Skip to content

Usage

checksec is invoked as checksec <command> [args] [flags]. Each command selects what to scan; the global flags control how results are rendered.

Commands

Command Scans Example
file <file> A single ELF binary checksec file /usr/bin/ls
dir <directory> Every ELF in a directory (add -r to recurse) checksec dir /usr/bin -r
proc <pid> The executable backing a running process checksec proc 1
procAll Every running process you can read checksec procAll
procLibs <pid> The shared libraries mapped into a process checksec procLibs 1
listfile <path\|-> A newline-delimited list of paths (- = stdin) checksec listfile targets.txt
kernel The running kernel's hardening configuration checksec kernel
fortifyFile <file> FORTIFY_SOURCE breakdown for one binary checksec fortifyFile /usr/bin/ls
fortifyProc <pid> FORTIFY_SOURCE breakdown for a process checksec fortifyProc 1

Global flags

These persistent flags apply to every command:

Flag Default Description
-o, --output <format> table Output format: table, json, yaml, xml, csv.
-l, --libc <path> (auto) Path to libc, used by the FORTIFY check for offline / embedded filesystems. See Advanced.
--color <mode> auto Color output: auto, always, never.
--no-banner off Suppress the ASCII banner.
--no-headers off Suppress the column header row.
--no-warnings off Suppress non-fatal warnings (e.g. unreadable files during a scan).
--fail-if <keys> (none) Exit non-zero if any listed check is not green. See CI gating.

Output formats

The same scan rendered in each format (columns trimmed for space):

$ checksec file ./myapp
RELRO       Stack Canary  CFI      NX          PIE          ...  Name
Full RELRO  Canary Found  Unknown  NX enabled  PIE Enabled  ...  ./myapp
$ checksec file ./myapp -o csv
RELRO,Stack Canary,CFI,NX,PIE,...,Name
Full RELRO,Canary Found,Unknown,NX enabled,PIE Enabled,...,./myapp
$ checksec file ./myapp -o json
[
  {
    "name": "./myapp",
    "checks": {
      "relro":  { "value": "Full RELRO",  "status": "green" },
      "canary": { "value": "Canary Found", "status": "green" },
      "cfi":    { "value": "Unknown",      "status": "yellow" }
    }
  }
]
$ checksec file ./myapp -o xml
<checksec>
  <file name="./myapp">
    <checks>
      <relro status="green">Full RELRO</relro>
      <canary status="green">Canary Found</canary>
      <cfi status="yellow">Unknown</cfi>
    </checks>
  </file>
</checksec>
$ checksec file ./myapp -o yaml
- name: ./myapp
  checks:
    relro:
      value: Full RELRO
      status: green
    cfi:
      value: Unknown
      status: yellow

Machine-readable output carries the color too

json, yaml, and xml emit a list of files, and every check reports both a value (the text) and a status (green, yellow, red, unset, italic). See Understanding output for what each status means.

CI gating

--fail-if turns checksec into a build/CI gate. Pass a comma-separated list of check keys; checksec exits non-zero if any of them is not green:

# Fail the pipeline unless the binary has RELRO, a stack canary, and PIE
checksec file ./myapp --fail-if=relro,canary,pie

The keys are the JSON/YAML keys from the report (relro, canary, cfi, nx, pie, rpath, runpath, fortify_source, …). See each check reference page for the key of a given check.