Documentation Index
Fetch the complete documentation index at: https://docs.binarly.io/llms.txt
Use this file to discover all available pages before exploring further.
Secure product development
Hardware OEMs and software vendors use Binarly to validate compiled binaries before products ship. The scan runs post-build — after all components have been compiled and linked — which is the point where the binary is in its final form and source-code scanning no longer reaches the full picture.
Problem: Traditional SCA tools run against source code and package manifests. They miss vulnerabilities in statically linked libraries, precompiled third-party components, and firmware blobs where source is unavailable. By the time a binary reaches production, these blind spots have already been inherited.
Solution: The Binarly Transparency Platform scans the compiled binary directly. The Binarly Analysis Engine decompiles, constructs call graphs, and performs data-flow analysis across the full binary — first-party code and all embedded third-party components. Known CVEs are detected via binary-level component identification, not version string matching. Unknown vulnerability classes are detected through semantic code behavior analysis. Results include a binary-derived SBOM, prioritized findings, and reachability data. The result: a triage list grounded in what’s actually reachable, not what’s theoretically possible.
How it integrates: Post-build in CI/CD pipelines via GitHub Actions, GitLab CI, Jenkins, or the REST API. Scans typically complete within minutes for most binary sizes. Findings can gate the release or feed directly into JIRA for remediation tracking.
Third-party risk management
Enterprise security and procurement teams use Binarly to inspect vendor-supplied firmware and software before it enters their environment. Vendor SBOMs and attestations describe what a vendor says is in their product. Binary analysis shows what’s actually there.
Problem: Statically linked dependencies, undeclared components, and backported patches are invisible to tools that work from manifests alone. Accepting a vendor SBOM without binary validation means accepting self-attestation as ground truth.
Solution: Binarly scans the firmware or software binary provided by the vendor and generates an independent SBOM from the binary itself. The platform compares vendor-supplied SBOMs against binary ground truth, surfaces discrepancies, and flags known and novel vulnerabilities present in the actual binary — not in the declared component list. The result: objective evidence replacing vendor self-attestation.
How it integrates: Vendor onboarding workflows, pre-procurement security assessments, and ongoing supplier monitoring. Scan results become a vendor security posture report, a SBOM attestation, or evidence for contractual security requirements.
Post-quantum cryptography readiness
Binarly generates a Cryptography Bill of Materials (CBOM) from binary analysis and maps every cryptographic asset to CNSA 2.0 and NIST IR 8547 compliance requirements. This applies to any binary where you need to know what cryptographic algorithms are actually in use — not what documentation says should be there.
Problem: Quantum-resistant cryptography migration requires knowing what algorithms are deployed across every system and component. Most organizations can’t answer that question for third-party firmware and compiled software where source code is unavailable. Standard inventory tools work from metadata; cryptographic assets embedded in binaries are invisible to them.
Solution: The Binarly Analysis Engine identifies every cryptographic algorithm, key, certificate, and protocol present in the binary. Cryptographic reachability analysis determines which assets are actively used versus merely present. The CBOM output maps each finding to NIST IR 8547 compliance tiers and includes migration timelines: immediate action required for MD5 and DES, RSA phase-out by 2030, full PQC migration by 2035. See PQC reports for export format details.
How it integrates: CNSA 2.0 compliance assessments for National Security Systems (new acquisitions must be compliant by January 2027). PCI DSS 4.0 cryptographic inventory requirements (Requirements 4.2.1.1 and 12.3.3). Internal PQC migration planning for any organization with compiled firmware or software in scope.
