
Jacked

Jacked gives organizations a more comprehensive view of their applications so they can take calculated actions and build a better security approach. Its primary purpose is to scan for vulnerabilities so that risk mitigation measures can follow.


README

[Jacked logo]

Jacked is an open-source vulnerability scanning tool designed to help you identify and mitigate security risks in your Container Images and File Systems.

[Screenshot: sample Jacked scan output]

Integration with Diggity

Jacked works seamlessly with Diggity, our powerful tool for generating Software Bill of Materials (SBOM). Together, they provide a comprehensive solution for securing your software development process.

Key Features:

  • Comprehensive Vulnerability Scanning: Jacked thoroughly examines your container images and file systems to pinpoint potential security risks and vulnerabilities. This comprehensive approach ensures the robustness and security of your deployed container images and codebases.
  • Intelligent Configuration Management: Jacked features automatic configuration validation, missing field detection, and comprehensive documentation generation. Configuration files are automatically created with helpful comments and maintained with complete settings.
  • Tailored Configuration: Customize Jacked to align with your specific security preferences. Tailor the tool to suit your organization's unique requirements and security policies with well-documented configuration options.
  • Cross-Platform Compatibility: Jacked seamlessly integrates with major operating systems and supports various package types. It offers flexibility and compatibility to fit into your existing workflow.
  • Diggity Integration: Enhance your security posture by leveraging Jacked's compatibility with Diggity. This integration provides SBOM (Software Bill of Materials) Container Image and File System support.
  • Integration-Friendly: Seamlessly integrate Jacked into your CI/CD pipelines and DevOps workflows to automate vulnerability analysis.
  • User-Friendly Interface: Jacked offers an intuitive command-line interface, making it accessible to both security experts and developers.
  • Flexible Output Formats: Jacked provides multiple output formats, making it easy to analyze scan results. Choose from options like tabulated summaries, JSON reports, CycloneDX, SPDX, and more.

What Jacked Includes

Jacked is a comprehensive vulnerability scanning solution that supports a wide range of technologies and provides extensive features:

🔍 Package Ecosystem Support

Jacked provides comprehensive vulnerability scanning for a wide range of package ecosystems. It includes specialized scanning strategies for the most common ecosystems, while also supporting generic scanning for other package types:

Ecosystems with Specialized Scanning Strategies:

  • Operating Systems: APK (Alpine), DPKG (Debian/Ubuntu), RPM (Red Hat/CentOS/Fedora)
  • Programming Languages:
    • JavaScript/Node.js: NPM packages with semantic versioning
    • Python: PyPI packages with PEP 440 version constraints
    • Java: Maven artifacts with complex version handling
    • Go: Go modules with semantic versioning
    • Ruby: RubyGems with version constraints
    • Dart: Pub packages for Flutter/Dart applications

Additional Support:

  • Advanced matching algorithms with CPE (Common Platform Enumeration) support
  • Generic Package Scanning: Supports any package ecosystem through generic vulnerability matching
  • Custom Package Types: Extensible architecture allows for additional ecosystem support
  • Cross-Platform Compatibility: Works with packages from various sources and registries
  • Actively Expanding: We continuously release new specialized scanning strategies for emerging ecosystems
  • Community-Driven: Users can request new ecosystem support by opening an issue

🛡️ Vulnerability Data Sources

  • NVD (National Vulnerability Database): Comprehensive CVE database
  • GitHub Security Advisories (GHSA): Real-time security alerts from GitHub
  • Alpine Security Database: Alpine Linux specific vulnerabilities
  • Debian Security Tracker: Debian/Ubuntu package vulnerabilities

With Jacked, you can fortify your software applications against security threats, streamline your vulnerability management process, and deliver software that is secure, compliant, and reliable.

Installation

Recommended

Using Curl (Linux/macOS)

Run the following command to download and install Jacked using Curl:

curl -sSfL https://raw.githubusercontent.com/carbonetes/jacked/main/install.sh | sh -s -- -d /usr/local/bin

Note: If you get a Permission Denied error, rerun the command with sudo (curl ... | sudo sh -s -- -d /usr/local/bin), since writing to /usr/local/bin requires elevated permissions. Downloading install.sh, reviewing it, and then running it is preferable to piping it straight into a root shell.

Using Homebrew (Linux/macOS)

First, add the Jacked tap by running the following command:

brew tap carbonetes/jacked

Then, install Jacked using Homebrew:

brew install jacked

To check if Jacked is installed properly, try running the following command:

jacked --version

Using Scoop (Windows)

First, add the jacked-bucket by running:

scoop bucket add jacked https://github.com/carbonetes/jacked-bucket

Then, install Jacked using Scoop:

scoop install jacked

Verify that Jacked is installed correctly by running:

jacked --version

First Run Setup: When you first run Jacked, it will automatically create a comprehensive configuration file at ~/.jacked.yaml with detailed documentation and all available settings. You can customize this configuration file to match your specific needs.

Getting Started

Jacked offers a user-friendly command-line interface, ensuring that it is accessible to both security experts and developers.

Scanning Docker Images

To scan a Docker image, use the following command:

jacked <image-name:tag>

Replace <image-name:tag> with the name and tag of the Docker image you want to scan.

Scanning Code Repositories

To analyze a code repository, use the following command:

jacked --dir <repository-path>

Scanning Tarballs

To scan a tarball, use the following command:

jacked --tar <tarball-path>

SBOM Analysis

Jacked uses CycloneDX internally as the Software Bill of Materials (SBOM) format for processing and analyzing components. This enables Jacked to provide comprehensive vulnerability analysis with rich component metadata and dependency relationships.

While CycloneDX is used internally for analysis, the scan results can be exported in multiple standard formats including JSON, SPDX, and table formats for integration with your existing toolchain.

Output formats

Jacked provides flexible options for formatting and presenting scan results, making it easy to tailor the output to your specific needs.

jacked <target> -o <output-format>

You can choose from the following output formats:

  • table: The default output format, providing a concise columnar summary of the scan results. This format is ideal for a quick overview of vulnerabilities.
  • json: Get detailed scan results in JSON format, enabling easy integration with other tools and systems for further analysis and automation.
  • spdx-json: Software Package Data Exchange format in JSON.
  • spdx-xml: Software Package Data Exchange format in XML.
  • spdx-tag: Software Package Data Exchange format in tag-value format.
  • snapshot-json: Snapshot format in JSON for detailed vulnerability data.

Choose the output format that best suits your integration requirements and reporting preferences. Jacked's versatile output options ensure that you can effectively communicate and act on your scan results in a way that aligns with your workflow.

Vulnerability Severity Threshold

Jacked provides a powerful feature that allows you to set a severity threshold for vulnerabilities, helping you control the actions triggered based on the severity level of identified vulnerabilities. With this feature, you can tailor your security policies to align with your organization's risk tolerance and operational requirements.

How it Works

In CI mode (--ci), Jacked can be configured to evaluate the severity of vulnerabilities detected in your images or code repositories. By adding the --fail-criteria option to the scan arguments, you specify the severity threshold your organization deems acceptable, such as "low," "medium," or "high."

By defining a severity threshold, you can specify which vulnerabilities should trigger specific actions or policies. For example, you might want to:

  • Fail a CI/CD Pipeline: Jacked can be integrated into your CI/CD pipeline to halt the pipeline execution if vulnerabilities of a certain severity level (e.g., "low" or higher) are detected. This blocks deployment of images or code carrying known vulnerabilities at or above that threshold.

  • Generate Alerts: Configure alerts or notifications to be sent to relevant team members when vulnerabilities exceed the specified severity threshold. Stay informed and act swiftly when critical issues arise.

  • **Customiz
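A CI gate wrapper around the --ci and --fail-criteria flags, added here as an example and not part of the Jacked project. It assumes jacked exits non-zero in --ci mode when a finding meets the --fail-criteria threshold (which is what halting the pipeline implies), that -o json can be combined with --ci to keep a report artifact on stdout, and that low, medium and high are the accepted thresholds; the function and variable names are ours.

```shell
#!/bin/sh
# Added example (not project code): gate a CI job on a Jacked scan.
# Assumes jacked is on PATH (override with JACKED_BIN) and that, in --ci mode
# with --fail-criteria, it exits non-zero when a finding meets the threshold.
JACKED_BIN="${JACKED_BIN:-jacked}"

# Accept only the threshold values the README lists; anything else is a
# misconfiguration and should fail loudly rather than run an ungated scan.
valid_threshold() {
  case "$1" in
    low|medium|high) return 0 ;;
    *) return 1 ;;
  esac
}

# jacked_gate TARGET THRESHOLD [REPORT]
# Runs one scan in CI mode, keeps the JSON output as a pipeline artifact,
# and lets jacked's own exit status decide pass/fail.
# Exit codes: 0 = pass, 1 = findings at or above threshold, 2 = bad threshold
jacked_gate() {
  target="$1"; threshold="$2"; report="${3:-jacked-report.json}"
  if ! valid_threshold "$threshold"; then
    echo "jacked_gate: threshold must be low, medium or high (got '$threshold')" >&2
    return 2
  fi
  # Assumed: -o json writes the report to stdout even in --ci mode.
  if "$JACKED_BIN" --ci --fail-criteria "$threshold" -o json "$target" > "$report"; then
    echo "jacked_gate: $target passed (no findings at '$threshold' or above)"
    return 0
  fi
  echo "jacked_gate: $target has findings at '$threshold' or above; see $report" >&2
  return 1
}

# Usage: ./gate.sh <image-name:tag> <low|medium|high> [report.json]
if [ "$#" -ge 2 ]; then
  jacked_gate "$@"
fi
```

The report file is worth uploading as a build artifact even on a failing run, since it is what a reviewer needs to triage the finding that blocked the pipeline.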
