macOS
brew install flawfinderlocal Homebrew formula metadata
sudo port install flawfinderMacPorts ports tree · devel/flawfinder/Portfile · source: api.github.com
brew
Examines code and reports possible security weaknesses. Version 2.0.20 via Homebrew; verified 2026-05-18.
install
brew install flawfinderlocal Homebrew formula metadata
sudo port install flawfinderMacPorts ports tree · devel/flawfinder/Portfile · source: api.github.com
sudo apk add flawfinderAlpine Linux edge package indexes · flawfinder · source: dl-cdn.alpinelinux.org
sudo apt install flawfinderDebian stable package indexes · flawfinder · source: deb.debian.org
sudo dnf install flawfinderFedora Rawhide package metadata · flawfinder · source: dl.fedoraproject.org
nix profile install nixpkgs#flawfindernixpkgs package indexes · pkgs/by-name/fl/flawfinder/package.nix · source: api.github.com
sudo pacman -S flawfinderArch Linux sync databases · flawfinder · source: geo.mirror.pkgbuild.com
sudo zypper install flawfinderopenSUSE Tumbleweed package metadata · flawfinder · source: download.opensuse.org
overview
Examines code and reports possible security weaknesses
history
flawfinder is David A. Wheeler's command-line static analysis tool for C and C++ security review. It scans source text for calls and constructs associated with possible weaknesses, ranks findings by risk, and remains a lightweight package-manager staple because it is easy to install, fast to run, and useful before deeper review.
Wheeler developed flawfinder as an open source source-code scanner for security weaknesses. The official site explains that it was created to encourage use of static analysis tools and that no one tool is sufficient; flawfinder is meant to be one simple advisor among several.
The project has long been hosted through SourceForge for source, releases, mailing lists, and issue tracking, while later documentation also references GitHub issues, pull requests, a GitHub Action, SARIF output, SonarQube integration, and modern Python packaging. The ChangeLog records the 2.0 series move to semantic versioning in 2017, Python 2.7/3 compatibility, direct pip installation through setuptools, SARIF support in 2021, and security hardening in 2.0.20 in 2026.
The official homepage says prepackaged versions are available for many Unix-like systems, explicitly naming Fedora, Debian, Ubuntu, Cygwin, FreeBSD Ports, OpenBSD ports, NetBSD pkgsrc, and Fink. The supplied package-manager metadata also records packaging in Homebrew, MacPorts, Nix, pacman, zypper, apk, Debian, Ubuntu, and Fedora ecosystems.
flawfinder also earned official CWE compatibility and a CII Best Practices passing badge, which helped make it recognizable in security tooling catalogs and CI pipelines.
The basic use case is intentionally small: install with pip or a system package manager, then run `flawfinder` over a file or directory. Findings are assigned risk levels, and output formats include text, HTML, CSV, SARIF, and SonarQube-compatible output.
The tool's design trades deep semantic analysis for speed and availability. Its README notes that it can analyze programs that cannot be built or linked, while also warning that it can produce false positives and miss issues because it lacks full control-flow, data-flow, type, namespace, and scope information.
flawfinder is a classic small security package: a single-purpose scanner with no heavyweight service dependency, available through many OS package managers, pip, and CI integrations. It is especially relevant to package history because it bridges early-2000s free-software security scanning, distribution packaging, CWE-era rule classification, and modern SARIF-based code scanning.
security posture
No matching local secret-handling manifest was found for flawfinder. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
flawfinder | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://dwheeler.com/flawfinder/
install metadata
| Package key | brew:flawfinder |
|---|---|
| Version | 2.0.20 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/flawfinder |
| Homepage | https://dwheeler.com/flawfinder/ |
| Repository | https://sourceforge.net/p/flawfinder/code |
| Upstream docs | https://dwheeler.com/flawfinder |
| License | GPL-2.0-or-later |
| Source archive | https://dwheeler.com/flawfinder/flawfinder-2.0.20.tar.gz |
| Last updated | 2026-05-18T00:00:27Z |
| Pulse | updated |
| Dependencies | python@3.14 |
| Bottle | available (on all) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | flawfinder |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
flawfinder 2.0.19-1.1
examines source code and looks for security weaknesses
https://dwheeler.com/flawfinder/
sudo apt install flawfinderflawfinder
nix profile install nixpkgs#flawfinderflawfinder 2.0.19-1.1
examines source code and looks for security weaknesses
https://dwheeler.com/flawfinder/
sudo apt install flawfinderflawfinder 2.0.19-r5
Examines C/C++ source code for security flaws
https://dwheeler.com/flawfinder/
sudo apk add flawfinderflawfinder-doc 2.0.19-r5
Examines C/C++ source code for security flaws (documentation)
https://dwheeler.com/flawfinder/
sudo apk add flawfinder-docflawfinder-pyc 2.0.19-r5
Precompiled Python bytecode for flawfinder
https://dwheeler.com/flawfinder/
sudo apk add flawfinder-pycflawfinder 2.0.11-16.fc44
Examines C/C++ source code for security flaws
http://www.dwheeler.com/flawfinder/
sudo dnf install flawfinderflawfinder 2.0.20-1
Searches through source code for potential security flaws
https://dwheeler.com/flawfinder/
sudo pacman -S flawfinderflawfinder 2.0.20-1.1
C/C++ source code security flaw examination tool
https://www.dwheeler.com/flawfinder/
sudo zypper install flawfinderflawfinder
sudo port install flawfindersource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.