macOS
brew install opensca-clilocal Homebrew formula metadata
brew
OpenSCA is a supply-chain security tool for security researchers and developers. Version 3.0.11 via Homebrew; verified 2026-05-15.
install
brew install opensca-clilocal Homebrew formula metadata
scoop install extras/opensca-cliScoop official bucket manifest trees · bucket/opensca-cli.json · source: api.github.com
winget install --id XmirrorSecurity.OpenSCA-cli -eWindows Package Manager source index · XmirrorSecurity.OpenSCA-cli · source: cdn.winget.microsoft.com
overview
OpenSCA is a supply-chain security tool for security researchers and developers
history
OpenSCA CLI is a Go-based software-composition-analysis command line tool from XmirrorSecurity. It scans project dependency manifests for third-party components, vulnerabilities, license issues, and SBOM-oriented inventory data, putting it in the practical DevSecOps family of tools alongside package scanners and bill-of-material generators.
The public GitHub repository was created on December 30, 2021. Its README describes the project as an open source way to govern open source risk, and the English README frames the CLI as a scanner for third-party dependencies, vulnerabilities, and licenses.
The 3.x series moved more configuration into config files and added SaaS synchronization support through project tokens, showing an evolution from a local scanner into a tool that can feed centralized asset and risk management workflows.
Developers run `opensca-cli` against a source tree with `-path`, optionally point it at a config file, and emit reports by suffix. Supported report outputs include JSON, XML, HTML, SQLite, CSV, SARIF, and SBOM formats such as SPDX, CycloneDX, SWID, and DSDX.
The scanner parses common package-manager files across Java, JavaScript, PHP, Ruby, Go, Rust, Erlang, and Python ecosystems. It can be installed from GitHub releases, an install script, Homebrew, source builds, or Docker, which makes it useful in local terminals and CI jobs.
For package metadata work, OpenSCA CLI is interesting because it treats manifests, package-manager lockfiles, vulnerability databases, and SBOM export formats as first-class inputs and outputs. It is a small but concrete example of the post-Log4Shell package-security tooling wave becoming installable as a normal CLI formula.
security posture
No matching local secret-handling manifest was found for opensca-cli. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
opensca-cli | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/XmirrorSecurity/OpenSCA-cli
install metadata
| Package key | brew:opensca-cli |
|---|---|
| Version | 3.0.11 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/opensca-cli |
| Homepage | https://opensca.xmirror.cn |
| Repository | https://github.com/XmirrorSecurity/OpenSCA-cli |
| Upstream docs | https://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/README.md |
| License | Apache-2.0 |
| Source archive | https://github.com/XmirrorSecurity/OpenSCA-cli/archive/refs/tags/v3.0.11.tar.gz |
| Last updated | 2026-05-15T13:18:50Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | opensca-cli |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
extras/opensca-cli
scoop install extras/opensca-cliXmirrorSecurity.OpenSCA-cli
winget install --id XmirrorSecurity.OpenSCA-cli -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.