the team has made it such a good product.”