# Install cfripper with Homebrew, Nix

Library and CLI tool to analyse CloudFormation templates for security issues. Version 1.21.0 via Homebrew; verified 2026-07-01.

## Install

```sh
sudo av install brew:cfripper
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install cfripper
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#cfripper
```

  Evidence: nixpkgs package indexes: pkgs/by-name/cf/cfripper/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:cfripper
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/cfripper>
- **Version:** 1.21.0
- **Source summary:** Library and CLI tool to analyse CloudFormation templates for security issues
- **Homepage:** <https://cfripper.readthedocs.io>
- **Repository:** <https://github.com/Skyscanner/cfripper>
- **Upstream docs:** <https://cfripper.readthedocs.io/>
- **License:** Apache-2.0
- **Source archive:** <https://files.pythonhosted.org/packages/0c/6b/ae7ef7f1984222dd5a93cf53cdda8f802cf9c3e0855f671dcb15b3a2a89a/cfripper-1.21.0.tar.gz>
- **Last updated:** 2026-07-01T15:27:38Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- cfripper (cli)
- cfripper (alias)

## Dependencies

- libyaml
- pydantic
- python@3.14

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.21.0
- Package-manager updated: 2026-07-01
- Local data: ok
- Upstream repository: https://cfripper.readthedocs.io
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

CFRipper is a Skyscanner library and CLI for analyzing AWS CloudFormation templates for security and compliance issues. The official README describes it as a way to prevent deploying insecure AWS resources and to add custom compliance plugins.

### Project history

The official GitHub repository was created in July 2018. Its documentation presents CFRipper as both a library and command-line analyzer, with examples for scanning CloudFormation YAML or JSON templates, resolving references, emitting text or JSON output, and loading custom rule configuration.

The project sits in the CloudFormation security-analysis niche rather than the general linting niche: its examples focus on wildcard principals, overprivileged IAM roles, monitored issues, and compliance rule customization.

### Adoption history

Official documentation is published on Read the Docs, the README advertises PyPI and Homebrew badges, and the package metadata in this batch shows Homebrew and Nix packaging.

CFRipper's adoption is tied to security review workflows for CloudFormation templates: it is useful before deployment, in CI, or as a library embedded in custom cloud-governance checks.

### How it is used

The README documents running `cfripper` against one or more CloudFormation templates, choosing `txt` or `json` output, using `--resolve`, writing results with `--output-folder`, and passing custom rules config or rules filter folders.

The official docs show rules config files as command inputs rather than a fixed application config location, so `config-file-location` remains null. No official credential file location is documented for the CLI.

### Why package nerds care

CFRipper is notable because it packages cloud-security review into an ordinary CLI: a repository can add it to pre-deploy checks without first building an internal CloudFormation parser and IAM rule engine.

It also shows the common packaging path for Python security tools: library plus CLI, PyPI first, then Homebrew or Nix for operators who want a standalone command.

### Timeline

- 2018: The Skyscanner/cfripper repository is created on GitHub.
- 2018: The project documents CloudFormation security analysis and custom compliance plugins.
- 2026: The repository and Read the Docs site remain the official documentation surfaces.

### Related projects

- AWS CloudFormation templates are the artifacts CFRipper analyzes.
- IAM policy and principal rules are central to the README examples.
- cfn-lint is an adjacent CloudFormation validation tool, while CFRipper focuses on security and compliance rules.

### Sources

- <https://api.github.com/repos/Skyscanner/cfripper>
- <https://github.com/Skyscanner/cfripper>
- <https://cfripper.readthedocs.io>
- <https://cfripper.readthedocs.io/>
- <https://formulae.brew.sh/api/formula/cfripper.json>


## Security Notes

infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- infrastructure mutation or orchestration signal

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** cfripper
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Nix - cfripper: normalized package name match | nixpkgs package indexes: pkgs/by-name/cf/cfripper/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [parliament](https://www.automicvault.com/pkg/brew/parliament/) - Shares av.db curated category or tags: aws, cli, cloud-security, security.
- [terraform-iam-policy-validator](https://www.automicvault.com/pkg/brew/terraform-iam-policy-validator/) - Shares av.db curated category or tags: aws, cli, cloud-security, security.
- [trailscraper](https://www.automicvault.com/pkg/brew/trailscraper/) - Shares av.db curated category or tags: aws, cli, cloud-security, security.
- [cliam](https://www.automicvault.com/pkg/brew/cliam/) - Shares av.db curated category or tags: aws, cli, cloud-security, security.
- [cloudfox](https://www.automicvault.com/pkg/brew/cloudfox/) - Shares av.db curated category or tags: aws, cli, cloud-security, security.
- [cloudsplaining](https://www.automicvault.com/pkg/brew/cloudsplaining/) - Shares av.db curated category or tags: aws, cli, cloud-security, security.
- [lacework-cli](https://www.automicvault.com/pkg/brew/lacework-cli/) - Shares av.db curated category or tags: cli, cloud-security, security.
- [legitify](https://www.automicvault.com/pkg/brew/legitify/) - Shares av.db curated category or tags: cli, cloud-security, security.
- [checkov](https://www.automicvault.com/pkg/brew/checkov/) - Both packages touch the same language runtime or ecosystem. Shared terms: analysis, cli, cloud, libyaml, pydantic.

## Combined YAML source

View the package source record on GitHub. [combined/cfripper.yml](https://github.com/automic-vault/db/blob/main/combined/cfripper.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
