Automic VaultAutomic Vault

brew

Install flawfinder with Homebrew, apk, apt, dnf, MacPorts, Nix, pacman, zypper

Examines code and reports possible security weaknesses. Version 2.0.20 via Homebrew; verified 2026-05-18.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install flawfinder

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install flawfinder

MacPorts ports tree · devel/flawfinder/Portfile · source: api.github.com

Linux

Alpine Linux apkverified · 92%
sudo apk add flawfinder

Alpine Linux edge package indexes · flawfinder · source: dl-cdn.alpinelinux.org

Debian aptverified · 92%
sudo apt install flawfinder

Debian stable package indexes · flawfinder · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install flawfinder

Fedora Rawhide package metadata · flawfinder · source: dl.fedoraproject.org

Nixverified · 92%
nix profile install nixpkgs#flawfinder

nixpkgs package indexes · pkgs/by-name/fl/flawfinder/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S flawfinder

Arch Linux sync databases · flawfinder · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install flawfinder

openSUSE Tumbleweed package metadata · flawfinder · source: download.opensuse.org

overview

Package summary

Examines code and reports possible security weaknesses

Commands and aliases

  • flawfinder

history

Project history and usage

flawfinder is David A. Wheeler's command-line static analysis tool for C and C++ security review. It scans source text for calls and constructs associated with possible weaknesses, ranks findings by risk, and remains a lightweight package-manager staple because it is easy to install, fast to run, and useful before deeper review.

Project history

Wheeler developed flawfinder as an open source source-code scanner for security weaknesses. The official site explains that it was created to encourage use of static analysis tools and that no one tool is sufficient; flawfinder is meant to be one simple advisor among several.

The project has long been hosted through SourceForge for source, releases, mailing lists, and issue tracking, while later documentation also references GitHub issues, pull requests, a GitHub Action, SARIF output, SonarQube integration, and modern Python packaging. The ChangeLog records the 2.0 series move to semantic versioning in 2017, Python 2.7/3 compatibility, direct pip installation through setuptools, SARIF support in 2021, and security hardening in 2.0.20 in 2026.

Adoption history

The official homepage says prepackaged versions are available for many Unix-like systems, explicitly naming Fedora, Debian, Ubuntu, Cygwin, FreeBSD Ports, OpenBSD ports, NetBSD pkgsrc, and Fink. The supplied package-manager metadata also records packaging in Homebrew, MacPorts, Nix, pacman, zypper, apk, Debian, Ubuntu, and Fedora ecosystems.

flawfinder also earned official CWE compatibility and a CII Best Practices passing badge, which helped make it recognizable in security tooling catalogs and CI pipelines.

How it is used

The basic use case is intentionally small: install with pip or a system package manager, then run `flawfinder` over a file or directory. Findings are assigned risk levels, and output formats include text, HTML, CSV, SARIF, and SonarQube-compatible output.

The tool's design trades deep semantic analysis for speed and availability. Its README notes that it can analyze programs that cannot be built or linked, while also warning that it can produce false positives and miss issues because it lacks full control-flow, data-flow, type, namespace, and scope information.

Why package nerds care

flawfinder is a classic small security package: a single-purpose scanner with no heavyweight service dependency, available through many OS package managers, pip, and CI integrations. It is especially relevant to package history because it bridges early-2000s free-software security scanning, distribution packaging, CWE-era rule classification, and modern SARIF-based code scanning.

Timeline

  • 2001: flawfinder and RATS are released simultaneously on May 21.
  • 2002: SANS review coverage appears among the official site's collected reviews.
  • 2004: Debian Security Audit Project testimonial records use of flawfinder.
  • 2017: 2.0.0 changes versioning to semantic versioning.
  • 2017: 2.0.2 adds Python 2.7 and Python 3 support.
  • 2017: 2.0.4 switches to setuptools and direct pip install support.
  • 2021: 2.0.16 adds SARIF output.
  • 2026: 2.0.20 ships security hardening, Sonar output, encoding handling improvements, and CI workflow updates.

Related projects

  • RATS is the historically closest related project; the official site says the two scanners were developed independently and released simultaneously.
  • ITS4, Warnbuf, Stumoch, CWE, SARIF, SonarQube, and GitHub code scanning are related security-analysis or reporting contexts discussed by the official documentation.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for flawfinder. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 1 platform targets.
  • Installs with 1 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
flawfindercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.0.20
manager updated2026-05-18
local dataok
upstreamnot checked
latest detectednot detected

https://dwheeler.com/flawfinder/

install metadata

Package metadata

Package keybrew:flawfinder
Version2.0.20
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/flawfinder
Homepagehttps://dwheeler.com/flawfinder/
Repositoryhttps://sourceforge.net/p/flawfinder/code
Upstream docshttps://dwheeler.com/flawfinder
LicenseGPL-2.0-or-later
Source archivehttps://dwheeler.com/flawfinder/flawfinder-2.0.20.tar.gz
Last updated2026-05-18T00:00:27Z
Pulseupdated
Dependenciespython@3.14
Bottleavailable (on all)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameflawfinder
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

flawfinder 2.0.19-1.1

examines source code and looks for security weaknesses

https://dwheeler.com/flawfinder/

sudo apt install flawfinder
  • Section: utils
  • Architecture: all
  • 1 dependencies
  • normalized package name match
  • Matched by: Flawfinder
Debian stable package indexes · deb.debian.org · Debian stable package indexes: flawfinder from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

flawfinder

nix profile install nixpkgs#flawfinder
  • normalized package name match
  • Matched by: Flawfinder
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/fl/flawfinder/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Ubuntu apt95%

flawfinder 2.0.19-1.1

examines source code and looks for security weaknesses

https://dwheeler.com/flawfinder/

sudo apt install flawfinder
  • Section: universe/utils
  • Architecture: all
  • 1 dependencies
  • normalized package name match
  • Matched by: Flawfinder
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: flawfinder from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
apk95%

flawfinder 2.0.19-r5

Examines C/C++ source code for security flaws

https://dwheeler.com/flawfinder/

sudo apk add flawfinder
  • License: GPL-2.0
  • Architecture: x86_64
  • Source Package: flawfinder
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Flawfinder
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: flawfinder from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

flawfinder-doc 2.0.19-r5

Examines C/C++ source code for security flaws (documentation)

https://dwheeler.com/flawfinder/

sudo apk add flawfinder-doc
  • License: GPL-2.0
  • Architecture: x86_64
  • Source Package: flawfinder
  • normalized package name match
  • Matched by: Flawfinder
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: flawfinder-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

flawfinder-pyc 2.0.19-r5

Precompiled Python bytecode for flawfinder

https://dwheeler.com/flawfinder/

sudo apk add flawfinder-pyc
  • License: GPL-2.0
  • Architecture: x86_64
  • Source Package: flawfinder
  • 1 dependencies
  • normalized package name match
  • Matched by: Flawfinder
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: flawfinder-pyc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
dnf95%

flawfinder 2.0.11-16.fc44

Examines C/C++ source code for security flaws

http://www.dwheeler.com/flawfinder/

sudo dnf install flawfinder
  • License: GPL-2.0-only
  • Category: Unspecified
  • Architecture: noarch
  • Source Package: flawfinder
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Flawfinder
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: flawfinder from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
pacman95%

flawfinder 2.0.20-1

Searches through source code for potential security flaws

https://dwheeler.com/flawfinder/

sudo pacman -S flawfinder
  • License: GPL-2.0-or-later
  • Architecture: any
  • 1 dependencies
  • normalized package name match
  • Matched by: Flawfinder
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: flawfinder from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

flawfinder 2.0.20-1.1

C/C++ source code security flaw examination tool

https://www.dwheeler.com/flawfinder/

sudo zypper install flawfinder
  • License: GPL-2.0-or-later
  • Category: Development/Tools/Other
  • Architecture: noarch
  • Source Package: flawfinder
  • 3 dependencies
  • 3 provides
  • normalized package name match
  • Matched by: Flawfinder
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: flawfinder from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

flawfinder

sudo port install flawfinder
  • normalized package name match
  • Matched by: Flawfinder
MacPorts ports tree · api.github.com · MacPorts ports tree: devel/flawfinder/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment