macOS
brew install ternlocal Homebrew formula metadata
brew
Software Bill of Materials (SBOM) tool. Version 2.12.1 via Homebrew; verified from local package data.
install
brew install ternlocal Homebrew formula metadata
overview
Software Bill of Materials (SBOM) tool
history
Tern is a Python-based software composition analysis tool for container images and Dockerfiles. It began as an open-source compliance and package-inspection tool for containers and evolved into an SBOM generator with support for multiple report formats, including SPDX and CycloneDX.
The repository was created in November 2017 and Tern's first GitHub release was published in July 2018. The FAQ states that Tern was created to help developers meet open-source compliance requirements for containers, where reused filesystem layers make knowing the bill of materials harder.
The README describes Tern's core model: inspect a container image layer by layer, identify distro/package-manager metadata, execute package-manager command-library scripts in a chroot-like environment, and generate reports of package metadata. It can also use a Dockerfile to connect file-system layers back to the lines that produced them.
By the 2.x series, Tern had become explicitly SBOM-focused. Release notes document support for distroless containers and per-layer SBOM output in v2.5.0, build-time inventory of mounted container filesystems in v2.6.1, and SPDX report updates for NTIA minimum SBOM elements and Package URL external references in v2.12.0.
Tern is distributed as a Python package and a CLI, with README instructions for Linux virtual environments, Docker-based execution, Kubernetes Jobs, Vagrant development environments, and a GitHub Action for scanning Docker container images. Its GitHub metadata and docs place it in the container compliance, supply-chain-security, SPDX, CycloneDX, and SBOM toolchain niche.
Typical usage is `tern report -i <image>` to generate a report for a container image, with output formats including human-readable, JSON, HTML, YAML, SPDX tag-value, SPDX JSON, and CycloneDX JSON. The README also documents Dockerfile analysis, locked Dockerfile generation, extensions such as Scancode and cve-bin-tool, and workflows for Docker and Kubernetes environments.
Tern matters to package and dependency specialists because it tries to reconstruct package inventories from container layers rather than only scanning files. That makes it a bridge between OS package-manager metadata, container build history, license/compliance reporting, and modern SBOM interchange formats.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
tern | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/tern-tools/tern
install metadata
| Package key | brew:tern |
|---|---|
| Version | 2.12.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/tern |
| Homepage | https://github.com/tern-tools/tern |
| Repository | https://github.com/tern-tools/tern |
| Upstream docs | https://github.com/tern-tools/tern#readme |
| License | BSD-2-Clause |
| Source archive | https://files.pythonhosted.org/packages/f8/4b/123b2ca469126b45e61853acf028fe1d466f4fe1d5e7afd1d4972c151b4d/tern-2.12.1.tar.gz |
| Dependencies | certifi, libyaml, python@3.14 |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
| Caveats | tern requires root privileges so you will need to run `sudo tern`. You should be certain that you trust any software you grant root privileges. |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | tern |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.