macOS
brew install noirlocal Homebrew formula metadata
brew
Attack surface detector that identifies endpoints by static analysis. Version 1.1.0 via Homebrew; verified 2026-06-15.
install
brew install noirlocal Homebrew formula metadata
overview
Attack surface detector that identifies endpoints by static analysis
history
OWASP Noir is a Crystal-based SAST tool that reads source code and extracts application endpoints: paths, methods, parameters, headers, cookies, and source-file locations. It is aimed at attack-surface inventory, shadow API discovery, and feeding DAST or AI-assisted review pipelines with a focused route list.
The Noir README gives a clear project timeline: it started as Hahwul's personal project in August 2023, moved to the `noir-cr` GitHub organization in November 2023, joined OWASP in June 2024, and released v1.0.0 in May 2026. The same README says OWASP membership included renaming the GitHub organization from `noir-cr` to `owasp-noir` and moving to co-leadership with `ksg97031`.
The project scope widened from a WhiteBox testing aid into an inventory consumed by human reviewers, AI auditors, and DAST tools. The README describes support for 50+ frameworks, LLM fallback for unsupported routing patterns, output formats including JSON, YAML, OpenAPI, SARIF, cURL, Postman, and HTML, and direct handoffs to ZAP, Burp Suite, and Caido.
By 2026-07-01, GitHub metadata reported 1345 stars and 140 forks for `owasp-noir/noir`. Homebrew's formula API reported stable version 1.1.0 and 755 installs over 365 days. Those are early-project numbers, but the OWASP project page and the 1.0.0 release milestone show the tool crossing from personal/security-community project into a packaged security tool.
Noir's adoption is tied to a practical gap in API security testing: crawlers and DAST tools miss routes hidden in server code, deprecated handlers, or framework-specific routing conventions. Noir extracts the code-side route inventory so scanners and reviewers start from a better endpoint map.
The minimal usage is `noir -b <source_dir>`. Security teams use the output to review attacker-reachable handlers, generate OpenAPI or SARIF artifacts, feed ZAP/Burp/Caido, and provide compact context to LLM-based SAST agents. CI usage is supported through a GitHub Action, SARIF output, and exit codes.
The package-nerd detail is that Noir is source-inventory glue. It is not a replacement for DAST or a general-purpose code scanner; it turns static framework knowledge into endpoint artifacts that downstream tools already understand.
Noir is still young enough that its history should stay close to maintainer-provided timelines. The useful enrichment is the OWASP transition, stable 1.x release, supported-output ecosystem, and the exact niche: static endpoint extraction for attack-surface mapping.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
noir | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/owasp-noir/noir
install metadata
| Package key | brew:noir |
|---|---|
| Version | 1.1.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/noir |
| Homepage | https://owasp.org/www-project-noir/ |
| Repository | https://github.com/owasp-noir/noir |
| Upstream docs | https://owasp-noir.github.io/noir |
| License | MIT |
| Source archive | https://github.com/owasp-noir/noir/archive/refs/tags/v1.1.0.tar.gz |
| Last updated | 2026-06-15T14:49:00Z |
| Pulse | updated |
| Dependencies | bdw-gc, libevent, libyaml, openssl@3, pcre2 |
| Build dependencies | crystal, pkgconf |
| Uses from macOS | libxml2 |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | noir |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.