{"id":34139925,"url":"https://github.com/cbomkit/cbomkit-theia","last_synced_at":"2026-05-13T13:01:10.230Z","repository":{"id":257424537,"uuid":"858198155","full_name":"cbomkit/cbomkit-theia","owner":"cbomkit","description":"A tool for detecting cryptographic assets in container images and directories, and generating CBOMs.","archived":false,"fork":false,"pushed_at":"2026-04-08T09:44:56.000Z","size":1797,"stargazers_count":34,"open_issues_count":8,"forks_count":12,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-04-08T10:20:03.042Z","etag":null,"topics":["cbom","cbom-tool","cbomkit","cryptography","cryptography-bom","docker","filesystem","go","golang","post-quantum-cryptography","quantum-safe","sbom"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cbomkit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-09-16T13:36:10.000Z","updated_at":"2026-04-08T09:43:36.000Z","dependencies_parsed_at":"2024-09-16T17:18:54.259Z","dependency_job_id":"d700f7c5-af2b-48bd-859c-7b8553ee4c59","html_url":"https://github.com/cbomkit/cbomkit-theia","commit_stats":null,"previous_names":["ibm/cbomkit-theia","pqca/cbomkit-theia","cbomkit/cbomkit-theia"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/cbomkit/cbomkit-theia","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cb
omkit%2Fcbomkit-theia","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbomkit%2Fcbomkit-theia/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbomkit%2Fcbomkit-theia/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbomkit%2Fcbomkit-theia/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cbomkit","download_url":"https://codeload.github.com/cbomkit/cbomkit-theia/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cbomkit%2Fcbomkit-theia/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32297913,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T09:34:17.070Z","status":"ssl_error","status_checked_at":"2026-04-26T09:34:00.993Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cbom","cbom-tool","cbomkit","cryptography","cryptography-bom","docker","filesystem","go","golang","post-quantum-cryptography","quantum-safe","sbom"],"created_at":"2025-12-15T02:33:10.835Z","updated_at":"2026-05-13T13:01:10.212Z","avatar_url":"https://github.com/cbomkit.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CBOMkit-theia\n\n[![GitHub 
License](https://img.shields.io/github/license/cbomkit/cbomkit-theia)](https://opensource.org/licenses/Apache-2.0)\n\nThis repository contains CBOMkit-theia: a tool that detects cryptographic assets in container images as well as directories and generates [CBOM](https://cyclonedx.org/capabilities/cbom/).\n\n\u003e [!NOTE] \n\u003e CBOMkit-theia is part of [CBOMkit](https://github.com/cbomkit) and meant to run in conjunction with the [Sonar Cryptography Plugin](https://github.com/cbomkit/sonar-cryptography).\n\n```\n ██████╗██████╗  ██████╗ ███╗   ███╗██╗  ██╗██╗████████╗████████╗██╗  ██╗███████╗██╗ █████╗ \n██╔════╝██╔══██╗██╔═══██╗████╗ ████║██║ ██╔╝██║╚══██╔══╝╚══██╔══╝██║  ██║██╔════╝██║██╔══██╗\n██║     ██████╔╝██║   ██║██╔████╔██║█████╔╝ ██║   ██║█████╗██║   ███████║█████╗  ██║███████║\n██║     ██╔══██╗██║   ██║██║╚██╔╝██║██╔═██╗ ██║   ██║╚════╝██║   ██╔══██║██╔══╝  ██║██╔══██║\n╚██████╗██████╔╝╚██████╔╝██║ ╚═╝ ██║██║  ██╗██║   ██║      ██║   ██║  ██║███████╗██║██║  ██║\n ╚═════╝╚═════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝  ╚═╝╚═╝   ╚═╝      ╚═╝   ╚═╝  ╚═╝╚══════╝╚═╝╚═╝  ╚═╝ by IBM Research\n\nCBOMkit-theia analyzes cryptographic assets in a container image or directory.\nIt is part of cbomkit (https://github.com/cbomkit/cbomkit) donated to PQCA by IBM Research.\n\n--\u003e Disclaimer: CBOMkit-theia does *not* perform source code scanning \u003c--\n--\u003e Use https://github.com/cbomkit/sonar-cryptography for source code scanning \u003c--\n\nFeatures\n- Find certificates in your image/directory\n- Find keys in your image/directory\n- Find secrets in your image/directory\n- Verify the executability of cryptographic assets in a CBOM (requires --bom to be set)\n- Output: Enriched CBOM to stdout/console\n\nSupported image/filesystem sources:\n- local directory \n- local application with dockerfile (ready to be build)\n- local docker image from docker daemon\n- local docker image as TAR archive\n- local OCI image as directory\n- local OCI image as TAR archive\n- OCI image from 
OCI registry\n- docker image\n- image from singularity\n\nSupported BOM formats (input \u0026 output):\n- CycloneDXv1.6\n\nExamples:\ncbomkit-theia dir my/cool/directory\ncbomkit-theia image nginx\n\nPlugin Explanations:\n\u003e \"certificates\": Certificate File Plugin\nFind x.509 certificates\n\n\u003e \"javasecurity\": java.security Plugin\nVerify the executability of cryptographic assets from Java code\nAdds a confidence level (0-1) to the CBOM components to show how likely it is that this component is actually executable\n\n\u003e \"secrets\": Secret Detection Plugin\nFind secrets \u0026 keys (private, public and secret keys)\n\n\u003e \"opensslconf\": OpenSSL Configuration Plugin\nReads OpenSSL configuration files and adds tls protocol and cipher suites to CBOM\n\nUsage:\n  cbomkit-theia [command]\n\nAvailable Commands:\n  completion  Generate the autocompletion script for the specified shell\n  dir         Analyze cryptographic assets in a directory\n  help        Help about any command\n  image       Analyze cryptographic assets in a container image\n\nFlags:\n  -b, --bom string          BOM file to be verified and enriched\n      --config string       config file (default is $HOME/.cbomkit-theia.yaml)\n      --docker-host string  Docker daemon socket (default \"unix:///var/run/docker.sock\")\n  -h, --help                help for cbomkit-theia\n      --ignore strings      file path patterns to ignore during scanning (glob syntax, e.g. 
'testdata/,*.tmp')\n      --log-level string    log level (trace, debug, info, warn, error, fatal, panic) (default \"info\")\n  -p, --plugins strings     list of plugins to use (default [certificates,javasecurity,secrets,opensslconf,keys,vex])\n      --schema string       BOM schema to validate the given BOM (default \"provider/cyclonedx/bom-1.6.schema.json\")\n\nUse \"cbomkit-theia [command] --help\" for more information about a command.\n```\n\n## Prerequisites\n\n- Go \n  - Version: `1.25` or up\n- Docker (or similar container runtimes)\n  - Recommended: Set the `DOCKER_HOST` environment variable (default: `unix:///var/run/docker.sock`)\n\n## Running\n\n### Docker\n\n```shell\ndocker build -t cbomkit-theia . \n# CLI\ndocker run cbomkit-theia [command] \u003e enriched_CBOM.json\n```\n\n### Compiled\n\n```shell\ngo mod download\ngo build\n./cbomkit-theia [command] \u003e enriched_CBOM.json\n```\n\n## Configuration\n\nCBOMkit-theia reads its configuration from `$HOME/.cbomkit-theia/config.yaml`. This file is automatically created on first run.\n\n### Plugins\n\nBy default, all available plugins are enabled:\n- certificates\n- javasecurity\n- secrets (private, public and secret keys)\n- opensslconf\n\n**Important Note:** The application is configured to ensure all plugins are always available. If you manually edit the configuration file to exclude specific plugins, CBOMkit-theia will detect this and automatically restore all plugins to their default enabled state on the next run. If you need to disable specific plugins for a particular run, use the `-p` flag instead of modifying the config file:\n\n```shell\n# Run with only specific plugins\n./cbomkit-theia image nginx -p certificates -p secrets\n```\n\n### Ignoring Files\n\nTo skip certain files during scanning (e.g., test fixtures or development artifacts), you can specify ignore patterns using glob syntax. Patterns can be provided via three sources, which are merged:\n\n**1. 
`.cbomkitignore` file** (placed in the scanned directory root, gitignore-style):\n\n```\n# Skip test fixtures\ntestdata/\n*_test_cert.pem\n\n# Skip vendor/dependency dirs\nvendor/\nnode_modules/\n\n# Skip development secrets\n.env\n*.key.dev\n```\n\n**2. Config file** (`$HOME/.cbomkit-theia/config.yaml`):\n\n```yaml\nignore:\n  - testdata/\n  - \"*.tmp\"\n  - vendor/\n```\n\n**3. CLI flag** (`--ignore`):\n\n```shell\ncbomkit-theia dir ./myproject --ignore \"testdata/,*.tmp,vendor/\"\n```\n\nPatterns support [doublestar](https://github.com/bmatcuk/doublestar) glob syntax (e.g., `**/*.pdf`, `*.tmp`, `dir/`). Lines starting with `#` are treated as comments. A trailing `/` matches any path with that directory prefix.\n\n\u003e [!NOTE]\n\u003e For image scanning, `.cbomkitignore` is not applicable (there is no local directory root). Config and CLI patterns still apply.\n\n## Development\n\n### Plugins\n  - `java.security` Configuration Plugin:\n    - Searches the filesystem for the `java.security` file and reads the configuration\n    - Reads the `jdk.tls.disabledAlgorithms` property and checks if any of the algorithms are used in the given CBOM\n    - Based on the results, a confidence level (`confidence_level`) is assigned to the restricted (or not restricted) algorithms in the CBOM\n      - A higher confidence level means that a component is more likely to be executable\n  - OpenSSL Configuration Plugin:\n    - Searches the filesystem for OpenSSL configuration files (e.g., `openssl.cnf`)\n    - When an `openssl.cnf` file is detected, it will be scanned and a file component will be created as part of the CBOM\n    - Extracts and adds TLS protocol versions and cipher suites configured in the OpenSSL configuration to the CBOM\n  - X.509 Certificate Plugin:\n    - Searches the filesystem for X.509 certificates\n    - Adds the certificates to the CBOM, as well as signature algorithms, public keys and public key algorithms\n  - Secret Plugin:\n    - Leverages [gitleaks](https://github.com/gitleaks/gitleaks) to find secrets and keys in the data source\n    - Adds the secrets and keys (private, public and secret keys) to the CBOM\n\nAdditional plugins can be added by implementing the `Plugin` interface from [`cbomkit-theia/scanner/plugins`](./scanner/plugins/plugin.go#L41) and adding the plugin's constructor to the `GetAllPluginConstructors` function in [`cbomkit-theia/scanner/scanner.go`](./scanner/scanner.go#L58).\n\n## Security Disclaimer\n\nCBOMkit-theia performs several filesystem reads based on the user input and may print the contents of these files to the stderr console. Do not use this tool on untrusted input or provide the output to untrusted parties.\n\n## Contribution Guidelines\n\nIf you'd like to contribute to CBOMkit-theia, please take a look at our [contribution guidelines](CONTRIBUTING.md). By participating, you are expected to uphold our [code of conduct](CODE_OF_CONDUCT.md).\n\nWe use [GitHub issues](https://github.com/cbomkit/cbomkit-theia/issues) for tracking requests and bugs. For questions, start a discussion using [GitHub Discussions](https://github.com/cbomkit/cbomkit-theia/discussions).\n\n## License\n\n[Apache License 2.0](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcbomkit%2Fcbomkit-theia","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcbomkit%2Fcbomkit-theia","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcbomkit%2Fcbomkit-theia/lists"}