Parikshak — Fast Docker image vulnerability scanner. Finds CVEs, secrets, and misconfigurations.
Project description
Parikshak
Fast Docker image vulnerability scanner. Finds CVEs, secrets, and misconfigurations.
pip install parikshak
parikshak scan nginx:latest
What It Does
$ parikshak scan python:3.12-slim
parikshak v1.0.0 — scanning python:3.12-slim
Extracting image... done (1200ms)
Detecting packages... 88 packages (45ms)
Matching advisories... 12 vulnerabilities (700ms)
Scanning secrets... 0 secrets (180ms)
Checking misconfigs... 3 issues (25ms)
┌─────────────────────────────────────────────────────────────┐
│ RESULTS: python:3.12-slim │
├────────┬────────┬────────┬────────┬────────┬───────────────┤
│ CRIT │ HIGH │ MED │ LOW │ TOTAL │ Secrets/Misc │
│ 0 │ 6 │ 8 │ 74 │ 88 │ 0 / 3 │
└────────┴────────┴────────┴────────┴────────┴───────────────┘
Features
- Fast — Rust-powered package detection, parallel scanning
- Accurate — Uses distro-specific advisories (Debian Tracker, Alpine SecDB), not raw NVD
- More than CVEs — Also finds hardcoded secrets and misconfigurations
- No daemon needed — Works without Docker daemon (pulls via registry API)
- Offline mode — Download DB once, scan without internet
- CI/CD ready — Exit code 1 on critical/high findings, JSON/SARIF output
- CISA KEV — Flags actively exploited vulnerabilities
Install
pip install parikshak
Usage
# Scan an image
parikshak scan nginx:latest
parikshak scan python:3.12-slim --severity HIGH,CRITICAL
# Output formats
parikshak scan nginx:latest --format json
parikshak scan nginx:latest --format sarif
parikshak scan nginx:latest --format csv
# CI/CD mode (exit 1 if critical/high found)
parikshak scan nginx:latest --exit-code 1 --severity CRITICAL,HIGH
# Offline mode
parikshak db update
parikshak scan nginx:latest --offline
# SBOM generation
parikshak sbom nginx:latest --format cyclonedx
parikshak sbom nginx:latest --format spdx
GitHub Actions
- name: Scan container image
run: |
pip install parikshak
parikshak scan myapp:${{ github.sha }} --exit-code 1 --severity CRITICAL,HIGH
Advisory Database
Powered by vuln-intel-db — aggregates advisories from Debian, Alpine, GHSA, CISA KEV, EPSS. Updated every 6 hours.
License
Apache 2.0
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
parikshak-1.0.3.tar.gz
(14.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
parikshak-1.0.3-py3-none-any.whl
(14.7 kB
view details)
File details
Details for the file parikshak-1.0.3.tar.gz.
File metadata
- Download URL: parikshak-1.0.3.tar.gz
- Upload date:
- Size: 14.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
883de517cd1f22a8054edde3715da4bb29f4844e0432b584c693b026f79d49c5
|
|
| MD5 |
3ac08cda168016aa89cda14f02ce3b77
|
|
| BLAKE2b-256 |
c07abc051bccc5a832e25948f7aa526f92169407325a68e319939d1a84d8ca0c
|
File details
Details for the file parikshak-1.0.3-py3-none-any.whl.
File metadata
- Download URL: parikshak-1.0.3-py3-none-any.whl
- Upload date:
- Size: 14.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6467588ec8f09fad8752522ee3a670351704e0eb6bfdac459d683b5075d01e2b
|
|
| MD5 |
e394b2d6b1dd8db989e05169179eddcd
|
|
| BLAKE2b-256 |
77c212fb85e83af06833534c6661a40325d539b897e2b9e18af52b2548a1d47c
|