We’re excited to announce that CBOMkit now supports Go (Golang) for cryptographic detection and CBOM generation.
With this update, CBOMkit extends its language coverage beyond Java and Python – bringing cryptographic visibility to one of the most widely used languages in modern infrastructure.
What’s Included in Go Support
Go support is powered by the CBOMkit scanning engine (Sonar Cryptography Plugin) and enables detection of cryptographic usage directly from Go source code.
Supported packages
- Standard library (crypto/*)
  - Full coverage (except crypto/x509)
- golang.org/x/crypto
  - Partial support for:
    - hkdf
    - pbkdf2
    - sha3
This allows CBOMkit to identify cryptographic algorithms (hashing, encryption, key derivation), cryptographic primitives and their parameters, and the usage locations within Go source code.
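To make the detection described above concrete, here is a small added example that is not CBOMkit's own engine (that work lives in the Sonar Cryptography Plugin): it parses a constructed Go file with the standard go/ast package and records every crypto/* and golang.org/x/crypto/* reference with its file and line, the granularity a CBOM entry points at. The names ScanGoSource, Asset and the sample source are assumptions of this example; emitting the result as a CycloneDX CBOM is left out.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Asset is one detected reference to a cryptographic package, with the file:line a CBOM entry would point at.
type Asset struct{ Package, Symbol, File string; Line int }
// ScanGoSource parses one Go file held in memory and records every reference to a crypto/* or
// golang.org/x/crypto/* symbol, including function values such as the hash constructor handed to a KDF.
func ScanGoSource(filename, src string) ([]Asset, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]string{} // local package name (alias or last path element) -> import path
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if !strings.HasPrefix(path, "crypto/") && !strings.HasPrefix(path, "golang.org/x/crypto/") {
			continue
		}
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil { // honour an import alias so the reference still resolves
			name = imp.Name.Name
		}
		local[name] = path
	}
	var assets []Asset
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && local[id.Name] != "" {
				pos := fset.Position(sel.Pos())
				assets = append(assets, Asset{local[id.Name], id.Name + "." + sel.Sel.Name, pos.Filename, pos.Line})
			}
		}
		return true
	})
	return assets, nil
}
// sample is a constructed input file (parsed, never compiled): PBKDF2 over SHA-256 feeding an AES key.
const sample = "package main\n\nimport (\n\t\"crypto/aes\"\n\t\"crypto/sha256\"\n\t\"golang.org/x/crypto/pbkdf2\"\n)\n\nfunc derive(pw, salt []byte) {\n\tkey := pbkdf2.Key(pw, salt, 4096, 32, sha256.New)\n\t_, _ = aes.NewCipher(key)\n}\n"
func main() {
	assets, err := ScanGoSource("derive.go", sample)
	fmt.Println(assets, err) // each entry: {package symbol file line}
}
```

Note that sha256.New is reported although it is never called directly: it is a parameter of the KDF, which is exactly the kind of detail a CBOM needs to capture.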
What Changes for Users
If you’re working with Go projects, you can now:
- Scan Go repositories to detect cryptographic assets
- Generate CBOMs in CycloneDX format
- Understand crypto usage at a granular level (file + line)
No changes are required to your workflow – Go support integrates seamlessly into existing CBOMkit pipelines.
Contributions:
- Go support in scanner: https://github.com/cbomkit/sonar-cryptography/pull/361 – Nicklas Körtge
- Integration into CBOMkit: https://github.com/cbomkit/cbomkit/pull/323 – Andreas Schade
Get Started
You can start using Go support immediately:
- Scan your Go repository using CBOMkit
- Be a part of the CBOMkit community: open an issue in the repository, reach out on Discord, or join the bi-weekly meetings.
What’s Next
We’ll continue expanding:
- Adding C# support (System.Security.Cryptography)
- We recently added support for using an external compliance service with user-defined policies. There is a basic quantum-safe policy for the moment. Other, more sophisticated policies could be developed.
- And more to come
We’re a friendly community and welcome all contributions and feedback.
Contributed By:
Aditya has a strong background in post-quantum cryptography, telco security, and cloud-native technologies. He serves as the TAC Chair of the Post-Quantum Cryptography Alliance (PQCA) and is a member of the Technical Steering Committee (TSC) for the CBOMkit project. He is also the Co-Founder of the NgKore Foundation, a non-profit open-source community, and works as a Principal Security Architect at PQStation. Additionally, he is a TAC member at the OpenSSL Corporation & Foundation. Outside of work, he is a moody part-time farmer.
Andreas Schade (IBM Zurich Research Laboratory)
Andreas Schade is a member of the Platform Crypto and Security Group at the IBM Zurich Research Laboratory. His current research focuses on Cryptography Bill of Materials (CBOM) and Post-Quantum Security. He is a co-author of CBOMkit and serves as a member of the Post Quantum Cryptography Alliance (PQCA). Andreas’ background is computer science, in particular distributed systems and applications management, which was also the topic of his dissertation. Throughout his career in IBM Research, he has worked on communication platforms for medical environments, virtual markets and service trading, pervasive computing, device profiles and delivery context information, autonomous tracking devices, authorization languages, and threat management. He holds a diploma degree and a doctoral degree in Computer Science, both from Humboldt University of Berlin, Germany.
Nicklas Körtge is a full-stack software engineer in the security department of IBM Research Lab Zurich. His current work focuses on Cryptographic Discovery and Cryptography Bill of Materials (CBOM) in the Post-Quantum Cryptography research group. Nicklas is a co-author of CBOMkit, a toolset originally developed at IBM and later donated to the Post-Quantum Cryptography Alliance (PQCA), a project of the Linux Foundation. He holds a Master’s degree in Computer Science and has contributed to IBM’s efforts around cryptography inventory and quantum-safe migration.