# Install flawfinder with Homebrew, apk, apt, dnf, MacPorts, Nix, pacman, zypper

Examines code and reports possible security weaknesses. Version 2.0.20 via Homebrew; verified 2026-05-18.

## Install

```sh
sudo av install brew:flawfinder
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install flawfinder
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install flawfinder
```

  Evidence: MacPorts ports tree: devel/flawfinder/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add flawfinder
```

  Evidence: Alpine Linux edge package indexes: flawfinder from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install flawfinder
```

  Evidence: Debian stable package indexes: flawfinder from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install flawfinder
```

  Evidence: Fedora Rawhide package metadata: flawfinder from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#flawfinder
```

  Evidence: nixpkgs package indexes: pkgs/by-name/fl/flawfinder/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S flawfinder
```

  Evidence: Arch Linux sync databases: flawfinder from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install flawfinder
```

  Evidence: openSUSE Tumbleweed package metadata: flawfinder from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:flawfinder
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/flawfinder>
- **Version:** 2.0.20
- **Source summary:** Examines code and reports possible security weaknesses
- **Homepage:** <https://dwheeler.com/flawfinder/>
- **Repository:** <https://sourceforge.net/p/flawfinder/code>
- **Upstream docs:** <https://dwheeler.com/flawfinder>
- **License:** GPL-2.0-or-later
- **Source archive:** <https://dwheeler.com/flawfinder/flawfinder-2.0.20.tar.gz>
- **Last updated:** 2026-05-18T00:00:27Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- flawfinder (cli)
- flawfinder (alias)

## Dependencies

- python@3.14

## Install behavior

- Post-install hook: not defined
- Bottle: available on all

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.0.20
- Package-manager updated: 2026-05-18
- Local data: ok
- Upstream repository: https://dwheeler.com/flawfinder/
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

flawfinder is David A. Wheeler's command-line static analysis tool for C and C++ security review. It scans source text for calls and constructs associated with possible weaknesses, ranks findings by risk, and remains a lightweight package-manager staple because it is easy to install, fast to run, and useful before deeper review.

### Project history

Wheeler developed flawfinder as an open source source-code scanner for security weaknesses. The official site explains that it was created to encourage use of static analysis tools and that no one tool is sufficient; flawfinder is meant to be one simple advisor among several.

The project has long been hosted through SourceForge for source, releases, mailing lists, and issue tracking, while later documentation also references GitHub issues, pull requests, a GitHub Action, SARIF output, SonarQube integration, and modern Python packaging. The ChangeLog records the 2.0 series move to semantic versioning in 2017, Python 2.7/3 compatibility, direct pip installation through setuptools, SARIF support in 2021, and security hardening in 2.0.20 in 2026.

### Adoption history

The official homepage says prepackaged versions are available for many Unix-like systems, explicitly naming Fedora, Debian, Ubuntu, Cygwin, FreeBSD Ports, OpenBSD ports, NetBSD pkgsrc, and Fink. The supplied package-manager metadata also records packaging in Homebrew, MacPorts, Nix, pacman, zypper, apk, Debian, Ubuntu, and Fedora ecosystems.

flawfinder also earned official CWE compatibility and a CII Best Practices passing badge, which helped make it recognizable in security tooling catalogs and CI pipelines.

### How it is used

The basic use case is intentionally small: install with pip or a system package manager, then run `flawfinder` over a file or directory. Findings are assigned risk levels, and output formats include text, HTML, CSV, SARIF, and SonarQube-compatible output.

The tool's design trades deep semantic analysis for speed and availability. Its README notes that it can analyze programs that cannot be built or linked, while also warning that it can produce false positives and miss issues because it lacks full control-flow, data-flow, type, namespace, and scope information.

### Why package nerds care

flawfinder is a classic small security package: a single-purpose scanner with no heavyweight service dependency, available through many OS package managers, pip, and CI integrations. It is especially relevant to package history because it bridges early-2000s free-software security scanning, distribution packaging, CWE-era rule classification, and modern SARIF-based code scanning.

### Timeline

- 2001: flawfinder and RATS are released simultaneously on May 21.
- 2002: SANS review coverage appears among the official site's collected reviews.
- 2004: Debian Security Audit Project testimonial records use of flawfinder.
- 2017: 2.0.0 changes versioning to semantic versioning.
- 2017: 2.0.2 adds Python 2.7 and Python 3 support.
- 2017: 2.0.4 switches to setuptools and direct pip install support.
- 2021: 2.0.16 adds SARIF output.
- 2026: 2.0.20 ships security hardening, Sonar output, encoding handling improvements, and CI workflow updates.

### Related projects

- RATS is the historically closest related project; the official site says the two scanners were developed independently and released simultaneously.
- ITS4, Warnbuf, Stumoch, CWE, SARIF, SonarQube, and GitHub code scanning are related security-analysis or reporting contexts discussed by the official documentation.

### Sources

- <https://dwheeler.com/flawfinder>
- <https://dwheeler.com/flawfinder/flawfinder.pdf>
- <https://formulae.brew.sh/formula/flawfinder>
- <https://sourceforge.net/p/flawfinder/code>
- <https://sourceforge.net/p/flawfinder/code/ci/master/tree/ChangeLog?format=raw>
- <https://sourceforge.net/p/flawfinder/code/ci/master/tree/README.md?format=raw>


## Security Notes

No matching local secret-handling manifest was found for flawfinder. Nucleus package metadata is still published here so future coverage has a stable package URL.


## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** flawfinder
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - flawfinder - 2.0.19-1.1: normalized package name match | Debian stable package indexes: flawfinder from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | examines source code and looks for security weaknesses | https://dwheeler.com/flawfinder/
- Nix - flawfinder: normalized package name match | nixpkgs package indexes: pkgs/by-name/fl/flawfinder/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - flawfinder - 2.0.19-1.1: normalized package name match | Ubuntu 24.04 LTS package indexes: flawfinder from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | examines source code and looks for security weaknesses | https://dwheeler.com/flawfinder/
- apk - flawfinder - 2.0.19-r5: normalized package name match | Alpine Linux edge package indexes: flawfinder from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Examines C/C++ source code for security flaws | https://dwheeler.com/flawfinder/
- apk - flawfinder-doc - 2.0.19-r5: normalized package name match | Alpine Linux edge package indexes: flawfinder-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Examines C/C++ source code for security flaws (documentation) | https://dwheeler.com/flawfinder/
- apk - flawfinder-pyc - 2.0.19-r5: normalized package name match | Alpine Linux edge package indexes: flawfinder-pyc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Precompiled Python bytecode for flawfinder | https://dwheeler.com/flawfinder/
- dnf - flawfinder - 2.0.11-16.fc44: normalized package name match | Fedora Rawhide package metadata: flawfinder from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Examines C/C++ source code for security flaws | http://www.dwheeler.com/flawfinder/
- pacman - flawfinder - 2.0.20-1: normalized package name match | Arch Linux sync databases: flawfinder from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Searches through source code for potential security flaws | https://dwheeler.com/flawfinder/
- zypper - flawfinder - 2.0.20-1.1: normalized package name match | openSUSE Tumbleweed package metadata: flawfinder from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | C/C++ source code security flaw examination tool | https://www.dwheeler.com/flawfinder/
- MacPorts - flawfinder: normalized package name match | MacPorts ports tree: devel/flawfinder/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [bandit](https://www.automicvault.com/pkg/brew/bandit/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [caracal](https://www.automicvault.com/pkg/brew/caracal/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [cargo-geiger](https://www.automicvault.com/pkg/brew/cargo-geiger/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [gosec](https://www.automicvault.com/pkg/brew/gosec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [joern](https://www.automicvault.com/pkg/brew/joern/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [tfsec](https://www.automicvault.com/pkg/brew/tfsec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [ghalint](https://www.automicvault.com/pkg/brew/ghalint/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [noir](https://www.automicvault.com/pkg/brew/noir/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [checkov](https://www.automicvault.com/pkg/brew/checkov/) - Both packages touch the same language runtime or ecosystem. Shared terms: analysis, cli, code, python, python-3-14.
- [slither-analyzer](https://www.automicvault.com/pkg/brew/slither-analyzer/) - Both packages touch the same language runtime or ecosystem. Shared terms: analysis, cli, python, python-3-14, security.

## Combined YAML source

View the package source record on GitHub. [combined/flawfinder.yml](https://github.com/automic-vault/db/blob/main/combined/flawfinder.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
