# Install gotestwaf with Homebrew, Nix

Tool for API and OWASP attack simulation. Version 0.5.8 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:gotestwaf
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install gotestwaf
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#gotestwaf
```

  Evidence: nixpkgs package indexes: pkgs/by-name/go/gotestwaf/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:gotestwaf
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/gotestwaf>
- **Version:** 0.5.8
- **Source summary:** Tool for API and OWASP attack simulation
- **Homepage:** <https://lab.wallarm.com/test-your-waf-before-hackers/>
- **Repository:** <https://github.com/wallarm/gotestwaf>
- **Upstream docs:** <https://github.com/wallarm/gotestwaf#readme>
- **License:** MIT
- **Source archive:** <https://github.com/wallarm/gotestwaf/archive/refs/tags/v0.5.8.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- gotestwaf (cli)
- gotestwaf (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.5.8
- Local data: ok
- Upstream repository: https://github.com/wallarm/gotestwaf
- Upstream latest detected: v0.5.8 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

GoTestWAF is Wallarm's Go-based command-line tool for simulating API and OWASP-style attacks against web application firewalls, API gateways, IPS products, and related application-security controls.

### Project history

The repository was created in January 2020. The README describes a scanner that generates malicious requests by combining payloads, encoders, and request placeholders, then records how the evaluated security solution handled those requests.

### Adoption history

The project is packaged as a Docker image and a Homebrew formula, which matches its evaluation-tool use case: users can run it near the target application or security appliance without embedding it into application code.

### How it is used

Users point GoTestWAF at an evaluated URL and run built-in test sets such as OWASP Top 10 and OWASP API, or supply custom YAML test cases. Reports can be generated locally, and releases in 2024 and 2025 emphasize report-format and validation work.

### Why package nerds care

For package catalogs, GoTestWAF is a niche but useful security-testing CLI: it packages repeatable malicious-request generation as a portable Go binary and container, rather than as a SaaS-only scanner.

### Timeline

- 2020: Repository created.
- 2022: README badge identifies GoTestWAF with Black Hat Arsenal USA 2022.
- 2024: v0.4.19 and v0.5.x releases published through GitHub releases.
- 2025: v0.5.8 release fixed HTML report validation.

### Related projects

- OWASP test categories and API-security scenarios shape the bundled test cases.
- Wallarm publishes the project and Docker image for WAF and API-security evaluation workflows.

### Sources

- <https://formulae.brew.sh/formula/gotestwaf>
- <https://github.com/wallarm/gotestwaf>
- <https://github.com/wallarm/gotestwaf#readme>
- <https://github.com/wallarm/gotestwaf/releases>
- <https://github.com/wallarm/gotestwaf/tree/master/docs>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: config.yaml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** gotestwaf
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - gotestwaf: normalized package name match | nixpkgs package indexes: pkgs/by-name/go/gotestwaf/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [modsecurity](https://www.automicvault.com/pkg/brew/modsecurity/) - Shares av.db curated category or tags: cli, owasp, security, waf.
- [sqlmap](https://www.automicvault.com/pkg/brew/sqlmap/) - Shares av.db curated category or tags: application-security, cli, security, testing.
- [cycode](https://www.automicvault.com/pkg/brew/cycode/) - Shares av.db curated category or tags: application-security, cli, security.
- [dependency-check](https://www.automicvault.com/pkg/brew/dependency-check/) - Shares av.db curated category or tags: cli, owasp, security.
- [favirecon](https://www.automicvault.com/pkg/brew/favirecon/) - Shares av.db curated category or tags: cli, go, security.
- [garble](https://www.automicvault.com/pkg/brew/garble/) - Shares av.db curated category or tags: cli, go, security.
- [gau](https://www.automicvault.com/pkg/brew/gau/) - Shares av.db curated category or tags: cli, go, security.
- [gobuster](https://www.automicvault.com/pkg/brew/gobuster/) - Shares av.db curated category or tags: cli, go, security.
- [noir](https://www.automicvault.com/pkg/brew/noir/) - Security-sensitive metadata or terminology overlaps. Shared terms: api, api-security, attack, cli, security.

## Combined YAML source

View the package source record on GitHub. [combined/gotestwaf.yml](https://github.com/automic-vault/db/blob/main/combined/gotestwaf.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
