macOS
brew install cfripperlocal Homebrew formula metadata
brew
Library and CLI tool to analyse CloudFormation templates for security issues. Version 1.21.0 via Homebrew; verified 2026-07-01.
install
brew install cfripperlocal Homebrew formula metadata
nix profile install nixpkgs#cfrippernixpkgs package indexes · pkgs/by-name/cf/cfripper/package.nix · source: api.github.com
overview
Library and CLI tool to analyse CloudFormation templates for security issues
history
CFRipper is a Skyscanner library and CLI for analyzing AWS CloudFormation templates for security and compliance issues. The official README describes it as a way to prevent deploying insecure AWS resources and to add custom compliance plugins.
The official GitHub repository was created in July 2018. Its documentation presents CFRipper as both a library and command-line analyzer, with examples for scanning CloudFormation YAML or JSON templates, resolving references, emitting text or JSON output, and loading custom rule configuration.
The project sits in the CloudFormation security-analysis niche rather than the general linting niche: its examples focus on wildcard principals, overprivileged IAM roles, monitored issues, and compliance rule customization.
Official documentation is published on Read the Docs, the README advertises PyPI and Homebrew badges, and the package metadata in this batch shows Homebrew and Nix packaging.
CFRipper's adoption is tied to security review workflows for CloudFormation templates: it is useful before deployment, in CI, or as a library embedded in custom cloud-governance checks.
The README documents running `cfripper` against one or more CloudFormation templates, choosing `txt` or `json` output, using `--resolve`, writing results with `--output-folder`, and passing custom rules config or rules filter folders.
The official docs show rules config files as command inputs rather than a fixed application config location, so `config-file-location` remains null. No official credential file location is documented for the CLI.
CFRipper is notable because it packages cloud-security review into an ordinary CLI: a repository can add it to pre-deploy checks without first building an internal CloudFormation parser and IAM rule engine.
It also shows the common packaging path for Python security tools: library plus CLI, PyPI first, then Homebrew or Nix for operators who want a standalone command.
security posture
infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
cfripper | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://cfripper.readthedocs.io
install metadata
| Package key | brew:cfripper |
|---|---|
| Version | 1.21.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/cfripper |
| Homepage | https://cfripper.readthedocs.io |
| Repository | https://github.com/Skyscanner/cfripper |
| Upstream docs | https://cfripper.readthedocs.io/ |
| License | Apache-2.0 |
| Source archive | https://files.pythonhosted.org/packages/0c/6b/ae7ef7f1984222dd5a93cf53cdda8f802cf9c3e0855f671dcb15b3a2a89a/cfripper-1.21.0.tar.gz |
| Last updated | 2026-07-01T15:27:38Z |
| Pulse | updated |
| Dependencies | libyaml, pydantic, python@3.14 |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | cfripper |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
cfripper
nix profile install nixpkgs#cfrippersource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.