TL;DR: Cryptographic inventories must now track keys, certificates, algorithms, libraries and trust anchors across cloud, CI/CD pipelines and devices because manual records miss where cryptography actually lives, according to Keyfactor. Without that visibility, organisations cannot rotate, replace or assess cryptographic assets fast enough for compliance or quantum-safe planning.
NHIMG editorial — based on content published by Keyfactor: How to build a cryptographic asset inventory across cloud, CI/CD and devices
By the numbers:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
Questions worth separating out
Q: How should security teams build a cryptographic inventory across cloud and CI/CD systems?
A: Start with automated discovery, not manual spreadsheets.
Q: Why do cryptographic inventories matter for post-quantum readiness?
A: Because you cannot migrate what you cannot find.
Q: What do organisations get wrong about cryptographic bill of materials data?
A: A CBOM tells you what software can do, not how it is configured in a specific environment.
Practitioner guidance
- Automate discovery across every cryptographic domain: map certificates, keys, algorithms, libraries and trust anchors across cloud services, CI/CD systems and devices.
- Extend inventory into CI/CD build paths: scan build pipelines for certificates, keys and secrets used during compilation, packaging and deployment.
- Classify long-lived devices as migration-critical: tag firmware, IoT, OT and edge assets that contain persistent trust anchors or long-lived signatures.
What's in the full article
Keyfactor's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step discovery workflow for cloud certificates, keys and algorithms across IaaS, PaaS and managed services
- Pipeline-level examples for finding embedded cryptography in CI/CD builds and binaries
- Device and firmware inventory considerations for long-lived trust anchors and update signatures
- Implementation guidance for centralising inventory data, ownership and risk context
Cryptographic inventory across cloud, CI/CD and devices: are your controls current?
Explore further
Cryptographic inventory is the missing control plane for cryptographic governance. The article makes clear that discovery alone is not enough; organisations need a central, continuously updated record that ties each cryptographic object to ownership, usage and risk. Without that, rotation, replacement and audit decisions are made against stale assumptions. The practitioner conclusion is simple: inventory is not documentation, it is operational governance.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to the State of Secrets Sprawl 2026.
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded.
A question worth separating out:
Q: How can teams prioritise cryptographic remediation without creating chaos?
A: Start with asset criticality, exposure and lifecycle status. Expired certificates, weak algorithms and long-lived device trust anchors should rise to the top first because they create the highest operational and compliance risk. A good inventory turns remediation into a ranked queue rather than an unstructured backlog.
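As an added example (not Keyfactor's or NHIMG's code) of the discovery-plus-ranking loop described in the practitioner guidance above and in this answer: a stdlib-only Python scanner that walks a build tree, extracts PEM-encoded certificates and keys, deduplicates them by fingerprint so one key committed in several places is one inventory object, and returns a ranked remediation queue. The risk weights and the sample files are assumptions constructed for the illustration.

```python
import base64, hashlib, os, re, tempfile
# One PEM block: group 1 is the label, group 2 the base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Assumed ranking weights (not from the article): unencrypted private key material
# in a build path outranks encrypted keys, which outrank certificates.
RISK = {"PRIVATE KEY": 100, "RSA PRIVATE KEY": 100, "EC PRIVATE KEY": 100,
        "ENCRYPTED PRIVATE KEY": 60, "CERTIFICATE": 20}

def scan_tree(root):
    """Walk a build tree, extract PEM blocks, fingerprint the decoded DER so the
    same object in several files becomes one inventory record, and rank by risk."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for label, body in PEM_RE.findall(text):
                try:
                    der = base64.b64decode("".join(body.split()), validate=True)
                except ValueError:  # binascii.Error subclasses ValueError: not PEM
                    continue
                fp = hashlib.sha256(der).hexdigest()
                rec = inventory.setdefault(fp, {"fingerprint": fp, "type": label,
                                                "risk": RISK.get(label, 10), "paths": []})
                rec["paths"].append(os.path.relpath(path, root))
    for rec in inventory.values():  # every extra copy widens exposure
        rec["risk"] += 5 * (len(rec["paths"]) - 1)
    return sorted(inventory.values(), key=lambda r: -r["risk"])

def pem(label, payload):
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

def build_sample_tree():
    """Constructed sample tree: one private key committed twice, one certificate,
    one malformed PEM block. Payloads are placeholder bytes, not real key material."""
    root = tempfile.mkdtemp()
    files = {
        "ci/deploy.pem": pem("RSA PRIVATE KEY", b"constructed-key-bytes"),
        "src/config/dev.key": pem("RSA PRIVATE KEY", b"constructed-key-bytes"),
        "certs/ca.crt": pem("CERTIFICATE", b"constructed-cert-bytes"),
        "docs/notes.txt": "-----BEGIN CERTIFICATE-----\n!!not base64!!\n-----END CERTIFICATE-----\n",
    }
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root
```

Running `scan_tree(build_sample_tree())` yields the duplicated private key first (risk 105, two paths) and the certificate second (risk 20); the malformed block is skipped rather than inventoried.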