# Install dependency-check with Homebrew, scoop

OWASP dependency-check. Version 12.2.2 via Homebrew; verified 2026-06-23.

## Install

```sh
sudo av install brew:dependency-check
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install dependency-check
```

  Evidence: local Homebrew formula metadata

### Windows

- Scoop (92%):

```sh
scoop install main/dependency-check
```

  Evidence: Scoop official bucket manifest trees: bucket/dependency-check.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:dependency-check
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/dependency-check>
- **Version:** 12.2.2
- **Source summary:** OWASP dependency-check
- **Homepage:** <https://owasp.org/www-project-dependency-check/>
- **Repository:** <https://github.com/dependency-check/DependencyCheck>
- **Upstream docs:** <https://github.com/dependency-check/DependencyCheck#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/dependency-check/DependencyCheck/releases/download/v12.2.2/dependency-check-12.2.2-release.zip>
- **Last updated:** 2026-06-23T11:38:03-04:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- dependency-check (cli)
- dependency-check (alias)

## Dependencies

- openjdk

## Install behavior

- Post-install hook: not defined
- Bottle: available on all

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 12.2.2
- Package-manager updated: 2026-06-23
- Local data: ok
- Upstream repository: https://github.com/dependency-check/DependencyCheck
- info: No cached GitHub release or tag data was available.
## Project history and usage

OWASP Dependency-Check is a long-running software composition analysis tool that detects publicly disclosed vulnerabilities in project dependencies. It maps dependencies to CPE identifiers and reports related CVE entries, putting vulnerability intelligence into command-line, build-tool, and CI workflows.

### Project history

The official GitHub repository dates to 2012, and the OWASP project page describes Dependency-Check as an SCA tool suite for identifying dependencies and checking them against known public vulnerabilities. The project grew from a Java command-line scanner into a family of integrations for Maven, Gradle, Ant, Jenkins, and other build environments.

The README and generated CLI documentation show a project that has adapted to changes in vulnerability data distribution. Modern releases use the NVD API, recommend an NVD API key for acceptable update speed, and document analyzer behavior for ecosystems such as .NET, Go, npm, pnpm, yarn, Ruby, Maven, and Gradle.

### Adoption history

Dependency-Check became a standard OWASP-branded option for teams that wanted vulnerability scanning without adopting a commercial SCA platform. Its availability as a standalone CLI, Maven plugin, Gradle plugin, Ant task, Jenkins plugin, GitHub releases, and Homebrew formula helped it travel through Java shops, CI servers, and security baselines.

### How it is used

The common command-line shape is `dependency-check --project <name> --scan <path> --out <dir>`, producing reports that list dependencies, matching CPEs, and CVEs. Build integrations usually wire the same engine into verification phases or CI jobs, while larger installations may use a shared data directory or centralized database to avoid repeatedly downloading vulnerability data.

### Why package nerds care

Package nerds care about Dependency-Check because it sits at the messy join between language package metadata and vulnerability databases. Its CPE matching, analyzer requirements, NVD API migration, local data cache, and plugin ecosystem are all examples of the hard operational details behind a simple phrase like dependency vulnerability scan.

### Timeline

- 2012: Official DependencyCheck repository created.
- 2012: OWASP Dependency-Check copyright period begins in generated project documentation.
- 2024: Version 9.0.0 and later moved from NVD data feeds to the NVD API.
- 2026: CLI documentation published for version 12.2.2.

### Related projects

- Related official surfaces include dependency-check-core, dependency-check-cli, dependency-check-maven, dependency-check-gradle, dependency-check-ant, and the Jenkins plugin.

### Sources

- <https://owasp.org/www-project-dependency-check/>
- <https://github.com/dependency-check/DependencyCheck#readme>
- <https://dependency-check.github.io/DependencyCheck/dependency-check-cli/>
- <https://api.github.com/repos/dependency-check/DependencyCheck>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** dependency-check
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Scoop - main/dependency-check: normalized package name match | Scoop official bucket manifest trees: bucket/dependency-check.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Package ecosystem packages](https://www.automicvault.com/pkg/package-ecosystem-tools/) - Matched package manager, installer, dependency, registry, or publishing metadata.
- [openjdk](https://www.automicvault.com/pkg/brew/openjdk/) - Runtime dependency declared by Homebrew.
- [cargo-deny](https://www.automicvault.com/pkg/brew/cargo-deny/) - Shares av.db curated category or tags: cli, security, software-composition-analysis.
- [cargo-audit](https://www.automicvault.com/pkg/brew/cargo-audit/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [cargo-cyclonedx](https://www.automicvault.com/pkg/brew/cargo-cyclonedx/) - Shares av.db curated category or tags: cli, security, software-composition-analysis.
- [clair](https://www.automicvault.com/pkg/brew/clair/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [flawfinder](https://www.automicvault.com/pkg/brew/flawfinder/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [gotestwaf](https://www.automicvault.com/pkg/brew/gotestwaf/) - Shares av.db curated category or tags: cli, owasp, security.
- [govulncheck](https://www.automicvault.com/pkg/brew/govulncheck/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [kics](https://www.automicvault.com/pkg/brew/kics/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [noir](https://www.automicvault.com/pkg/brew/noir/) - Security-sensitive metadata or terminology overlaps. Shared terms: analysis, cli, security.
- [vet](https://www.automicvault.com/pkg/brew/vet/) - Security-sensitive metadata or terminology overlaps. Shared terms: analysis, cli, composition, dependencies, dependency.

## Combined YAML source

View the package source record on GitHub. [combined/dependency-check.yml](https://github.com/automic-vault/db/blob/main/combined/dependency-check.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
