Automic VaultAutomic Vault

brew

Install tern with Homebrew

Software Bill of Materials (SBOM) tool. Version 2.12.1 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install tern

local Homebrew formula metadata

overview

Package summary

Software Bill of Materials (SBOM) tool

Commands and aliases

  • tern

history

Project history and usage

Tern is a Python-based software composition analysis tool for container images and Dockerfiles. It began as an open-source compliance and package-inspection tool for containers and evolved into an SBOM generator with support for multiple report formats, including SPDX and CycloneDX.

Project history

The repository was created in November 2017 and Tern's first GitHub release was published in July 2018. The FAQ states that Tern was created to help developers meet open-source compliance requirements for containers, where reused filesystem layers make knowing the bill of materials harder.

The README describes Tern's core model: inspect a container image layer by layer, identify distro/package-manager metadata, execute package-manager command-library scripts in a chroot-like environment, and generate reports of package metadata. It can also use a Dockerfile to connect file-system layers back to the lines that produced them.

By the 2.x series, Tern had become explicitly SBOM-focused. Release notes document support for distroless containers and per-layer SBOM output in v2.5.0, build-time inventory of mounted container filesystems in v2.6.1, and SPDX report updates for NTIA minimum SBOM elements and Package URL external references in v2.12.0.

Adoption history

Tern is distributed as a Python package and a CLI, with README instructions for Linux virtual environments, Docker-based execution, Kubernetes Jobs, Vagrant development environments, and a GitHub Action for scanning Docker container images. Its GitHub metadata and docs place it in the container compliance, supply-chain-security, SPDX, CycloneDX, and SBOM toolchain niche.

How it is used

Typical usage is `tern report -i <image>` to generate a report for a container image, with output formats including human-readable, JSON, HTML, YAML, SPDX tag-value, SPDX JSON, and CycloneDX JSON. The README also documents Dockerfile analysis, locked Dockerfile generation, extensions such as Scancode and cve-bin-tool, and workflows for Docker and Kubernetes environments.

Why package nerds care

Tern matters to package and dependency specialists because it tries to reconstruct package inventories from container layers rather than only scanning files. That makes it a bridge between OS package-manager metadata, container build history, license/compliance reporting, and modern SBOM interchange formats.

Timeline

  • 2017: GitHub repository created.
  • 2018: v0.1.0, named Tern's first release, published.
  • 2019: v1.0.0 released.
  • 2020: v2.0.0 released.
  • 2021: v2.5.0 added distroless-container support and per-layer SBOM output.
  • 2021: v2.6.1 added build-time SBOM inventory for mounted container filesystems.
  • 2023: v2.12.0 updated SPDX output for NTIA minimum SBOM elements and Package URL external references.

Related projects

  • The README documents integrations or extensions with Scancode and cve-bin-tool.
  • The README also points to a Tern GitHub Action maintained separately for scanning Docker container images.

Sources

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 3 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
terncliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.12.1
manager updated
local dataok
upstreamnot checked
latest detectednot detected

https://github.com/tern-tools/tern

  • infoNo package-manager update timestamp was available.low confidence
  • infoNo cached GitHub release or tag data was available.https://github.com/tern-tools/ternnone confidence

install metadata

Package metadata

Package keybrew:tern
Version2.12.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/tern
Homepagehttps://github.com/tern-tools/tern
Repositoryhttps://github.com/tern-tools/tern
Upstream docshttps://github.com/tern-tools/tern#readme
LicenseBSD-2-Clause
Source archivehttps://files.pythonhosted.org/packages/f8/4b/123b2ca469126b45e61853acf028fe1d466f4fe1d5e7afd1d4972c151b4d/tern-2.12.1.tar.gz
Dependenciescertifi, libyaml, python@3.14
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared
Caveatstern requires root privileges so you will need to run `sudo tern`. You should be certain that you trust any software you grant root privileges.

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nametern
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • package relationship graph
  • package version freshness
  • package-page enrichment