Facebook Pixel

Introducing Jacked

Jacked is an open-source vulnerability scanning tool designed to help you identify and mitigate security risks in your Container Images and File Systems.

Key Features

With Jacked, you can fortify your software applications against security threats, streamline your vulnerability management process, and deliver software that is secure, compliant, and reliable.
  • Comprehensive Vulnerability Scanning
  • Tailored Configuration
  • Diggity Integration
  • Flexible Output Formats
Screenshot of Command Prompt screen running Jacked

Vulnerability Data Sources

Jacked leverages multiple trusted data sources for comprehensive vulnerability detection and management
National Vulnerability Database (NVD) Logo
National Vulnerability Database
The NVD provides a rich source of vulnerability data, including CVEs (Common Vulnerabilities and Exposures), which Jacked uses to identify and assess vulnerabilities.
GitHub Logo
GitHub Advisories
Jacked monitors GitHub's advisory feed to stay up-to-date with security advisories related to open-source projects hosted on GitHub, enhancing its ability to detect vulnerabilities in widely used libraries and repositories.
Alpine Linux Logo
Alpine Security Advisories
Jacked is equipped to access and utilize Alpine Linux's security advisories. This integration ensures that Alpine Linux-based containers are thoroughly scanned for security issues.
Debian Logo
Debian Security Advisories
Jacked taps into Debian's security advisories, enabling it to detect vulnerabilities in packages commonly found in Debian-based systems.

Utilize Jacked in combination with Jenkins, Azure and GitHub plugins.

Ensure code quality for faster software delivery and enhance productivity and streamline development processes.
  • Image, Tar, and Directory Scanning
  • Severity Fail Criteria
  • Ignore CVEs and Package Names
  • Skip Build Fail and Database Update
Tiles View of Jenkins, Azure and Github

Supported Installation OS

Jacked currently supports the following operating systems:
With Windows OS' amd64 achitecture, you can seamlessly run our newest open-source tool program to protect your images against any possible threat.
Scan image vulnerability on any Mac operating system because Jacked supports arm64 and amd64 architecture.
Jacked can easily detect security issues in your images. The open-source tool can run in the amd64, arm64, ppc64le, and s390x architecture of the Linux operating system.

Installation Guide

You can improve your code security by installing Jacked, the newest open-source analysis scanning tool in the market!


$ git clone https://github.com/carbonetes/jacked 
$ go install


A great way to install a working binary tool on your terminal.
curl -sSfL https://raw.githubusercontent.com/carbonetes/jacked/main/install.sh | sh -s -- -d /usr/local/bin
You can specify a release version and destination directory for the installation:
curl -sSfL https://raw.githubusercontent.com/carbonetes/jacked/main/install.sh | sh -s -- -d  -v   


brew tap carbonetes/jacked 
brew install jacked


scoop bucket add jacked https://github.com/carbonetes/jacked-bucket 
scoop install jacked

Useful Commands and Flags

jacked [command] [flag] 
SubCommand Description
config Display the current configurations
db Display the database information
version Display Build Version Information of Jacked

Available Commands and their flags with description:

jacked [flag] 
Root Flags Description
--sbom string Input sbom file from diggity to scan (Only read from json file)
-d --dir string Read directly from a path on disk (any directory) (e.g. 'jacked path/to/dir)'
-t --tar string Read a tarball from a path on disk for archives created from docker save (e.g. 'jacked path/to/image.tar)'
--disable-file-listing Disables file listing from package metadata (default false)
--enabled-parsers stringArray Specify enabled parsers ([apk debian java npm composer python gem rpm dart nuget go]) (default all)
-l --licenses Enable scanning for package licenses
-o --output string Show scan results in "table", "json", "cyclonedx-json", "cyclonedx-xml", "spdx-json", "spdx-xml", "spdx-tag-value" format (default "table")
--registry-uri string Registry uri endpoint (default "index.docker.io/")
--registry-token string Access token for private registry access
--registry-username string Username credential for private registry access
--registry-password string Password credential for private registry access
--secret-exclude-filenames stringArray Exclude secret searching for each specified filenames
--secret-max-file-size in Maximum file size that the secret will search -- each file (default 10485760)
-v --version Print application version
--ignore-package-names Specify package names to be whitelisted on the result
--ignore-vuln-cves Specify CVEs to be whitelisted on the result
jacked config [flag] 
Config Flags Description
-d --display Display the content of the configuration file
-h --help Help for configuration
-p --path Display the path of the configuration file
-r --reset Restore default configuration file
jacked db [flag] 
Database Flags Description
-i --info Print database metadata information
-v --version Print database current version
jacked version [flag] [string] 
Version Flags Description
-f --format Print application version format (json, text) (default "text")

Get started with Jacked