Introducing Jacked
Jacked is an open-source vulnerability scanning tool designed to help you identify and mitigate security risks in your Container Images and File Systems.
Key Features
With Jacked, you can fortify your software applications against security threats, streamline your vulnerability management process, and deliver software that is secure, compliant, and reliable.
- Comprehensive Vulnerability Scanning
- Tailored Configuration
- Diggity Integration
- Flexible Output Formats
Vulnerability Data Sources
Jacked leverages multiple trusted data sources for comprehensive vulnerability detection and management.
National Vulnerability Database
The NVD provides a rich source of vulnerability data, including CVEs (Common Vulnerabilities and Exposures), which Jacked uses to identify and assess vulnerabilities.
GitHub Advisories
Jacked monitors GitHub's advisory feed to stay up-to-date with security advisories related to open-source projects hosted on GitHub, enhancing its ability to detect vulnerabilities in widely used libraries and repositories.
Alpine Security Advisories
Jacked is equipped to access and utilize Alpine Linux's security advisories. This integration ensures that Alpine Linux-based containers are thoroughly scanned for security issues.
Debian Security Advisories
Jacked taps into Debian's security advisories, enabling it to detect vulnerabilities in packages commonly found in Debian-based systems.
Use Jacked together with its Jenkins, Azure and GitHub plugins to ensure code quality, speed up software delivery, and streamline your development process.
- Image, Tar, and Directory Scanning
- Severity Fail Criteria
- Ignore CVEs and Package Names
- Skip Build Fail and Database Update
Supported Installation OS
Jacked currently supports the following operating systems:
WINDOWS INSTALLATION
On Windows (amd64 architecture), you can seamlessly run our newest open-source tool to protect your images against possible threats.
MAC INSTALLATION
Scan images for vulnerabilities on any Mac operating system, because Jacked supports both the arm64 and amd64 architectures.
LINUX INSTALLATION
Jacked can easily detect security issues in your images. The open-source tool runs on the amd64, arm64, ppc64le, and s390x architectures of the Linux operating system.
Installation Guide
You can improve your code security by installing Jacked, the newest open-source analysis scanning tool in the market!
Build
$ git clone https://github.com/carbonetes/jacked
$ cd jacked
$ go install
Recommended
A simple way to install a working binary from your terminal:
curl -sSfL https://raw.githubusercontent.com/carbonetes/jacked/main/install.sh | sh -s -- -d /usr/local/bin
You can specify a release version (-v) and a destination directory (-d) for the installation; replace the placeholders below with the version and directory you want:
curl -sSfL https://raw.githubusercontent.com/carbonetes/jacked/main/install.sh | sh -s -- -d <install-dir> -v <version>
Homebrew
brew tap carbonetes/jacked
brew install jacked
Scoop
scoop bucket add jacked https://github.com/carbonetes/jacked-bucket
scoop install jacked
Useful Commands and Flags
jacked [command] [flag]
| SubCommand | Description |
|---|---|
| config | Display the current configurations |
| db | Display the database information |
| version | Display build version information of Jacked |
Available Commands and their flags with description:
jacked [flag]
| Root Flags | Description |
|---|---|
| --sbom string | Input SBOM file from Diggity to scan (only read from a JSON file) |
| -d, --dir string | Read directly from a path on disk (any directory) (e.g. `jacked -d path/to/dir`) |
| -t, --tar string | Read a tarball from a path on disk for archives created by `docker save` (e.g. `jacked -t path/to/image.tar`) |
| --disable-file-listing | Disable file listing from package metadata (default false) |
| --enabled-parsers stringArray | Specify enabled parsers (apk, debian, java, npm, composer, python, gem, rpm, dart, nuget, go) (default all) |
| -l, --licenses | Enable scanning for package licenses |
| -o, --output string | Show scan results in "table", "json", "cyclonedx-json", "cyclonedx-xml", "spdx-json", "spdx-xml", or "spdx-tag-value" format (default "table") |
| --registry-uri string | Registry URI endpoint (default "index.docker.io/") |
| --registry-token string | Access token for private registry access |
| --registry-username string | Username credential for private registry access |
| --registry-password string | Password credential for private registry access |
| --secret-exclude-filenames stringArray | Exclude the specified filenames from secret searching |
| --secret-max-file-size int | Maximum size of each file that the secret search will scan (default 10485760) |
| -v, --version | Print application version |
| --ignore-package-names | Specify package names to be whitelisted in the result |
| --ignore-vuln-cves | Specify CVEs to be whitelisted in the result |
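The "Severity Fail Criteria" and "Ignore CVEs and Package Names" features above are a policy gate layered on top of the scan result. The following added example (not Jacked's own code) shows what such a gate does: it reads a report in the standard CycloneDX JSON format (the `-o cyclonedx-json` output listed above), applies an ignore list for CVE ids and package names in the spirit of `--ignore-vuln-cves` and `--ignore-package-names`, and fails when any remaining finding reaches the configured severity. It assumes only the public CycloneDX 1.4 schema (`components[].bom-ref/name/version`, `vulnerabilities[].id/ratings[].severity/affects[].ref`); the embedded report and its CVE ids are constructed placeholders, not scanner output.

```python
"""Severity gate over a CycloneDX 1.4 JSON vulnerability report.

Added example, not part of Jacked. Assumes the report follows the public
CycloneDX schema; the sample report below is constructed, with placeholder
CVE ids.
"""
import json

# CycloneDX severities, ordered from least to most serious.
SEVERITY_ORDER = ["info", "none", "low", "medium", "high", "critical"]


def severity_rank(name):
    """Map a severity string to a comparable integer; unknown strings rank lowest."""
    name = (name or "unknown").lower()
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else -1


def highest_severity(vuln):
    """A vulnerability may carry several ratings (NVD, GitHub, ...); take the worst."""
    best = "unknown"
    for rating in vuln.get("ratings") or []:
        if severity_rank(rating.get("severity")) > severity_rank(best):
            best = rating["severity"].lower()
    return best


def evaluate_report(report, fail_on="high", ignore_cves=(), ignore_packages=()):
    """Return (should_fail, findings).

    findings holds one dict per (vulnerability, affected package) pair that
    survives the ignore lists; "breaches" marks those at or above fail_on.
    """
    components = {c.get("bom-ref"): c for c in report.get("components", [])}
    ignore_cves = {c.upper() for c in ignore_cves}   # CVE ids compare case-insensitively
    ignore_packages = set(ignore_packages)
    threshold = severity_rank(fail_on)

    findings = []
    for vuln in report.get("vulnerabilities", []):
        vuln_id = vuln.get("id", "")
        if vuln_id.upper() in ignore_cves:
            continue
        severity = highest_severity(vuln)
        for affected in vuln.get("affects") or []:
            comp = components.get(affected.get("ref"), {})
            pkg = comp.get("name", affected.get("ref", "?"))
            if pkg in ignore_packages:
                continue
            findings.append({
                "id": vuln_id,
                "package": pkg,
                "version": comp.get("version", "?"),
                "severity": severity,
                "breaches": severity_rank(severity) >= threshold,
            })
    return any(f["breaches"] for f in findings), findings


# Constructed sample report shaped like CycloneDX 1.4; CVE ids are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:apk/alpine/openssl@1.1.1k", "name": "openssl", "version": "1.1.1k"},
    {"bom-ref": "pkg:npm/lodash@4.17.15", "name": "lodash", "version": "4.17.15"},
    {"bom-ref": "pkg:deb/debian/curl@7.64.0", "name": "curl", "version": "7.64.0"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "ratings": [{"severity": "critical"}],
     "affects": [{"ref": "pkg:apk/alpine/openssl@1.1.1k"}]},
    {"id": "CVE-0000-0002", "ratings": [{"severity": "medium"}, {"severity": "high"}],
     "affects": [{"ref": "pkg:npm/lodash@4.17.15"}]},
    {"id": "CVE-0000-0003", "ratings": [{"severity": "low"}],
     "affects": [{"ref": "pkg:deb/debian/curl@7.64.0"}]}
  ]
}
""")


if __name__ == "__main__":
    failed, findings = evaluate_report(
        SAMPLE_REPORT, fail_on="high",
        ignore_cves=["cve-0000-0001"],   # accepted risk, tracked elsewhere
        ignore_packages=["curl"],        # package owned by another team's gate
    )
    for f in findings:
        flag = "FAIL" if f["breaches"] else "ok  "
        print(f"{flag} {f['id']} {f['package']}@{f['version']} ({f['severity']})")
    raise SystemExit(1 if failed else 0)
```

Two details matter in a gate like this: the worst rating across all sources decides (a finding rated medium by one source and high by another is treated as high), and an ignore entry drops the finding from the result entirely rather than just from the exit code, so the ignore lists should be reviewed as deliberately as the threshold.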
jacked config [flag]
| Config Flags | Description |
|---|---|
| -d, --display | Display the content of the configuration file |
| -h, --help | Help for configuration |
| -p, --path | Display the path of the configuration file |
| -r, --reset | Restore the default configuration file |
jacked db [flag]
| Database Flags | Description |
|---|---|
| -i, --info | Print database metadata information |
| -v, --version | Print the current database version |
jacked version [flag] [string]
| Version Flags | Description |
|---|---|
| -f, --format | Print the application version in the given format (json, text) (default "text") |