Inventory Surveys
An inventory survey analyzes software artifacts to map the cryptography present in your builds. It is the default survey type, and complements a runtime survey, which observes the cryptography your application actually executes: inventory answers “what cryptography is present?” while runtime answers “what cryptography did this artifact actually use?”
The survey generates encrypted Artifact Dependency Graphs (ADGs) and uploads them to your Spice Labs environment.
Running a survey
spice survey inventory <subject> <input>
<subject>— a label for the system being surveyed (shown on the dashboard).<input>— path to the artifacts to survey: a directory, a.tararchive, or a single jar, war, or ear.
Examples:
# Survey a build output directory
spice survey inventory my-app ./build/output
# Survey a single archive
spice survey inventory my-app ./artifacts/my-app.tar
# Survey without uploading (local only)
spice survey inventory my-app ./build/output --no-upload
The two survey types are far more powerful together than either alone. Survey the same artifact both ways and Spice Labs correlates the results into a combined report.
CBOMs
An inventory survey produces a CBOM and indexes every jar, war, and ear in your build — the “present” view of its cryptography. When a runtime survey is anchored to one of those artifacts, Spice Labs correlates the two into a combined Cryptography Bill of Materials, adding what actually runs to what is present. See CBOMs for the full workflow.
See the Surveyor CLI Reference for the complete list of inventory survey options.