10 Best Open-Source Vulnerability Scanners for 2023

Vulnerability assessment tools scan assets for known vulnerabilities, misconfigurations, and other flaws. These scanners then output reports for IT security and application development operations (DevOps) teams that feed prioritized tasks into ticketing and workflow systems for remediation.

Open source vulnerability testing tools provide cost-effective vulnerability detection solutions. Many IT teams even deploy one or more open source tools in addition to commercial vulnerability scanning tools as backup, or as a check to verify vulnerabilities. In our analysis, here are the best open source vulnerability tools for 2023.

After a discussion of the tools, this article will cover how we evaluated the open source vulnerability scanners and who shouldn’t use an open source vulnerability scanner. For those who might need a refresher on vulnerability scanning, consider reading our guide to vulnerability scanning first.

Open Source Website and Application Vulnerability Scanners

In an ever-connected world, developers continuously churn out complex websites and applications. Website and application (WebApp) scanners test code in various ways to catch programming errors and vulnerabilities before hackers can locate them.

Most tools will detect common but critical vulnerabilities listed in the OWASP Top 10, such as SQL injection (SQLi) or cross-site scripting (XSS), but may do better in one category than another. Organizations will make their selection based upon deployment flexibility, scanning speed, scanning accuracy, and connections to other tools such as ticketing systems or programming workflow products. However, without licensing costs as a barrier, many teams will deploy several open source tools at the same time.

OSV-Scanner – Best Open Source Code Scanner

Several other Software Composition Analysis (SCA) tools significantly predate OSV-Scanner’s December 13, 2022 launch date and effectively scan static software for open source programming code vulnerabilities. However, the Google-developed OSV-Scanner pulls from the OSV.dev open source vulnerability database and works in a host of different ecosystems.

While a newcomer, OSV-Scanner provides a broader range of vulnerability sources and languages and should be considered as either a replacement or at least a complementary open-source scanning tool for DevOps teams.


Key Features

  • Scans software to locate dependencies and the vulnerabilities that affect them
  • Stores information about affected versions in JSON, a machine-readable format that integrates with developer packages
  • Scans directories, software bills of materials (SBOMs), lockfiles, Debian-based Docker images, or software running within Docker containers.

Pros

  • Pulls vulnerabilities from a huge number of sources: Alpine, Android, crates.io, Debian, Go, Linux, Maven, npm, NuGet, OSS-Fuzz, Packagist, PyPI, RubyGems and more.
  • Shows condensed results that reduce time needed for resolution.
  • Can ignore vulnerabilities by ID number.
  • Still in active development by Google, so new features will be added.

Cons

  • Still in active development, so it lacks full developer workflow integrations and C/C++ vulnerability coverage
  • May not yet surpass the specialized capabilities of more focused and older open source SCA tools for their specialty programming languages.
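The matching step that OSV-Scanner automates can be illustrated with the OSV.dev batch query API it is built on. The example below is added here and is not OSV-Scanner's own code: it builds the JSON body for the documented `POST /v1/querybatch` endpoint from a dependency list, then pairs a response with those dependencies and drops any vulnerability whose ID or alias is on an ignore list, which plays the role of OSV-Scanner's ignore-by-ID configuration. The dependency list, the response and every vulnerability ID in it are constructed for the demo, and the script never contacts the network.

```python
"""Build an OSV.dev batch query for a dependency list and apply an ignore list,
mirroring how OSV-Scanner matches packages against the OSV database.
Added example, not OSV-Scanner's own code; the dependencies, the response and
the vulnerability IDs below are constructed, not real scan output."""
import json

# Real, documented endpoint (https://google.github.io/osv.dev/api/); this
# example only builds its request body and parses a constructed response.
OSV_QUERY_BATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed dependency list, as a lockfile parser might produce it.
DEPENDENCIES = [
    {"name": "lodash", "version": "4.17.15", "ecosystem": "npm"},
    {"name": "requests", "version": "2.25.1", "ecosystem": "PyPI"},
    {"name": "golang.org/x/text", "version": "0.3.6", "ecosystem": "Go"},
]

# Constructed OSV-style response: one result per query, in query order.
# The IDs are placeholders, not real advisories.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "GHSA-xxxx-example-1", "aliases": ["CVE-0000-00001"]},
                   {"id": "GHSA-xxxx-example-2"}]},
        {"vulns": []},
        {"vulns": [{"id": "GO-0000-example-3"}]},
    ]
}


def build_query_batch(deps):
    """Return the JSON body for POST /v1/querybatch (shape from the OSV API docs)."""
    return {"queries": [
        {"package": {"name": d["name"], "ecosystem": d["ecosystem"]},
         "version": d["version"]}
        for d in deps]}


def findings(deps, response, ignored_ids=()):
    """Pair each dependency with its vulns, dropping any whose id or alias is
    ignored. ignored_ids stands in for OSV-Scanner's ignore-by-ID setting."""
    ignored = set(ignored_ids)
    out = []
    for dep, result in zip(deps, response["results"]):
        for vuln in result.get("vulns", []):
            ids = {vuln["id"], *vuln.get("aliases", [])}
            if ids & ignored:
                continue  # accepted risk or known false positive, per ID
            out.append({"package": dep["name"], "version": dep["version"],
                        "ecosystem": dep["ecosystem"], "id": vuln["id"]})
    return out


if __name__ == "__main__":
    print(json.dumps(build_query_batch(DEPENDENCIES), indent=2))
    for f in findings(DEPENDENCIES, SAMPLE_RESPONSE, ignored_ids=["CVE-0000-00001"]):
        print(f"{f['ecosystem']}/{f['package']}@{f['version']}: {f['id']}")
```

Ignoring by alias as well as by primary ID matters in practice: the same flaw is often listed under a GHSA identifier and a CVE identifier, and an ignore list keyed on only one of them silently stops working when the database changes which it reports first.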

sqlmap – Best for Database Scanning

Some DevOps teams want to scan a back-end database before hooking it up to code. sqlmap enables database vulnerability scanning and penetration testing on a wide variety of databases without distracting the DevOps team with unnecessary features and functions.


Key Features

  • Automatically recognizes and uses password hashes
  • Developed in Python and can be run on any system with a python interpreter
  • Can directly attach to the database for testing via DBMS credentials, IP address, port, and database name
  • Full support for more than 35 database management systems including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, IBM DB2, Sybase, SAP MaxDB, Microsoft Access, Amazon Redshift, Apache Ignite, and more.
  • Performs six types of SQL Injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band.

Pros

  • Can perform password cracking
  • Can search for specific database names and tables
  • Supports execution of arbitrary commands and retrieval of standard outputs

Cons

  • Command-line tool with no graphic user interface
  • Very specialized tool
  • Requires expertise in databases to use effectively

Wapiti – Best for SQLi Testing

Wapiti performs black-box scans of websites and applications without examining code. Instead, Wapiti uses fuzzing techniques to inject payloads into scripts and check for common vulnerabilities.


Key Features

  • Supports GET and POST HTTP methods for attacks
  • Modules test for SQL injection (SQLi), XPath injection, cross-site scripting (XSS), file disclosure, XML eXternal Entity (XXE) injection, folder and file enumeration, and more.
  • Supports HTTP, HTTPS, and SOCKS5 proxies
  • Authentication through Basic, Digest, NTLM or GET/POST on login forms
  • Scans can be performed on domains, folders, pages, and URLs.

Pros

  • Tests a wide variety of potential vulnerabilities
  • Some tests show Wapiti detects more SQLi and Blind SQLi vulnerabilities than other open source tools such as ZAP

Cons

  • Command-line tool with no graphic user interface
  • Requires significant expertise and knowledge to use

ZAP (OWASP Zed Attack Proxy) – Best for XSS Testing

OWASP’s Zed Attack Proxy (ZAP), also available on Kali Linux, places itself between the tester’s browser and the web application to intercept requests and act as a “proxy.” This technique allows ZAP to test applications by modifying contents, forwarding packets, and other activities to simulate user and hacker behavior.


Key Features

  • Available for major operating systems and Docker
  • Docker packaged scans available for quick starts
  • Automation framework available
  • Comprehensive API available
  • Manual and automated exploration available

Pros

  • Actively maintained by OWASP teams
  • Very comprehensive
  • Both graphical and command-line interfaces are available
  • Fast learning curve and great documentation
  • Convenient for various levels, from beginners to security teams
  • Performs very well to detect XSS vulnerabilities
  • Can perform fuzzing attacks
  • ZAP is commonly used by penetration testers, so using ZAP provides an excellent idea of what vulnerabilities casual attackers might locate

Cons

  • Requires additional plugins for some features
  • Requires some expertise to use
  • Generally produces more false positives than commercial products

Open Source Infrastructure Vulnerability Scanners

Security and IT professionals first developed vulnerability scanners to seek missing patches and misconfigurations in traditional IT networking infrastructure: servers, firewalls, networking equipment, and endpoints. With the increasing complexity of the cloud, virtual machines, and connected devices, vulnerability scanning tools have expanded in number and scope to keep up.

CloudSploit – Best Cloud Resource Scanner

Aqua open-sourced the core scanning engine of CloudSploit so that users can download, modify, and enjoy the benefits of the basic tool. CloudSploit scans can be performed on demand or configured to run continuously and feed alerts to security and DevOps teams.


Key Features

  • Uses RESTful interface for APIs
  • API can be called from the command line, scripts, or build systems (Jenkins, CircleCI, AWS CodeBuild, etc.)
  • Read/write controls can provide each API key with specific permissions
  • Each API call is separately trackable
  • Continuous CIS Benchmark auditing for AWS, Azure, and Google Cloud
  • Continuous scans can deliver alerts on changes to the cloud infrastructure that introduce vulnerabilities as they occur such as changed security groups, new trusted SSH keys, MFA devices deactivated, deleted logs, and more.

Pros

  • Real-time results
  • Secure HMAC256 signatures authenticate API keys
  • Scans for over 95 security risks in seconds
  • Intuitive Web GUI
  • Supports HIPAA and PCI (DSS) compliance frameworks
  • Integrates to send alerts via Slack, Splunk, OpsGenie, Amazon SNS, email, and more.

Cons

  • Not available through GitHub
  • Automatic update push, some reporting tools, and some integration may only be available with the paid product (additional features are not open source).

Firmwalker – Best for IoT Scanning

A few open source teams developed various tools to scan the firmware and settings of network equipment and internet of things (IoT) devices. Yet most lean more towards security tools than vulnerability scanners. Firmwalker, however, can search through extracted or mounted firmware and report on potential vulnerabilities.


Key Features

  • Can search for SSL-related files and etc/ssl directories
  • Can search for configuration, script, and pin files
  • Can recognize and report on keywords such as admin, password, and remote.
  • Can search for URLs, email addresses and IP addresses

Pros

  • Performs a security audit of IoT, networking, OT, and other firmware
  • Can locate unexpected files, embedded passwords, or hidden URLs
  • Available as a bash script

Cons

  • Requires some programming skills to use effectively
  • No GUI available
  • Shodan API support is currently experimental
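The kind of search the Firmwalker feature list describes is simple enough to show end to end. The script below is an added example and not Firmwalker's own bash script: it walks an extracted firmware root and reports SSL material, configuration and script files, lines containing the keywords admin, password and remote, and any URLs, e-mail addresses and IPv4 addresses it finds. The file extensions it treats as SSL or configuration material, and the small firmware tree it builds in a temporary directory, are constructed for the demo.

```python
"""Walk an extracted firmware root and report Firmwalker-style findings:
SSL material, config/script files, sensitive keywords, and URLs, e-mail and
IPv4 addresses. Added example, not Firmwalker's own script; the extension
lists are assumptions and the firmware tree is constructed for the demo."""
import os
import re
import shutil
import tempfile

SSL_EXTS = {".pem", ".crt", ".cer", ".key", ".p12", ".pfx"}   # assumed list
CONFIG_EXTS = {".conf", ".cfg", ".ini", ".sh", ".pin"}        # assumed list
KEYWORDS = ("admin", "password", "remote")
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scan_firmware(root):
    """Return a report dict keyed by finding type; paths are relative to root."""
    report = {"ssl_files": [], "config_files": [], "keyword_hits": [],
              "url": [], "email": [], "ipv4": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in SSL_EXTS or "etc/ssl" in rel:
                report["ssl_files"].append(rel)
            if ext in CONFIG_EXTS:
                report["config_files"].append(rel)
            try:
                # Binary content is tolerated: undecodable bytes are dropped.
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for lineno, line in enumerate(fh, 1):
                        low = line.lower()
                        for kw in KEYWORDS:
                            if kw in low:
                                report["keyword_hits"].append((rel, lineno, kw))
                        for kind, pat in PATTERNS.items():
                            report[kind].extend((rel, m) for m in pat.findall(line))
            except OSError:
                continue  # unreadable file (device node, permission); skip it
    return report


def build_demo_tree():
    """Create a constructed mini firmware tree and return its root path."""
    root = tempfile.mkdtemp(prefix="fw_")
    files = {
        "etc/ssl/certs/device.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n",
        "etc/shadow": "admin:$6$saltsalt$hashhashhash:19000:0:99999:7:::\n",
        "etc/init.d/remote.sh": "#!/bin/sh\nPASSWORD=letmein\ncurl http://update.example.invalid/fw\n",
        "usr/share/about.txt": "support@example.invalid\n",
        "etc/network.conf": "gateway=192.168.1.1\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for kind, items in scan_firmware(demo_root).items():
            print(f"{kind}:")
            for item in items:
                print("   ", item)
    finally:
        shutil.rmtree(demo_root)
```

Run it against a real extracted image by passing that directory to `scan_firmware` instead of the demo tree. Keyword hits are deliberately reported per line so a reviewer can tell a hard-coded `PASSWORD=` in an init script, which is a finding, from the word "password" in a help text, which usually is not.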

Nikto2 – Best Web Server Scanner

Nikto2 is an open-source web server scanner that can spot dangerous files and programs as well as server misconfigurations hackers want to exploit. Users can also access Nikto on Kali Linux.


Key Features

  • Checks for over 6,700 potentially dangerous files and programs
  • Tests for more than 1,250 outdated server versions and 270 version specific problems
  • Checks for multiple index files, HTTP server options
  • Verifies installed web servers and software
  • Can perform credentials guessing
  • Techniques available to reduce false-positives
  • Outputs to TXT, XML, HTML, NBE or CSV file formats

Pros

  • Small and lightweight software but still powerful
  • Supports files for input and output
  • Scan items and plugins are frequently updated and can be updated automatically
  • Detects and flags many common issues with web servers
  • SSL support for Unix and Windows OS, HTTP Proxy Support
  • Option to deploy encoding techniques for intrusion detection system (IDS) evasion and testing

Cons

  • Command-line only, no graphical interface
  • Very specific, which can be confusing for beginners
  • Searches are more limited than some commercial tools
  • Thorough scans can take more than 45 minutes to complete

OpenSCAP – Best for Compliance-Focused Scanning

OpenSCAP is an open-source framework for Linux platforms based on the Security Content Automation Protocol (SCAP) maintained by the US National Institute of Standards and Technology (NIST). The OpenSCAP project creates open-source tools for implementing and enforcing this open standard, which is used to enumerate flaws and misconfigurations.

The scanner provides an extensive range of tools that support scanning of web applications, network infrastructure, databases, and hosts. Unlike most scanners, which test for Common Vulnerabilities and Exposures (CVEs), OpenSCAP tests the device against the SCAP standard.


Key Features

  • Performs vulnerability assessments on systems
  • Accesses public databases of vulnerabilities
  • The OpenSCAP Base tool provides a NIST-certified command line scanning tool, a graphical user interface (GUI) is available for more ease of use
  • The OpenSCAP Daemon can continuously scan infrastructure for SCAP policy compliance
  • Other OpenSCAP tools provide desktop scanning, centralized scan results, or compliant computer images
  • Integrates with systems management solutions such as Red Hat Satellite 6, RH Access Insights and more
  • The Atomic Scan option can scan containers for security vulnerabilities and compliance issues.

Pros

  • Quick identification of security issues and instant corrective operations
  • Supported by Red Hat and other open-source vendors
  • Combines security vulnerability and compliance scanning
  • Can scan Docker container images

Cons

  • Significantly harder to learn than many other tools
  • The multiple tools in the OpenSCAP system can be confusing
  • Users need to know the security policy that matches their needs
  • Many tools only run on Linux, and some tools only run on specific Linux distributions
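Because OpenSCAP reports policy compliance rather than CVE hits, the output a team works from is an XCCDF results document listing each rule's outcome. The script below is an added example, not OpenSCAP's own code: it reads such a document, counts outcomes per severity, lists failed rules, and applies a simple gate that fails when any high-severity rule failed. The XML is a constructed, minimal XCCDF 1.2 results document with placeholder benchmark, profile and rule IDs; the `gate_passes` threshold is an assumption for the demo.

```python
"""Summarize an XCCDF 1.2 results document of the kind OpenSCAP produces,
counting rule outcomes per severity and flagging failed rules. Added example,
not OpenSCAP's own code; the XML and its IDs are constructed for the demo."""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed results document: one profile, four rule results, one score.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo">
    <profile idref="xccdf_example_profile_baseline"/>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_audit_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_file_permissions_etc_shadow" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_unused_rule" severity="low">
      <result>notselected</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">75.000000</score>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text):
    """Return profile, score, per-severity outcome counts and failed rules."""
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element; is this an XCCDF results file?")
    profile = test_result.find("x:profile", XCCDF_NS)
    score = test_result.find("x:score", XCCDF_NS)
    summary = {
        "profile": profile.get("idref") if profile is not None else None,
        "score": float(score.text) if score is not None else None,
        "by_severity": {},
        "failed_rules": [],   # (rule id, severity)
    }
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        severity = rr.get("severity", "unknown")
        outcome = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        bucket = summary["by_severity"].setdefault(severity, {})
        bucket[outcome] = bucket.get(outcome, 0) + 1
        # "error" means the check could not run; treat it as a failure to review.
        if outcome in ("fail", "error"):
            summary["failed_rules"].append((rr.get("idref"), severity))
    return summary


def gate_passes(summary, blocking_severities=("high",)):
    """Assumed policy for the demo: no failed rule at a blocking severity."""
    return not any(sev in blocking_severities for _, sev in summary["failed_rules"])


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print("profile:", s["profile"], "score:", s["score"])
    for sev, counts in s["by_severity"].items():
        print(f"  {sev}: {counts}")
    for rule_id, sev in s["failed_rules"]:
        print(f"  FAILED [{sev}] {rule_id}")
    print("gate passes:", gate_passes(s))
```

Outcomes such as `notselected` and `notapplicable` are counted but never treated as failures, which is the distinction that matters when a profile enables far more rules than a given host type needs.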


OpenVAS – Best for Endpoint and Network Scanning

Developers created OpenVAS as a multi-purpose scanner by using the last available open source code for Nessus, now a market-leading commercial product released by Tenable. OpenVAS maintains high capabilities to perform large-scale assessments and network vulnerability tests on traditional endpoints and networks. The tool collects insights from a massive range of sources and an extensive database of vulnerabilities.


Key Features

  • Scans systems for known vulnerabilities and missing patches
  • Web-based management console
  • Can be installed on any local or cloud-based machine
  • Provides insights on each vulnerability such as how to eliminate the vulnerability or how attackers might exploit the vulnerability

Pros

  • Actively maintained by Greenbone
  • Covers many CVEs (common vulnerabilities and exposures)
  • The scan database is updated regularly
  • Large community for peer support
  • Organizations that outgrow the Community Edition can upgrade to the Greenbone Enterprise Appliance or Greenbone Cloud Service.

Cons

  • Can be overwhelming for beginners and requires some expertise
  • Large numbers of concurrent scans can crash the program
  • No policy management
  • Greenbone Community Edition only scans basic endpoint assets, or Home Application Products, such as Ubuntu Linux, MS Office, etc.
  • To scan enterprise products or obtain access to Policies, organizations need to upgrade to the for-pay Greenbone Enterprise version.

Nmap – Best for Network and Port Scanning

The Nmap Security Scanner supports binary packages for Windows, macOS, and Linux and is included in many Linux builds. Nmap uses IP packets to scan device ports and determine what hosts, services, and operating systems are available from the asset under inspection. Penetration testers and IT teams value Nmap as a quick, effective, and lightweight tool to list open ports on a system.

For more information, see also: Nmap Vulnerability Scanning Made Easy: Tutorial


Key Features

  • Host discovery quickly determines which IP addresses are up and reachable on a network.
  • Uses TCP/IP stack characteristics to guess device operating systems
  • Growing library of 500 scripts for enhanced network discovery and vulnerability assessment

Pros

  • Quickly scans open ports on a system and determines available TCP/UDP services
  • Interrogates ports to determine running protocols, applications and version numbers
  • Large user base and open source community

Cons

  • No formal support for customers
  • Requires some expertise and IT knowledge to use effectively


How We Evaluated the Open Source Vulnerability Scanners

The writing team at eSecurity Planet researched a variety of open source vulnerability scanning tools for this article. We used content from community forums, tool websites, and other resources to obtain industry feedback on the tools.

To be included, tools needed to be primarily vulnerability scanning tools, so penetration testing or security tools (endpoint, network, etc.) that merely include a vulnerability scanning function were generally not included. We assume the readers are looking for specific tools for vulnerability scanning, and we have published other articles on those topics.

Also, the open-source project needed to be updated relatively recently to demonstrate that the tool is keeping pace with the discovery of vulnerabilities. Many popular open source tools such as Arachni, Lynis, Vega, and w3af could not be included because they have not been updated in several years.

Where possible, a winner was selected for a category. However, if a winner could not be selected and another tool on our recommended list could perform some of the functions, then we dropped the category.

For example, many developers created open source container-vulnerability scanning tools such as Anchore, Clair, Dagda, and Trivy. While reviews cite effective results, they also cite significant missing features and difficulty with use or integration. Since OpenSCAP and OSV-Scanner both have some ability to scan containers, we dropped an exclusive container vulnerability scanning tool category for this year.

Who Shouldn’t Use an Open Source Vulnerability Scanner?

Open Source tools can often be downloaded, modified, and used for free. So why shouldn’t everyone use them?

Open source scanners tend to require more technical expertise, more time, and more effort from the IT team members using the tool. Even organizations with expertise in-house often purchase commercial vulnerability scanning tools or vulnerability-management-as-a-service (VMaaS) instead, to save time and hidden labor costs.

In general open source tools will not have the same features, integrations, and capabilities of commercial tools. Open source tools will also lack formal technical support, but some consultants and for-profit companies, such as Greenbone for OpenVAS, provide service and support for a fee. Open source tools may have robust communities available for peer-to-peer support, but the response time to questions can vary and there is no guarantee of helpful responses.

Open source tools also generally rely upon open source databases. This might mean that these tools lag behind commercial tools that have employees dedicated to updating vulnerability databases and in-house research. However, researchers often contribute vulnerabilities to these databases as well, so there are some open source tools that lag only the most aggressively updated commercial tools.

An issue not exclusive to open source is that most open source projects rely upon open source building blocks in their development. Contributors regularly police the libraries and work to eliminate vulnerabilities in the code as they are discovered in the software bill of materials (SBOM). However, whether commercial software is more aggressive than open source teams in closing off potential vulnerabilities needs to be evaluated on a case-by-case basis.

Can Penetration Testing Tools Be Used for Vulnerability Scans?

Many blogs and lists of open source vulnerability scanning tools include a variety of penetration testing tools such as Wireshark, Metasploit, and Aircrack-ng. While penetration testing tools can be used to locate vulnerabilities, most of these tools have not been designed to integrate with ticketing systems, provide any ranking or prioritization of vulnerabilities, or incorporate the likelihood of exploitation.

Penetration testing tools work great, but were designed for a different purpose. Engineers and technicians that use penetration testing tools for vulnerability assessments do so more out of habit and comfort level than because they are efficient vulnerability scanning tools.

Bottom Line: Just Start Scanning

The most important step in vulnerability management is to start. Whether or not an organization chooses open source or commercial tools will depend upon their resources and preferences, but the tools should be deployed and used regularly. Regular use of vulnerability scanning tools can detect issues before attackers and provide internal teams the time to remediate the issues.

Fortunately, the low cost of open source tools allows for IT, security, and DevOps teams to deploy multiple open source tools even if they also use commercial tools. Hackers often use open source tools to scan systems and software for exploitation, so periodically using these open source tools provides insight into a hacker’s viewpoint and priorities. Even though these tools can demand more effort and expertise, open source vulnerability tools provide a valuable resource to any organization that can effectively use them.

Julien Maury contributed to this report.

Chad Kime
eSecurity Planet Lead Writer Chad Kime combines his Electrical Engineering and MBA degrees to translate between technical language and common English. After managing over 200 foreign language eDiscovery projects, Chad values practicality over idealism. He has written on cybersecurity, risk, compliance, network security hardware, endpoint monitoring software, anime DVDs, industrial hard drive equipment, and legal forensic services.