Automic VaultAutomic Vault

brew

Install opensca-cli with Homebrew, scoop, winget

OpenSCA is a supply-chain security tool for security researchers and developers. Version 3.0.11 via Homebrew; verified 2026-05-15.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install opensca-cli

local Homebrew formula metadata

Windows

Scoopverified · 92%
scoop install extras/opensca-cli

Scoop official bucket manifest trees · bucket/opensca-cli.json · source: api.github.com

Windows Package Managerverified · 92%
winget install --id XmirrorSecurity.OpenSCA-cli -e

Windows Package Manager source index · XmirrorSecurity.OpenSCA-cli · source: cdn.winget.microsoft.com

overview

Package summary

OpenSCA is a supply-chain security tool for security researchers and developers

Commands and aliases

  • opensca-cli

history

Project history and usage

OpenSCA CLI is a Go-based software-composition-analysis command line tool from XmirrorSecurity. It scans project dependency manifests for third-party components, vulnerabilities, license issues, and SBOM-oriented inventory data, putting it in the practical DevSecOps family of tools alongside package scanners and bill-of-material generators.

Project history

The public GitHub repository was created on December 30, 2021. Its README describes the project as an open source way to govern open source risk, and the English README frames the CLI as a scanner for third-party dependencies, vulnerabilities, and licenses.

The 3.x series moved more configuration into config files and added SaaS synchronization support through project tokens, showing an evolution from a local scanner into a tool that can feed centralized asset and risk management workflows.

How it is used

Developers run `opensca-cli` against a source tree with `-path`, optionally point it at a config file, and emit reports by suffix. Supported report outputs include JSON, XML, HTML, SQLite, CSV, SARIF, and SBOM formats such as SPDX, CycloneDX, SWID, and DSDX.

The scanner parses common package-manager files across Java, JavaScript, PHP, Ruby, Go, Rust, Erlang, and Python ecosystems. It can be installed from GitHub releases, an install script, Homebrew, source builds, or Docker, which makes it useful in local terminals and CI jobs.

Why package nerds care

For package metadata work, OpenSCA CLI is interesting because it treats manifests, package-manager lockfiles, vulnerability databases, and SBOM export formats as first-class inputs and outputs. It is a small but concrete example of the post-Log4Shell package-security tooling wave becoming installable as a normal CLI formula.

Timeline

  • 2021-12-30: The GitHub repository for XmirrorSecurity/OpenSCA-cli was created.
  • 2025-2026: The v3.0.x release line added and refined report, ignore, cloud database, and SaaS synchronization behavior documented in the README and release metadata.

Related projects

  • OpenSCA CLI sits near SBOM and SCA tools that emit SPDX, CycloneDX, SWID, SARIF, and other interchange formats. The project also links to Docker Hub and editor integrations, indicating a tooling surface beyond the single `opensca-cli` executable.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for opensca-cli. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
opensca-clicliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version3.0.11
manager updated2026-05-15
local dataok
upstreamcurrent
latest detectedv3.0.11

https://github.com/XmirrorSecurity/OpenSCA-cli

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:opensca-cli
Version3.0.11
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/opensca-cli
Homepagehttps://opensca.xmirror.cn
Repositoryhttps://github.com/XmirrorSecurity/OpenSCA-cli
Upstream docshttps://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/README.md
LicenseApache-2.0
Source archivehttps://github.com/XmirrorSecurity/OpenSCA-cli/archive/refs/tags/v3.0.11.tar.gz
Last updated2026-05-15T13:18:50Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameopensca-cli
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Scoop95%

extras/opensca-cli

scoop install extras/opensca-cli
  • normalized package name match
  • Matched by: Opensca Cli
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/opensca-cli.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1
winget95%

XmirrorSecurity.OpenSCA-cli

winget install --id XmirrorSecurity.OpenSCA-cli -e
  • normalized package name match
  • Matched by: Opensca Cli
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: XmirrorSecurity.OpenSCA-cli from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment