# Install tern with Homebrew

Software Bill of Materials (SBOM) tool. Version 2.12.1 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:tern
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install tern
```

  Evidence: local Homebrew formula metadata

## Package facts

- **Package key:** brew:tern
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/tern>
- **Version:** 2.12.1
- **Source summary:** Software Bill of Materials (SBOM) tool
- **Homepage:** <https://github.com/tern-tools/tern>
- **Repository:** <https://github.com/tern-tools/tern>
- **Upstream docs:** <https://github.com/tern-tools/tern#readme>
- **License:** BSD-2-Clause
- **Source archive:** <https://files.pythonhosted.org/packages/f8/4b/123b2ca469126b45e61853acf028fe1d466f4fe1d5e7afd1d4972c151b4d/tern-2.12.1.tar.gz>
- **Generated:** 2026-07-09T07:20:21+00:00

## Executables

- tern (cli)
- tern (alias)

## Dependencies

- certifi
- libyaml
- python@3.14

## Install behavior

- Post-install hook: not defined
- Caveats: tern requires root privileges so you will need to run `sudo tern`. You should be certain that you trust any software you grant root privileges.
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-09
- Package-manager version: 2.12.1
- Local data: ok
- Upstream repository: https://github.com/tern-tools/tern
- info: No package-manager update timestamp was available.
- info: No cached GitHub release or tag data was available.
## Project history and usage

Tern is a Python-based software composition analysis tool for container images and Dockerfiles. It began as an open-source compliance and package-inspection tool for containers and evolved into an SBOM generator with support for multiple report formats, including SPDX and CycloneDX.

### Project history

The repository was created in November 2017 and Tern's first GitHub release was published in July 2018. The FAQ states that Tern was created to help developers meet open-source compliance requirements for containers, where reused filesystem layers make knowing the bill of materials harder.

The README describes Tern's core model: inspect a container image layer by layer, identify distro/package-manager metadata, execute package-manager command-library scripts in a chroot-like environment, and generate reports of package metadata. It can also use a Dockerfile to connect file-system layers back to the lines that produced them.

By the 2.x series, Tern had become explicitly SBOM-focused. Release notes document support for distroless containers and per-layer SBOM output in v2.5.0, build-time inventory of mounted container filesystems in v2.6.1, and SPDX report updates for NTIA minimum SBOM elements and Package URL external references in v2.12.0.

### Adoption history

Tern is distributed as a Python package and a CLI, with README instructions for Linux virtual environments, Docker-based execution, Kubernetes Jobs, Vagrant development environments, and a GitHub Action for scanning Docker container images. Its GitHub metadata and docs place it in the container compliance, supply-chain-security, SPDX, CycloneDX, and SBOM toolchain niche.

### How it is used

Typical usage is `tern report -i <image>` to generate a report for a container image, with output formats including human-readable, JSON, HTML, YAML, SPDX tag-value, SPDX JSON, and CycloneDX JSON. The README also documents Dockerfile analysis, locked Dockerfile generation, extensions such as Scancode and cve-bin-tool, and workflows for Docker and Kubernetes environments.

### Why package nerds care

Tern matters to package and dependency specialists because it tries to reconstruct package inventories from container layers rather than only scanning files. That makes it a bridge between OS package-manager metadata, container build history, license/compliance reporting, and modern SBOM interchange formats.

### Timeline

- 2017: GitHub repository created.
- 2018: v0.1.0, named Tern's first release, published.
- 2019: v1.0.0 released.
- 2020: v2.0.0 released.
- 2021: v2.5.0 added distroless-container support and per-layer SBOM output.
- 2021: v2.6.1 added build-time SBOM inventory for mounted container filesystems.
- 2023: v2.12.0 updated SPDX output for NTIA minimum SBOM elements and Package URL external references.

### Related projects

- The README documents integrations or extensions with Scancode and cve-bin-tool.
- The README also points to a Tern GitHub Action maintained separately for scanning Docker container images.

### Sources

- <https://api.github.com/repos/tern-tools/tern>
- <https://api.github.com/repos/tern-tools/tern/releases?per_page=100>
- <https://github.com/tern-tools/tern>
- <https://raw.githubusercontent.com/tern-tools/tern/main/README.md>
- <https://raw.githubusercontent.com/tern-tools/tern/main/docs/faq.md>
- <https://raw.githubusercontent.com/tern-tools/tern/main/docs/releases/v2_12_0.md>
- <https://raw.githubusercontent.com/tern-tools/tern/main/docs/releases/v2_5_0.md>
- <https://raw.githubusercontent.com/tern-tools/tern/main/docs/releases/v2_6_1.md>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** tern
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [cyclonedx-python](https://www.automicvault.com/pkg/brew/cyclonedx-python/) - Shares av.db curated category or tags: cli, cyclonedx, python, sbom, security.
- [cyclonedx-gomod](https://www.automicvault.com/pkg/brew/cyclonedx-gomod/) - Shares av.db curated category or tags: cli, cyclonedx, sbom, security, software-supply-chain.
- [sbom-tool](https://www.automicvault.com/pkg/brew/sbom-tool/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [bom](https://www.automicvault.com/pkg/brew/bom/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain, spdx.
- [cargo-cyclonedx](https://www.automicvault.com/pkg/brew/cargo-cyclonedx/) - Shares av.db curated category or tags: cli, cyclonedx, sbom, security, software-composition-analysis.
- [cdxgen](https://www.automicvault.com/pkg/brew/cdxgen/) - Shares av.db curated category or tags: cli, cyclonedx, sbom, security, software-supply-chain.
- [syft](https://www.automicvault.com/pkg/brew/syft/) - Shares av.db curated category or tags: cli, containers, sbom, security, software-supply-chain.
- [chainloop-cli](https://www.automicvault.com/pkg/brew/chainloop-cli/) - Shares av.db curated category or tags: cli, sbom, security, software-supply-chain.
- [tern](https://www.automicvault.com/pkg/npm/tern/) - Same normalized package name appears in another local ecosystem. Shared terms: analysis, cli, tern.
- [tern](https://www.automicvault.com/pkg/npm/tern/) - Same normalized package name in another local ecosystem.

## Combined YAML source

View the package source record on GitHub. [combined/tern.yml](https://github.com/automic-vault/db/blob/main/combined/tern.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- cross-ecosystem install command graph
