# Install opensca-cli with Homebrew, scoop, winget

OpenSCA is a supply-chain security tool for security researchers and developers. Version 3.0.11 via Homebrew; verified 2026-05-15.

## Install

```sh
sudo av install brew:opensca-cli
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install opensca-cli
```

  Evidence: local Homebrew formula metadata

### Windows

- Scoop (92%):

```sh
scoop install extras/opensca-cli
```

  Evidence: Scoop official bucket manifest trees: bucket/opensca-cli.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id XmirrorSecurity.OpenSCA-cli -e
```

  Evidence: Windows Package Manager source index: XmirrorSecurity.OpenSCA-cli from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:opensca-cli
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/opensca-cli>
- **Version:** 3.0.11
- **Source summary:** OpenSCA is a supply-chain security tool for security researchers and developers
- **Homepage:** <https://opensca.xmirror.cn>
- **Repository:** <https://github.com/XmirrorSecurity/OpenSCA-cli>
- **Upstream docs:** <https://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/README.md>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/XmirrorSecurity/OpenSCA-cli/archive/refs/tags/v3.0.11.tar.gz>
- **Last updated:** 2026-05-15T13:18:50Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- opensca-cli (cli)
- opensca-cli (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 3.0.11
- Package-manager updated: 2026-05-15
- Local data: ok
- Upstream repository: https://github.com/XmirrorSecurity/OpenSCA-cli
- Upstream latest detected: v3.0.11 (current)
## Project history and usage

OpenSCA CLI is a Go-based software-composition-analysis command line tool from XmirrorSecurity. It scans project dependency manifests for third-party components, vulnerabilities, license issues, and SBOM-oriented inventory data, putting it in the practical DevSecOps family of tools alongside package scanners and bill-of-material generators.

### Project history

The public GitHub repository was created on December 30, 2021. Its README describes the project as an open source way to govern open source risk, and the English README frames the CLI as a scanner for third-party dependencies, vulnerabilities, and licenses.

The 3.x series moved more configuration into config files and added SaaS synchronization support through project tokens, showing an evolution from a local scanner into a tool that can feed centralized asset and risk management workflows.

### How it is used

Developers run `opensca-cli` against a source tree with `-path`, optionally point it at a config file, and emit reports by suffix. Supported report outputs include JSON, XML, HTML, SQLite, CSV, SARIF, and SBOM formats such as SPDX, CycloneDX, SWID, and DSDX.

The scanner parses common package-manager files across Java, JavaScript, PHP, Ruby, Go, Rust, Erlang, and Python ecosystems. It can be installed from GitHub releases, an install script, Homebrew, source builds, or Docker, which makes it useful in local terminals and CI jobs.

### Why package nerds care

For package metadata work, OpenSCA CLI is interesting because it treats manifests, package-manager lockfiles, vulnerability databases, and SBOM export formats as first-class inputs and outputs. It is a small but concrete example of the post-Log4Shell package-security tooling wave becoming installable as a normal CLI formula.

### Timeline

- 2021-12-30: The GitHub repository for XmirrorSecurity/OpenSCA-cli was created.
- 2025-2026: The v3.0.x release line added and refined report, ignore, cloud database, and SaaS synchronization behavior documented in the README and release metadata.

### Related projects

- OpenSCA CLI sits near SBOM and SCA tools that emit SPDX, CycloneDX, SWID, SARIF, and other interchange formats. The project also links to Docker Hub and editor integrations, indicating a tooling surface beyond the single `opensca-cli` executable.

### Sources

- <https://api.github.com/repos/XmirrorSecurity/OpenSCA-cli>
- <https://api.github.com/repos/XmirrorSecurity/OpenSCA-cli/releases?per_page=5>
- <https://formulae.brew.sh/api/formula/opensca-cli.json>
- <https://formulae.brew.sh/formula/opensca-cli>
- <https://github.com/XmirrorSecurity/OpenSCA-cli>
- <https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/.github/README.md>


## Security Notes

No matching local secret-handling manifest was found for opensca-cli. Nucleus package metadata is still published here so future coverage has a stable package URL.


## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** opensca-cli
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Scoop - extras/opensca-cli: normalized package name match | Scoop official bucket manifest trees: bucket/opensca-cli.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1
- winget - XmirrorSecurity.OpenSCA-cli: normalized package name match | Windows Package Manager source index: XmirrorSecurity.OpenSCA-cli from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [chain-bench](https://www.automicvault.com/pkg/brew/chain-bench/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [parlay](https://www.automicvault.com/pkg/brew/parlay/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [ratify](https://www.automicvault.com/pkg/brew/ratify/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [slsa-verifier](https://www.automicvault.com/pkg/brew/slsa-verifier/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [vet](https://www.automicvault.com/pkg/brew/vet/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [witness](https://www.automicvault.com/pkg/brew/witness/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [zizmor](https://www.automicvault.com/pkg/brew/zizmor/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [frizbee](https://www.automicvault.com/pkg/brew/frizbee/) - Shares av.db curated category or tags: cli, security, supply-chain.
- [pip-audit](https://www.automicvault.com/pkg/brew/pip-audit/) - Security-sensitive metadata or terminology overlaps. Shared terms: chain, cli, scanning, security, supply.

## Combined YAML source

View the package source record on GitHub. [combined/opensca-cli.yml](https://github.com/automic-vault/db/blob/main/combined/opensca-cli.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
