Automic VaultAutomic Vault

brew

Install cfripper with Homebrew, Nix

Library and CLI tool to analyse CloudFormation templates for security issues. Version 1.21.0 via Homebrew; verified 2026-07-01.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install cfripper

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#cfripper

nixpkgs package indexes · pkgs/by-name/cf/cfripper/package.nix · source: api.github.com

overview

Package summary

Library and CLI tool to analyse CloudFormation templates for security issues

Commands and aliases

  • cfripper

history

Project history and usage

CFRipper is a Skyscanner library and CLI for analyzing AWS CloudFormation templates for security and compliance issues. The official README describes it as a way to prevent deploying insecure AWS resources and to add custom compliance plugins.

Project history

The official GitHub repository was created in July 2018. Its documentation presents CFRipper as both a library and command-line analyzer, with examples for scanning CloudFormation YAML or JSON templates, resolving references, emitting text or JSON output, and loading custom rule configuration.

The project sits in the CloudFormation security-analysis niche rather than the general linting niche: its examples focus on wildcard principals, overprivileged IAM roles, monitored issues, and compliance rule customization.

Adoption history

Official documentation is published on Read the Docs, the README advertises PyPI and Homebrew badges, and the package metadata in this batch shows Homebrew and Nix packaging.

CFRipper's adoption is tied to security review workflows for CloudFormation templates: it is useful before deployment, in CI, or as a library embedded in custom cloud-governance checks.

How it is used

The README documents running `cfripper` against one or more CloudFormation templates, choosing `txt` or `json` output, using `--resolve`, writing results with `--output-folder`, and passing custom rules config or rules filter folders.

The official docs show rules config files as command inputs rather than a fixed application config location, so `config-file-location` remains null. No official credential file location is documented for the CLI.

Why package nerds care

CFRipper is notable because it packages cloud-security review into an ordinary CLI: a repository can add it to pre-deploy checks without first building an internal CloudFormation parser and IAM rule engine.

It also shows the common packaging path for Python security tools: library plus CLI, PyPI first, then Homebrew or Nix for operators who want a standalone command.

Timeline

  • 2018: The Skyscanner/cfripper repository is created on GitHub.
  • 2018: The project documents CloudFormation security analysis and custom compliance plugins.
  • 2026: The repository and Read the Docs site remain the official documentation surfaces.

Related projects

  • AWS CloudFormation templates are the artifacts CFRipper analyzes.
  • IAM policy and principal rules are central to the README examples.
  • cfn-lint is an adjacent CloudFormation validation tool, while CFRipper focuses on security and compliance rules.

security posture

Risk level: orange

infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • infrastructure mutation or orchestration signal

Signals

  • text:cloud

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 3 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
cfrippercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.21.0
manager updated2026-07-01
local dataok
upstreamnot checked
latest detectednot detected

https://cfripper.readthedocs.io

install metadata

Package metadata

Package keybrew:cfripper
Version1.21.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/cfripper
Homepagehttps://cfripper.readthedocs.io
Repositoryhttps://github.com/Skyscanner/cfripper
Upstream docshttps://cfripper.readthedocs.io/
LicenseApache-2.0
Source archivehttps://files.pythonhosted.org/packages/0c/6b/ae7ef7f1984222dd5a93cf53cdda8f802cf9c3e0855f671dcb15b3a2a89a/cfripper-1.21.0.tar.gz
Last updated2026-07-01T15:27:38Z
Pulseupdated
Dependencieslibyaml, pydantic, python@3.14
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecfripper
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

cfripper

nix profile install nixpkgs#cfripper
  • normalized package name match
  • Matched by: Cfripper
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/cf/cfripper/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment