Catalog

Vulnerability scanning tools

DAST, SAST, SCA, IAST, container, IaC, and secrets scanners — open-source and commercial.

DAST · 4 tools

OWASP ZAP

Open Source

Mature open-source web application scanner and proxy.

zaproxy.org

Burp Suite

Commercial

Industry-standard web vulnerability scanner and testing platform.

portswigger.net

Acunetix

Commercial

Automated web vulnerability scanning with broad coverage.

acunetix.com

SAST · 4 tools

Semgrep

Freemium

Lightweight static analysis with custom rule support.

semgrep.dev

SonarQube

Freemium

Code quality and security analysis across many languages.

sonarsource.com

Checkmarx

Commercial

Enterprise SAST with broad language and framework coverage.

checkmarx.com

SCA · 2 tools

Snyk Open Source

Freemium

Dependency vulnerability scanning with developer-friendly fixes.

snyk.io

OWASP Dependency-Check

Open Source

Identifies known-vulnerable dependencies via NVD data.

owasp.org

IAST · 1 tool

Contrast Assess

Commercial

Interactive application security testing via runtime instrumentation.

contrastsecurity.com

Container · 1 tool

Trivy

Open Source

All-in-one scanner for containers, IaC, and dependencies.

trivy.dev

IaC · 1 tool

Checkov

Open Source

Policy-as-code IaC scanner for Terraform, CloudFormation, K8s.

checkov.io

Secrets · 1 tool

Gitleaks

Open Source

Detects hardcoded secrets in git history and working trees.

gitleaks.io