Automic VaultAutomic Vault

brew

Install xeol with Homebrew, Nix

Xcanner for end-of-life software in container images, filesystems, and SBOMs. Version 0.10.8 via Homebrew; verified 2026-06-15.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install xeol

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#xeol

nixpkgs package indexes · pkgs/by-name/xe/xeol/package.nix · source: api.github.com

overview

Package summary

Xcanner for end-of-life software in container images, filesystems, and SBOMs

Commands and aliases

  • xeol

history

Project history and usage

Xeol is a Go CLI for finding end-of-life software in container images, filesystems, and SBOMs. Its niche is adjacent to vulnerability scanners: instead of asking only whether a package has a known CVE, it asks whether the software line is out of vendor support.

Project history

The xeol repository was created in December 2022, with v0.1.0 published at the end of that month. The README describes a scanner for EOL packages and documents inputs that include Docker and Podman images, OCI archives, Singularity images, directories, Syft/SPDX/CycloneDX SBOMs, registries, and attestations.

Adoption history

Xeol grew in the SBOM and container-security moment when teams already had image inventories and wanted policy checks beyond CVE matching. Its GitHub Action packages that workflow directly for CI, including an option to fail pipelines when EOL software is found.

How it is used

Typical use is `xeol <image>` for a container image, `xeol dir:path` for a filesystem, or `xeol sbom:file` for an existing SBOM. It maintains a local SQLite EOL database sourced from endoflife.date, package registries, vendor-package feeds, and browser data, with automatic update and offline-management commands.

Why package nerds care

Xeol matters to package nerds because it treats lifecycle metadata as a first-class scan target. It connects package identity, SBOM formats, vendor support windows, and CI policy into one small CLI rather than leaving EOL status as a spreadsheet or wiki chore.

Timeline

  • 2022-12-23: GitHub repository is created.
  • 2022-12-31: v0.1.0 is published.
  • 2023: GitHub issues and the Marketplace action show CI and automation use cases forming around the scanner.
  • 2025-03-05: v0.10.8 is published as the latest GitHub release visible from the repository page.

Related projects

  • endoflife.date is one of the aggregator sources for Xeol's EOL database.
  • Syft is a supported SBOM input source and format producer.
  • SPDX and CycloneDX are SBOM formats Xeol can read.
  • Grype is a related Anchore vulnerability scanner; Xeol covers the lifecycle-status dimension instead.

security posture

Risk level: orange

broad file, network, media, or database tool signal. infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • broad file, network, media, or database tool signal
  • infrastructure mutation or orchestration signal

Signals

  • text:container
  • text:image

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 8 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
xeolcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.10.8
manager updated2026-06-15
local dataok
upstreamcurrent
latest detectedv0.10.8

https://github.com/xeol-io/xeol

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:xeol
Version0.10.8
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/xeol
Homepagehttps://www.xeol.io/
Repositoryhttps://github.com/xeol-io/xeol
Upstream docshttps://github.com/xeol-io/xeol#readme
LicenseApache-2.0
Source archivehttps://github.com/xeol-io/xeol/archive/refs/tags/v0.10.8.tar.gz
Last updated2026-06-15T10:21:24-04:00
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namexeol
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

xeol

nix profile install nixpkgs#xeol
  • normalized package name match
  • Matched by: Xeol
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/xe/xeol/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment