Parikshak — Fast Docker image vulnerability scanner. Finds CVEs, secrets, and misconfigurations.
Project description
Parikshak
Fast Docker image vulnerability scanner. Finds CVEs, secrets, and misconfigurations.
pip install parikshak
parikshak scan nginx:latest
What It Does
$ parikshak scan python:3.12-slim
parikshak v1.0.0 — scanning python:3.12-slim
Extracting image... done (1200ms)
Detecting packages... 88 packages (45ms)
Matching advisories... 12 vulnerabilities (700ms)
Scanning secrets... 0 secrets (180ms)
Checking misconfigs... 3 issues (25ms)
┌─────────────────────────────────────────────────────────────┐
│ RESULTS: python:3.12-slim │
├────────┬────────┬────────┬────────┬────────┬───────────────┤
│ CRIT │ HIGH │ MED │ LOW │ TOTAL │ Secrets/Misc │
│ 0 │ 6 │ 8 │ 74 │ 88 │ 0 / 3 │
└────────┴────────┴────────┴────────┴────────┴───────────────┘
Features
- Fast — Rust-powered package detection, parallel scanning
- Accurate — Uses distro-specific advisories (Debian Tracker, Alpine SecDB), not raw NVD
- More than CVEs — Also finds hardcoded secrets and misconfigurations
- No daemon needed — Works without Docker daemon (pulls via registry API)
- Offline mode — Download DB once, scan without internet
- CI/CD ready — Exit code 1 on critical/high findings, JSON/SARIF output
- CISA KEV — Flags actively exploited vulnerabilities
Install
pip install parikshak
Usage
# Scan an image
parikshak scan nginx:latest
parikshak scan python:3.12-slim --severity HIGH,CRITICAL
# Output formats
parikshak scan nginx:latest --format json
parikshak scan nginx:latest --format sarif
parikshak scan nginx:latest --format csv
# CI/CD mode (exit 1 if critical/high found)
parikshak scan nginx:latest --exit-code 1 --severity CRITICAL,HIGH
# Offline mode
parikshak db update
parikshak scan nginx:latest --offline
# SBOM generation
parikshak sbom nginx:latest --format cyclonedx
parikshak sbom nginx:latest --format spdx
GitHub Actions
- name: Scan container image
run: |
pip install parikshak
parikshak scan myapp:${{ github.sha }} --exit-code 1 --severity CRITICAL,HIGH
Advisory Database
Powered by vuln-intel-db — aggregates advisories from Debian, Alpine, GHSA, CISA KEV, EPSS. Updated every 6 hours.
License
Apache 2.0
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
parikshak-1.0.2.tar.gz
(14.0 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
parikshak-1.0.2-py3-none-any.whl
(14.4 kB
view details)
File details
Details for the file parikshak-1.0.2.tar.gz.
File metadata
- Download URL: parikshak-1.0.2.tar.gz
- Upload date:
- Size: 14.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
316f991af76ef97cdd77df6493bf56902f4b9e80a1cd4c3a326506f8c0b2382f
|
|
| MD5 |
ba92603553fea088a5b7922443bb0cd2
|
|
| BLAKE2b-256 |
86116f417d73a31997434245511f69556df6047e17fb2b477e2e42344ee46201
|
File details
Details for the file parikshak-1.0.2-py3-none-any.whl.
File metadata
- Download URL: parikshak-1.0.2-py3-none-any.whl
- Upload date:
- Size: 14.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
06209ca439cbf4d053eb79dc9a0dbd16ae4782d2f305df38bceceaa37987146f
|
|
| MD5 |
2a59f497094e01c6f57ba223a8c108d4
|
|
| BLAKE2b-256 |
cdc8bfdff7b10a43d91a4e7768326a66e396420d6d50ebd31ba324be4d3f1e42
|