Packages. Config. System.
All audited.

CVEs in your packages. Misconfigurations in your system. BrewBox finds both.

Three databases. One scan.

BrewBox cross-references every package you've installed against OSV.dev, the National Vulnerability Database (NVD), and GitHub's Security Advisory database simultaneously.

Many developers are running vulnerable packages without knowing it. Most package managers don't warn you (npm audit is the notable exception, and it only covers npm packages), and your IDE doesn't either. BrewBox does.

Scans run in the background. Every CVE is ranked by CVSS score. Fix commands are pre-generated. Your job is just to review and approve.

26K+ CVEs disclosed in 2024
16 package managers scanned
5 system security checks

Four layers of protection

1. Full package inventory

BrewBox enumerates every installed package across all 16 managers — including exact versions. This is the foundation. No version = no CVE match.

brew list --versions · pip list · npm ls -g

2. Database cross-reference

Each package + version is checked against OSV.dev (open-source), NVD (NIST), and GitHub Advisory. Results are deduplicated and merged by CVE ID, since OSV.dev and GitHub often key the same advisory by a GHSA identifier and list the CVE as an alias.

OSV.dev · NVD · GitHub Advisory

3. CVSS scoring & triage

Every CVE is shown with its CVSS v3 base score and bucketed by the standard severity ranges: Critical (9.0 and above), High (7.0 to 8.9), Medium (4.0 to 6.9), Low (below 4.0). The most important issues are listed first. Not every entry carries a v3 score (older CVEs may have only a CVSS v2 score, and very recent ones may not be scored yet), so treat an unscored finding as unknown rather than harmless.

4. Fix command generation

BrewBox generates the exact upgrade command for each vulnerable package. One tap to copy. You stay in control — no automatic changes.

brew upgrade openssl · pip install --upgrade requests
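The four steps above, carried through end to end as an added example. This is not BrewBox code: the `brew list --versions` output and the advisory records are constructed for the example, the advisory IDs (CVE-0000-000N, GHSA-0000-0000-0001) are placeholders and not real advisories, and the flattened record shape (source, id, aliases, package, fixed, cvss) is an assumption, since the real OSV.dev, NVD and GitHub responses each use their own schema. It shows the inventory parse, the merge of one issue reported by three sources under GHSA and CVE identifiers, the severity buckets, and the generated fix command.

```python
"""Added example, not BrewBox code: steps 1 to 4 on constructed data, with
placeholder advisory IDs (CVE-0000-000N, GHSA-0000-...) that are not real advisories."""
import re

# Step 1: constructed output of `brew list --versions` (one "name version [version...]" line each).
BREW_LIST_OUTPUT = """\
openssl@3 3.1.4
curl 8.4.0
git 2.42.0
"""

# Steps 2 and 3: constructed records already flattened to one shape. The field names are an
# assumption for this example; the real OSV.dev, NVD and GitHub responses each look different.
# cvss is the CVSS v3 base score (None = the source carried no v3 score).
ADVISORIES = [
    {"source": "osv",    "id": "GHSA-0000-0000-0001", "aliases": ["CVE-0000-0001"], "package": "curl",      "fixed": "8.5.0",  "cvss": 8.8},
    {"source": "nvd",    "id": "CVE-0000-0001",       "aliases": [],                "package": "curl",      "fixed": "8.5.0",  "cvss": 8.8},
    {"source": "github", "id": "GHSA-0000-0000-0001", "aliases": ["CVE-0000-0001"], "package": "curl",      "fixed": "8.5.0",  "cvss": None},
    {"source": "nvd",    "id": "CVE-0000-0002",       "aliases": [],                "package": "openssl@3", "fixed": "3.1.5",  "cvss": 9.8},
    {"source": "osv",    "id": "CVE-0000-0003",       "aliases": [],                "package": "curl",      "fixed": "8.4.0",  "cvss": 5.3},
    {"source": "nvd",    "id": "CVE-0000-0004",       "aliases": [],                "package": "git",       "fixed": "2.43.0", "cvss": 2.5},
]


def parse_brew_list(text):
    """Step 1: 'name version [version...]' -> {name: newest installed version}.
    brew prints multiple installed versions of one formula in ascending order."""
    inventory = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            inventory[parts[0]] = parts[-1]
    return inventory


def version_key(version):
    """Dotted numeric versions only; real tools need PEP 440 / semver aware comparison."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def canonical_id(record):
    """Step 2: merge key. Prefer the CVE ID (own ID or alias) so the same issue reported
    by three sources under GHSA and CVE identifiers collapses into one finding."""
    for candidate in [record["id"], *record["aliases"]]:
        if candidate.startswith("CVE-"):
            return candidate
    return record["id"]


def severity(score):
    """Step 3: the CVSS v3 severity buckets used on this page."""
    if score is None:
        return "Unscored"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def fix_command(package):
    """Step 4: the upgrade command for Homebrew, the only manager in this example."""
    return f"brew upgrade {package}"


def scan(inventory, advisories):
    """Cross-reference, deduplicate, score and rank; returns findings worst first."""
    merged = {}
    for rec in advisories:
        pkg = rec["package"]
        if pkg not in inventory:
            continue
        if version_key(inventory[pkg]) >= version_key(rec["fixed"]):
            continue  # installed version already carries the fix
        cid = canonical_id(rec)
        entry = merged.setdefault(cid, {
            "cve": cid, "package": pkg, "installed": inventory[pkg],
            "fixed": rec["fixed"], "cvss": None, "sources": set(),
        })
        entry["sources"].add(rec["source"])
        if rec["cvss"] is not None:  # sources can disagree; keep the highest score seen
            entry["cvss"] = max(entry["cvss"] or 0.0, rec["cvss"])
    findings = []
    for entry in merged.values():
        entry["severity"] = severity(entry["cvss"])
        entry["fix"] = fix_command(entry["package"])
        entry["sources"] = sorted(entry["sources"])
        findings.append(entry)
    findings.sort(key=lambda e: -(e["cvss"] or 0.0))
    return findings


if __name__ == "__main__":
    for f in scan(parse_brew_list(BREW_LIST_OUTPUT), ADVISORIES):
        print(f"{f['severity']:<8} {f['cvss']!s:<5} {f['cve']} {f['package']} "
              f"{f['installed']} -> {f['fixed']}  [{', '.join(f['sources'])}]  {f['fix']}")
```

Two details matter in practice: the merge keys on the CVE ID even when a source reports the advisory under its GHSA ID, and a version-aware comparison drops advisories whose fix is already installed (CVE-0000-0003 above) so the list only contains what still needs an upgrade.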

Beyond packages — your system config matters too.

CVEs are only half the picture. Misconfigured system settings are equally dangerous — and much easier to overlook.

Account & sudo rules

Detects NOPASSWD entries in /etc/sudoers and sudoers.d. Flags accounts with no login password. Highlights users with unexpected admin privileges.

sudo -l · /etc/sudoers · dscl
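The NOPASSWD detection described above, as an added example that is not BrewBox code. The sudoers text and the sudoers.d drop-in are constructed for the example, and the checker works on file contents rather than shelling out, so it runs anywhere. It handles the parts of sudoers syntax that a plain grep for NOPASSWD gets wrong: backslash continuation lines, the rule that a tag applies to every command after it until PASSWD: switches it off, stacked tags such as NOPASSWD:SETENV:, and Defaults !authenticate, which removes the password prompt without any NOPASSWD at all.

```python
"""Added example, not BrewBox code: find passwordless sudo rules in sudoers text.
The file contents below are constructed for this example."""
import re

# Constructed /etc/sudoers and a constructed drop-in from /etc/sudoers.d.
SUDOERS_MAIN = """\
# User privilege specification
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, PASSWD: /bin/bash
ci      ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
"""
SUDOERS_D_BACKUP = """\
backup ALL = (root) NOPASSWD: /usr/bin/rsync, \\
    /usr/bin/tar
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?P<spec>.+)$")
NOT_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def logical_lines(text):
    """Join backslash continuations and drop blank, comment and include lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith(("#", "@include")):
            yield line


def nopasswd_rules(text, path="/etc/sudoers"):
    """Return every user spec that grants commands without a password."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            if "!authenticate" in line:  # disables the password prompt globally (or per user/host)
                findings.append({"file": path, "who": line.split()[0], "commands": ["ALL"],
                                 "unrestricted": True, "rule": line})
            continue
        if line.startswith(NOT_RULES):
            continue
        m = RULE.match(line)
        if not m or "NOPASSWD:" not in m.group("spec"):
            continue
        # A tag applies to the command it precedes and every later command in the list,
        # until PASSWD: switches it off again. Runas lists containing commas are not handled.
        commands, active = [], False
        for cmd in (c.strip() for c in m.group("spec").split(",")):
            cmd = re.sub(r"^\([^)]*\)\s*", "", cmd)  # drop the (runas) prefix
            while ":" in cmd.split(" ", 1)[0]:       # peel stacked tags such as NOPASSWD:SETENV:
                tag, cmd = cmd.split(":", 1)
                cmd = cmd.strip()
                if tag == "NOPASSWD":
                    active = True
                elif tag == "PASSWD":
                    active = False
            if active and cmd:
                commands.append(cmd)
        findings.append({"file": path, "who": m.group("who"), "commands": commands,
                         "unrestricted": "ALL" in commands, "rule": line})
    return findings


if __name__ == "__main__":
    for f in nopasswd_rules(SUDOERS_MAIN) + nopasswd_rules(SUDOERS_D_BACKUP, "/etc/sudoers.d/backup"):
        flag = "ALL COMMANDS" if f["unrestricted"] else ", ".join(f["commands"])
        print(f"{f['file']}: {f['who']} -> {flag}")
```

On a real machine feed it the contents of /etc/sudoers and every file under /etc/sudoers.d (reading them needs root), and treat "unrestricted" findings as the ones to fix first: the deploy rule above is scoped to one command, while the ci rule is passwordless root for everything.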

Firewall & network exposure

Checks whether the macOS Application Firewall is enabled, stealth mode is active, and which apps have incoming connection exceptions.

/usr/libexec/ApplicationFirewall/socketfilterfw

SSH configuration

Reads /etc/ssh/sshd_config to detect PermitRootLogin yes, PasswordAuthentication yes, and a missing AllowUsers restriction, the most common SSH misconfigurations. Keep in mind that sshd applies a built-in default for any directive the file omits or leaves commented out (PasswordAuthentication defaults to yes, so a file that never mentions it still allows password logins), and that directives pulled in through an Include line count as well; sudo sshd -T prints the values sshd will actually use.

/etc/ssh/sshd_config · Remote Login preference
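The sshd_config audit above, as an added example that is not BrewBox code. The config text is constructed for the example and written the way Apple ships the file, with most directives commented out. The checker follows two sshd rules that a line-by-line grep misses: when a directive appears twice, the first value wins and the second is ignored, and a directive that is absent takes its built-in default (prohibit-password for PermitRootLogin, yes for PasswordAuthentication). Directives under a Match block are reported separately, because they only apply when the match condition holds.

```python
"""Added example, not BrewBox code: audit sshd_config the way sshd reads it.
The config text below is constructed for this example."""
import re

# Built-in OpenSSH defaults that apply when a directive is absent (a commented-out line is absent).
DEFAULTS = {"PermitRootLogin": "prohibit-password", "PasswordAuthentication": "yes"}

# Constructed config in the style Apple ships: most directives left commented out.
SSHD_CONFIG = """\
#PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
#AllowUsers alice

Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def effective_config(text):
    """Global settings under sshd's first-value-wins rule. Directives under a Match
    block only apply when the condition holds, so they are collected separately."""
    globals_, conditional = {}, []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after a Match line is conditional until the next Match
            continue
        if in_match:
            conditional.append((key, value))
        else:
            globals_.setdefault(key, value)  # later repeats are ignored by sshd
    return globals_, conditional


def audit_sshd(text):
    """Findings for the three misconfigurations named above, defaults included."""
    cfg, conditional = effective_config(text)
    findings = []
    for directive, default in DEFAULTS.items():
        key = directive.lower()
        value = cfg.get(key, default)
        if value.lower() == "yes":
            origin = "explicit" if key in cfg else "absent, so the built-in default applies"
            findings.append({"directive": directive, "value": value, "origin": origin})
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append({"directive": "AllowUsers", "value": "(absent)",
                         "origin": "no user restriction: every local account may attempt SSH"})
    for directive in DEFAULTS:
        for key, value in conditional:
            if key == directive.lower() and value.lower() == "yes":
                findings.append({"directive": directive, "value": value,
                                 "origin": "inside a Match block, applies only when the condition holds"})
    return findings


if __name__ == "__main__":
    for f in audit_sshd(SSHD_CONFIG):
        print(f"{f['directive']} = {f['value']}  ({f['origin']})")
```

In the constructed file the global PasswordAuthentication is no, because the first of the two lines wins, yet the audit still reports two problems: no AllowUsers restriction, and password logins re-enabled for 10.0.0.0/8 inside the Match block. Files pulled in by an Include line are not expanded here; on a live host, sudo sshd -T gives the fully resolved values.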

FileVault, Gatekeeper & SIP

Confirms full-disk encryption is active (fdesetup status), Gatekeeper is enforcing app signing (spctl --status), and System Integrity Protection has not been disabled (csrutil status).

fdesetup · spctl · csrutil

World-writable PATH entries

Scans every directory in your PATH for world-writable permissions. A world-writable PATH entry lets any local user or process plant an executable there, or replace one already in it, under the name of a command you or a script will run; because the shell takes the first match in PATH order, an entry near the front of the PATH is the worst case. This is a classic local privilege escalation vector.

ls -ld "$PATH_ENTRY" | awk '{print $1}'
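The PATH check above, as an added example that is not BrewBox code. It inspects the mode bits of each PATH directory rather than asking whether the current process can write there, because the question is what any local user can do. The build_demo_path helper creates three constructed directories under a temporary directory (modes 0777, 1777 and 0755) so the check can be exercised without touching the real PATH; pass nothing to check the real one.

```python
"""Added example, not BrewBox code: flag PATH directories any local user can write to.
build_demo_path() creates constructed directories under a temp dir so the check runs anywhere."""
import os
import stat
import tempfile


def world_writable_path_entries(path_value=None):
    """Return one finding per PATH directory with the other-write bit set, in PATH order.
    Mode bits are checked (not os.access), because the question is what *any* local user
    can do, not what this process can do."""
    if path_value is None:
        path_value = os.environ.get("PATH", "")
    findings = []
    for index, entry in enumerate(path_value.split(os.pathsep)):
        if not entry:
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # missing entries cannot host a binary; out of scope here
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append({
                "index": index,  # lower index wins the lookup, so it shadows later entries
                "entry": entry,
                # The sticky bit stops others replacing existing files, but a new file named
                # after a command absent from earlier entries is still planted and still runs.
                "sticky": bool(st.st_mode & stat.S_ISVTX),
                "mode": oct(stat.S_IMODE(st.st_mode)),
            })
    return findings


def build_demo_path():
    """Constructed PATH: a 0777 dir, a 1777 (sticky) dir and a normal 0755 dir."""
    base = tempfile.mkdtemp(prefix="pathcheck-")
    dirs = []
    for name, mode in (("open", 0o777), ("sticky", 0o1777), ("safe", 0o755)):
        d = os.path.join(base, name)
        os.mkdir(d)
        os.chmod(d, mode)  # chmod applies the exact mode regardless of umask
        dirs.append(d)
    return os.pathsep.join(dirs)


if __name__ == "__main__":
    for f in world_writable_path_entries():
        print(f"PATH[{f['index']}] {f['entry']} mode {f['mode']}" + (" (sticky)" if f["sticky"] else ""))
```

A sticky world-writable directory (the 1777 case) is reported as well: the sticky bit only prevents other users from deleting or renaming files they do not own, so nothing stops them adding a new binary named after a command that no earlier PATH entry provides.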

Fully local. Only the lookups leave your Mac.

BrewBox builds your package inventory locally and looks vulnerabilities up against the public databases named above. Those lookups are the only network traffic a scan generates; your paths and environment variables are never transmitted, and nothing is sent to any server other than the databases themselves.

Know what's vulnerable.

CVE scanning requires BrewBox Pro. Start your 5-day free trial today.