Runtime Surveys
A runtime survey instruments a running JVM to detect the cryptographic operations your application actually executes. It complements an inventory survey, which finds the cryptography present in your artifacts: inventory answers “what cryptography is present?” while runtime answers “what cryptography did this artifact actually use?”
Running a survey
Run your application under the surveyor:
spice survey runtime <subject> --jfr -- <command>
<subject>— a label for the system being surveyed (shown on the dashboard).--jfr— required; uses JDK Flight Recorder instrumentation to observe cryptographic calls.--— separates surveyor options from the command to run.<command>— the JVM process to instrument.
Examples:
# Instrument a running application
spice survey runtime my-app --jfr -- java -jar app.jar
# Instrument a test run
spice survey runtime my-app --jfr -- mvn test
The two survey types are far more powerful together than either alone. Survey the same artifact both ways and Spice Labs correlates the results into a combined report.
CBOMs
Every survey produces a Cryptography Bill of Materials. To correlate a runtime survey with an inventory survey that indexed the same artifact — into a single combined CBOM — anchor it with --anchor:
spice survey runtime my-app --anchor ./build/output/app.jar --jfr -- java -jar ./build/output/app.jar
Runtime instrumentation alone cannot tell which build artifact it is exercising, so without --anchor the runtime survey will not correlate with your inventory survey and no combined CBOM is produced. See CBOMs for the full workflow.
See the Surveyor CLI Reference for the complete list of runtime survey options.