# Install xeol with Homebrew, Nix

Xcanner for end-of-life software in container images, filesystems, and SBOMs. Version 0.10.8 via Homebrew; verified 2026-06-15.

## Install

```sh
sudo av install brew:xeol
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install xeol
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#xeol
```

  Evidence: nixpkgs package indexes: pkgs/by-name/xe/xeol/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:xeol
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/xeol>
- **Version:** 0.10.8
- **Source summary:** Xcanner for end-of-life software in container images, filesystems, and SBOMs
- **Homepage:** <https://www.xeol.io/>
- **Repository:** <https://github.com/xeol-io/xeol>
- **Upstream docs:** <https://github.com/xeol-io/xeol#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/xeol-io/xeol/archive/refs/tags/v0.10.8.tar.gz>
- **Last updated:** 2026-06-15T10:21:24-04:00
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- xeol (cli)
- xeol (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.10.8
- Package-manager updated: 2026-06-15
- Local data: ok
- Upstream repository: https://github.com/xeol-io/xeol
- Upstream latest detected: v0.10.8 (current)
## Project history and usage

Xeol is a Go CLI for finding end-of-life software in container images, filesystems, and SBOMs. Its niche is adjacent to vulnerability scanners: instead of asking only whether a package has a known CVE, it asks whether the software line is out of vendor support.

### Project history

The xeol repository was created in December 2022, with v0.1.0 published at the end of that month. The README describes a scanner for EOL packages and documents inputs that include Docker and Podman images, OCI archives, Singularity images, directories, Syft/SPDX/CycloneDX SBOMs, registries, and attestations.

### Adoption history

Xeol grew in the SBOM and container-security moment when teams already had image inventories and wanted policy checks beyond CVE matching. Its GitHub Action packages that workflow directly for CI, including an option to fail pipelines when EOL software is found.

### How it is used

Typical use is `xeol <image>` for a container image, `xeol dir:path` for a filesystem, or `xeol sbom:file` for an existing SBOM. It maintains a local SQLite EOL database sourced from endoflife.date, package registries, vendor-package feeds, and browser data, with automatic update and offline-management commands.

### Why package nerds care

Xeol matters to package nerds because it treats lifecycle metadata as a first-class scan target. It connects package identity, SBOM formats, vendor support windows, and CI policy into one small CLI rather than leaving EOL status as a spreadsheet or wiki chore.

### Timeline

- 2022-12-23: GitHub repository is created.
- 2022-12-31: v0.1.0 is published.
- 2023: GitHub issues and the Marketplace action show CI and automation use cases forming around the scanner.
- 2025-03-05: v0.10.8 is published as the latest GitHub release visible from the repository page.

### Related projects

- endoflife.date is one of the aggregator sources for Xeol's EOL database.
- Syft is a supported SBOM input source and format producer.
- SPDX and CycloneDX are SBOM formats Xeol can read.
- Grype is a related Anchore vulnerability scanner; Xeol covers the lifecycle-status dimension instead.

### Sources

- <https://api.github.com/repos/xeol-io/xeol>
- <https://api.github.com/repos/xeol-io/xeol/releases?per_page=100>
- <https://github.com/marketplace/actions/xeol-end-of-life-eol-scan>
- <https://github.com/xeol-io/xeol>
- <https://www.xeol.io/end-of-life>


## Security Notes

broad file, network, media, or database tool signal. infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- broad file, network, media, or database tool signal
- infrastructure mutation or orchestration signal

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** xeol
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Nix - xeol: normalized package name match | nixpkgs package indexes: pkgs/by-name/xe/xeol/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [bomber](https://www.automicvault.com/pkg/brew/bomber/) - Shares av.db curated category or tags: cli, sbom, security.
- [checkov](https://www.automicvault.com/pkg/brew/checkov/) - Shares av.db curated category or tags: cli, compliance, security.
- [copa](https://www.automicvault.com/pkg/brew/copa/) - Shares av.db curated category or tags: cli, security, vulnerability-management.
- [feluda](https://www.automicvault.com/pkg/brew/feluda/) - Shares av.db curated category or tags: cli, sbom, security.
- [intercept](https://www.automicvault.com/pkg/brew/intercept/) - Shares av.db curated category or tags: cli, compliance, security.
- [kics](https://www.automicvault.com/pkg/brew/kics/) - Shares av.db curated category or tags: cli, compliance, security.
- [kube-bench](https://www.automicvault.com/pkg/brew/kube-bench/) - Shares av.db curated category or tags: cli, compliance, security.
- [kubescape](https://www.automicvault.com/pkg/brew/kubescape/) - Shares av.db curated category or tags: cli, compliance, security.
- [grype](https://www.automicvault.com/pkg/brew/grype/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, container, filesystems, images, scanning.
- [snyk-cli](https://www.automicvault.com/pkg/brew/snyk-cli/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, container, container-scanning, scanning, security.

## Combined YAML source

View the package source record on GitHub. [combined/xeol.yml](https://github.com/automic-vault/db/blob/main/combined/xeol.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
