# Install noir with Homebrew

Attack surface detector that identifies endpoints by static analysis. Version 1.1.0 via Homebrew; verified 2026-06-15.

## Install

```sh
sudo av install brew:noir
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install noir
```

  Evidence: local Homebrew formula metadata

## Package facts

- **Package key:** brew:noir
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/noir>
- **Version:** 1.1.0
- **Source summary:** Attack surface detector that identifies endpoints by static analysis
- **Homepage:** <https://owasp.org/www-project-noir/>
- **Repository:** <https://github.com/owasp-noir/noir>
- **Upstream docs:** <https://owasp-noir.github.io/noir>
- **License:** MIT
- **Source archive:** <https://github.com/owasp-noir/noir/archive/refs/tags/v1.1.0.tar.gz>
- **Last updated:** 2026-06-15T14:49:00Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- noir (cli)
- noir (alias)

## Dependencies

- bdw-gc
- libevent
- libyaml
- openssl@3
- pcre2

## Build dependencies

- crystal
- pkgconf

## Uses from macOS

- libxml2

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.1.0
- Package-manager updated: 2026-06-15
- Local data: ok
- Upstream repository: https://github.com/owasp-noir/noir
- Upstream latest detected: v1.1.0 (current)
## Project history and usage

OWASP Noir is a Crystal-based SAST tool that reads source code and extracts application endpoints: paths, methods, parameters, headers, cookies, and source-file locations. It is aimed at attack-surface inventory, shadow API discovery, and feeding DAST or AI-assisted review pipelines with a focused route list.

### Project history

The Noir README gives a clear project timeline: it started as Hahwul's personal project in August 2023, moved to the `noir-cr` GitHub organization in November 2023, joined OWASP in June 2024, and released v1.0.0 in May 2026. The same README says OWASP membership included renaming the GitHub organization from `noir-cr` to `owasp-noir` and moving to co-leadership with `ksg97031`.

The project scope widened from a WhiteBox testing aid into an inventory consumed by human reviewers, AI auditors, and DAST tools. The README describes support for 50+ frameworks, LLM fallback for unsupported routing patterns, output formats including JSON, YAML, OpenAPI, SARIF, cURL, Postman, and HTML, and direct handoffs to ZAP, Burp Suite, and Caido.

### Adoption history

By 2026-07-01, GitHub metadata reported 1345 stars and 140 forks for `owasp-noir/noir`. Homebrew's formula API reported stable version 1.1.0 and 755 installs over 365 days. Those are early-project numbers, but the OWASP project page and the 1.0.0 release milestone show the tool crossing from personal/security-community project into a packaged security tool.

Noir's adoption is tied to a practical gap in API security testing: crawlers and DAST tools miss routes hidden in server code, deprecated handlers, or framework-specific routing conventions. Noir extracts the code-side route inventory so scanners and reviewers start from a better endpoint map.

### How it is used

The minimal usage is `noir -b <source_dir>`. Security teams use the output to review attacker-reachable handlers, generate OpenAPI or SARIF artifacts, feed ZAP/Burp/Caido, and provide compact context to LLM-based SAST agents. CI usage is supported through a GitHub Action, SARIF output, and exit codes.

The package-nerd detail is that Noir is source-inventory glue. It is not a replacement for DAST or a general-purpose code scanner; it turns static framework knowledge into endpoint artifacts that downstream tools already understand.

### Why package nerds care

Noir is still young enough that its history should stay close to maintainer-provided timelines. The useful enrichment is the OWASP transition, stable 1.x release, supported-output ecosystem, and the exact niche: static endpoint extraction for attack-surface mapping.

### Timeline

- 2023-08: Noir started as Hahwul's personal project, according to the project README.
- 2023-11: The repository moved to the `noir-cr` GitHub organization.
- 2024-06: Noir joined OWASP and the organization was renamed to `owasp-noir`.
- 2026-05-24: GitHub releases list v1.0.0.
- 2026-06-15: GitHub releases list v1.1.0.
- 2026-07-01: Homebrew formula API reported stable version 1.1.0.

### Related projects

- OWASP ZAP
- Burp Suite
- Caido
- SARIF
- OpenAPI

### Sources

- <https://api.github.com/repos/owasp-noir/noir>
- <https://formulae.brew.sh/api/formula/noir.json>
- <https://github.com/owasp-noir/noir>
- <https://github.com/owasp-noir/noir/releases>
- <https://owasp-noir.github.io/noir/>
- <https://owasp.org/www-project-noir/>
- <https://raw.githubusercontent.com/owasp-noir/noir/main/README.md>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** noir
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [libevent](https://www.automicvault.com/pkg/brew/libevent/) - Runtime dependency declared by Homebrew.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [pcre2](https://www.automicvault.com/pkg/brew/pcre2/) - Runtime dependency declared by Homebrew.
- [crystal](https://www.automicvault.com/pkg/brew/crystal/) - Build dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [gosec](https://www.automicvault.com/pkg/brew/gosec/) - Shares av.db curated category or tags: cli, sast, security, static-analysis.
- [bandit](https://www.automicvault.com/pkg/brew/bandit/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [caracal](https://www.automicvault.com/pkg/brew/caracal/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [cargo-geiger](https://www.automicvault.com/pkg/brew/cargo-geiger/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [flawfinder](https://www.automicvault.com/pkg/brew/flawfinder/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [ghalint](https://www.automicvault.com/pkg/brew/ghalint/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [joern](https://www.automicvault.com/pkg/brew/joern/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [tfsec](https://www.automicvault.com/pkg/brew/tfsec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [amass](https://www.automicvault.com/pkg/brew/amass/) - Security-sensitive metadata or terminology overlaps. Shared terms: attack, cli, security, surface.

## Combined YAML source

View the package source record on GitHub. [combined/noir.yml](https://github.com/automic-vault/db/blob/main/combined/noir.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- cross-ecosystem install command graph
