Jacked is an open-source vulnerability scanning tool designed to help you identify and mitigate security risks in your Container Images and File Systems.

Jacked works seamlessly with Diggity, our powerful tool for generating Software Bill of Materials (SBOM). Together, they provide a comprehensive solution for securing your software development process.
Jacked is a comprehensive vulnerability scanning solution that supports a wide range of technologies and provides extensive features:
Jacked provides comprehensive vulnerability scanning for a wide range of package ecosystems. It includes specialized scanning strategies for the most common ecosystems, while also supporting generic scanning for other package types:
Ecosystems with Specialized Scanning Strategies:
Additional Support:
With Jacked, you can fortify your software applications against security threats, streamline your vulnerability management process, and deliver software that is secure, compliant, and reliable.
Run the following command to download and install Jacked using Curl:
curl -sSfL https://raw.githubusercontent.com/carbonetes/jacked/main/install.sh | sh -s -- -d /usr/local/bin
Note: Use root access with sudo sh -s -- -d /usr/local/bin if you encounter a Permission Denied issue, as the /usr/local/bin directory requires the necessary permissions to write to the target directory.
First, tap to the jacked repository by running the following command:
brew tap carbonetes/jacked
Then, install Jacked using Homebrew:
brew install jacked
To check if Jacked is installed properly, try running the following command:
jacked --version
First, add the jacked-bucket by running:
scoop bucket add diggity https://github.com/carbonetes/jacked-bucket
Then, install Jacked using Scoop:
scoop install jacked
Verify that Jacked is installed correctly by running:
jacked --version
First Run Setup: When you first run Jacked, it will automatically create a comprehensive configuration file at ~/.jacked.yaml with detailed documentation and all available settings. You can customize this configuration file to match your specific needs.
Jacked offers a user-friendly command-line interface, ensuring that it is accessible to both security experts and developers.
To scan a Docker image, use the following command:
jacked <image-name:tag>
Replace with the name of the Docker image you want to scan.
To analyze a code repository, use the following command:
jacked --dir <repository-path>
To scan a tarball, use the following command:
jacked --tar <tarball-path>
Jacked uses CycloneDX internally as the Software Bill of Materials (SBOM) format for processing and analyzing components. This enables Jacked to provide comprehensive vulnerability analysis with rich component metadata and dependency relationships.
While CycloneDX is used internally for analysis, the scan results can be exported in multiple standard formats including JSON, SPDX, and table formats for integration with your existing toolchain.
Jacked provides flexible options for formatting and presenting scan results, making it easy to tailor the output to your specific needs.
jacked <target> -o <output-format>
You can choose from the following output formats:
table: The default output format, providing a concise columnar summary of the scan results. This format is ideal for a quick overview of vulnerabilities.json: Get detailed scan results in JSON format, enabling easy integration with other tools and systems for further analysis and automation.spdx-json: Software Package Data Exchange format in JSON.spdx-xml: Software Package Data Exchange format in XML.spdx-tag: Software Package Data Exchange format in tag-value format.snapshot-json: Snapshot format in JSON for detailed vulnerability data.Choose the output format that best suits your integration requirements and reporting preferences. Jacked's versatile output options ensure that you can effectively communicate and act on your scan results in a way that aligns with your workflow.
Jacked provides a powerful feature that allows you to set a severity threshold for vulnerabilities, helping you control the actions triggered based on the severity level of identified vulnerabilities. With this feature, you can tailor your security policies to align with your organization's risk tolerance and operational requirements.
In CI mode --ci, Jacked can be configured to evaluate the severity of vulnerabilities detected in your images or code repositories. By adding --fail-criteria option on scan arguments, you can specify the severity threshold that your organization deems acceptable, such as "low," "medium," or "high."
By defining a severity threshold, you can specify which vulnerabilities should trigger specific actions or policies. For example, you might want to:
Generate Alerts: Configure alerts or notifications to be sent to relevant team members when vulnerabilities exceed the specified severity threshold. Stay informed and act swiftly when critical issues arise.
Customize Actions: Define custom actions or policies based on severity levels. For instance, you can automatically open a ticket in your issue tracking system for "high" severity vulnerabilities.
Here's an example of how to use this feature. To trigger a CI pipeline failure if any vulnerabilities are found in the image with a severity of "low" or higher, use the following command:
jacked <image> --ci --fail-criteria medium
Sample Evaluation

jacked [command] [flag]
| SubCommand | Description |
|---|---|
config |
Display the current configurations |
db |
Display the database information |
version |
Display Build Version Information of Jacked |
jacked [flag]
| Root Flags | Description |
|---|---|
-d, --dir string |
Read directly from a path on disk (any directory) (e.g. 'jacked -d path/to/directory)' |
-t, --tar string |
Read a tarball from a path on disk for archives created from docker save (e.g. 'jacked -t path/to/image.tar)' |
-o, --output string |
Show scan results in specified format (default "table") |
-q, --quiet |
Suppress all output except for errors |
-f, --file string |
Save scan result to a file |
-c, --config string |
Path to configuration file (default: $HOME/.jacked.yaml) |
--performance string |
Set performance optimization level (basic, balanced, aggressive, maximum) (default "balanced") |
--ci |
Enable CI mode [experimental] |
--fail-criteria string |
Set severity threshold for CI failure (e.g. low, medium, high, critical) |
--force-db-update |
Enables immediate implementation of database updates |
--debug |
Enable debug mode |
-v, --version |
Print application version |
jacked config [flag]
| Config Flags | Descriptions |
|---|---|
display |
Display the content of the configuration file |
generate [path] |
Generate a default configuration file with documentation |
path |
Display the path of the configuration file |
reset |
Restore the default configuration file with full documentation |
-h,--help |
Help for configuration commands |
Configuration Management Examples:
```bash
jacked config display
jacked config reset
jacked config generate
jacked config generate /path/to/my-config.yaml
$ claude mcp add jacked \
-- python -m otcore.mcp_server <graph>