Vulnerability assessment tools scan assets for known vulnerabilities, misconfigurations, and other flaws. These scanners then output reports for IT security and application development operations (DevOps) teams that feed prioritized tasks into ticketing and workflow systems for remediation.
Open source vulnerability testing tools provide cost-effective vulnerability detection solutions. Many IT teams even deploy one or more open source tools in addition to commercial vulnerability scanning tools as backup, or as a check to verify vulnerabilities. In our analysis, here are the best open source vulnerability tools for 2023.
Open Source Website and Application Vulnerability Scanners:
- OSV-Scanner – Best Open Source Code Scanner
- sqlmap – Best for Database Scanning
- Wapiti – Best for SQLi Testing
- ZAP (OWASP Zed Attack Proxy) – Best for XSS Testing
Open Source Infrastructure Vulnerability Scanners:
- CloudSploit – Best Cloud Resource Scanner
- Firmwalker – Best for IoT Scanning
- Nikto2 – Best Web Server Scanner
- OpenSCAP – Best for Compliance-Focused Scanning
- OpenVAS – Best for Endpoint and Network Scanning
- Nmap – Best for Network and Port Scanning
After a discussion of the tools, this article will cover how we evaluated the open source vulnerability scanners and who shouldn’t use an open source vulnerability scanner. For those who might need a refresher on vulnerability scanning, consider reading our guide to vulnerability scanning first.
Open Source Website and Application Vulnerability Scanners
In an ever-connected world, developers continuously churn out complex websites and applications. Website and Application (WebApp) scanners test code in various ways to catch programming errors and vulnerabilities before hackers can locate them.
Most tools will detect common, but critical vulnerabilities listed in the OWASP top 10 such as SQL Injections (SQLi) or Cross-site Scripting (XSS), but may do better in one category than another. Organizations will make their selection based upon deployment flexibility, scanning speed, scanning accuracy, and connections to other tools such as ticketing systems or programming workflow products. However, without licensing costs as a barrier, many teams will deploy several open source tools at the same time.
The following table provides an overview of key tools and capabilities and is followed by an in-depth look at each open source application vulnerability scanner.
| Open Source VulnScan Comparison | XSS Testing | SQLi Testing | Database Scanning | Open Source Code Scanning | Automation Option |
|---|---|---|---|---|---|
OSV-Scanner
Best open source code scanner
Several other Software Composition Analysis (SCA) tools significantly predate OSV Scanner’s December 13, 2022 launch date and effectively scan static software for open source programming code vulnerabilities. However, the Google-developed OSV pulls from the OSV.dev open source vulnerability database and works in a host of different ecosystems.
While a newcomer, OSV provides a broader range of vulnerability sources and languages and should be considered as either a replacement, or at least a complementary open-source scanning tool for DevOps teams.
Key features:
- Scans software to locate dependencies and the vulnerabilities that affect them
- Stores information about affected versions in JSON, a machine-readable format that integrates with developer packages
- Scans directories, software bills of materials (SBOMs), lockfiles, Debian-based Docker images, or software running within Docker containers
- Pulls vulnerabilities from a huge number of sources: Alpine, Android, crates.io, Debian, Go, Linux, Maven, npm, NuGet, OSS-Fuzz, Packagist, PyPI, RubyGems and more
- Shows condensed results that reduce the time needed for resolution
- Can ignore vulnerabilities by ID number
Pros:
- Still in active development by Google, so new features will be added
Cons:
- Still in active development, so lacking full features for developer workflow integrations and C/C++ vulnerabilities
- May not yet surpass the specialized capabilities of more focused and older open source SCA tools for their specialty programming languages.
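To show what the JSON version information behind OSV-Scanner looks like and how a scanner turns it into a yes/no answer, here is an added example (not the article's code and not part of the OSV-Scanner project). It reads one vulnerability record in the shape of the public OSV schema, walks the `introduced`/`fixed` events of each affected range, and applies an ignore-by-ID list of the kind the tool supports. The record, the package name `example-lib`, the versions and the ID `OSV-EXAMPLE-0001` are constructed placeholders; the version comparison is a simplified numeric one and does not reproduce the per-ecosystem ordering rules a real scanner implements.

```python
"""Decide whether a package version is affected by an OSV record.

Added example, not code from the article or from OSV-Scanner. The record
shape (affected -> ranges -> events with introduced/fixed) follows the
public OSV schema; IDs, package and versions are constructed placeholders.
"""
import json
from typing import Iterable

SAMPLE_OSV_RECORD = json.dumps({
    "id": "OSV-EXAMPLE-0001",  # placeholder ID, not a real advisory
    "summary": "constructed example: unsafe deserialization in example-lib",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "example-lib"},
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {"introduced": "0"},      # "0" = from the first version
                        {"fixed": "1.4.2"},
                        {"introduced": "2.0.0"},  # regressed in the 2.x line
                        {"fixed": "2.1.0"},
                    ],
                }
            ],
        }
    ],
})


def load_sample_record() -> dict:
    """Parse the constructed record above into a dict."""
    return json.loads(SAMPLE_OSV_RECORD)


def parse_version(version: str) -> tuple:
    """Simplified dotted-numeric version parser (assumption: no pre-release
    tags). Real ecosystems have their own ordering rules, which this toy
    deliberately does not replicate."""
    return tuple(int(part) for part in version.split("."))


def affected_intervals(record: dict, ecosystem: str, package: str) -> list:
    """Turn each range's event stream into [introduced, fixed) pairs.
    A trailing 'introduced' with no 'fixed' yields an open-ended (lo, None)."""
    intervals = []
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != package:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
                continue  # GIT ranges need commit history; not handled here
            lo = None
            for event in rng.get("events", []):
                if "introduced" in event:
                    lo = event["introduced"]
                elif "fixed" in event and lo is not None:
                    intervals.append((lo, event["fixed"]))
                    lo = None
            if lo is not None:
                intervals.append((lo, None))
    return intervals


def is_affected(record: dict, ecosystem: str, package: str, version: str) -> bool:
    """True if version falls inside any [introduced, fixed) interval."""
    v = parse_version(version)
    for lo, hi in affected_intervals(record, ecosystem, package):
        lo_ok = lo == "0" or parse_version(lo) <= v
        hi_ok = hi is None or v < parse_version(hi)
        if lo_ok and hi_ok:
            return True
    return False


def triage(records: Iterable[dict], ecosystem: str, package: str,
           version: str, ignored_ids: Iterable[str] = ()) -> list:
    """IDs of records that affect the package and are not on the ignore
    list (the ignore-by-ID idea, reimplemented here for illustration)."""
    ignored = set(ignored_ids)
    return [r["id"] for r in records
            if r["id"] not in ignored and is_affected(r, ecosystem, package, version)]


if __name__ == "__main__":
    record = load_sample_record()
    for ver in ("1.3.0", "1.4.2", "2.0.5", "2.1.0"):
        print(ver, triage([record], "PyPI", "example-lib", ver))
```

The point worth noticing is the half-open interval: a version equal to the `fixed` value is clean, while the range reopens at the second `introduced` event, which is how the schema records a regression without a second record.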
sqlmap
Best for database scanning
Some DevOps teams want to scan a back-end database before hooking it up to code. sqlmap enables database vulnerability scanning and penetration testing on a wide variety of databases without distracting the DevOps team with unnecessary features and functions.
Key features:
- Automatically recognizes and uses password hashes
- Developed in Python and can be run on any system with a Python interpreter
- Can directly attach to the database for testing via DBMS credentials, IP address, port, and database name
- Full support for more than 35 database management systems including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, IBM DB2, Sybase, SAP MaxDB, Microsoft Access, Amazon Redshift, Apache Ignite, and more
- Performs six types of SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band
Pros:
- Can perform password cracking
- Can search for specific database names and tables
- Supports execution of arbitrary commands and retrieval of standard outputs
Cons:
- Command-line tool with no graphical user interface
- Very specialized tool
- Requires expertise in databases to use effectively
Wapiti
Best for SQLi testing
Wapiti performs black-box scans of websites and applications without examining code. Instead, Wapiti uses fuzzing techniques to inject payloads into scripts and check for common vulnerabilities.
Key features:
- Supports GET and POST HTTP methods for attacks
- Modules test for SQL injection (SQLi), XPath injection, Cross-Site Scripting (XSS), file disclosure, XML eXternal Entity injection (XXE), folder and file enumeration, and more
- Supports HTTP, HTTPS, and SOCKS5 proxies
- Authentication through Basic, Digest, NTLM or GET/POST on login forms
- Scans can be performed on domains, folders, pages, and URLs
Pros:
- Tests a wide variety of potential vulnerabilities
- Some tests show Wapiti detects more SQLi and blind SQLi vulnerabilities than other open source tools such as ZAP
Cons:
- Command-line tool with no graphical user interface
- Requires significant expertise and knowledge to use
ZAP (OWASP Zed Attack Proxy)
Best for XSS testing
OWASP’s Zed Attack Proxy (ZAP), also available on Kali Linux, places itself between the tester’s browser and the web application to intercept requests and act as a “proxy.” This technique allows ZAP to test applications by modifying contents, forwarding packets, and other activities to simulate user and hacker behavior.
Key features:
- Available for major operating systems and Docker
- Docker packaged scans available for quick starts
- Automation framework available
- Comprehensive API available
- Manual and automated exploration available
- Actively maintained by OWASP teams
Pros:
- Very comprehensive
- Both graphical and command-line interfaces are available
- Fast learning curve and great documentation
- Convenient for various levels, from beginners to security teams
- Performs very well at detecting XSS vulnerabilities
- Can perform fuzzing attacks
- ZAP is commonly used by penetration testers, so using ZAP provides an excellent idea of what vulnerabilities casual attackers might locate
Cons:
- Requires additional plugins for some features
- Requires some expertise to use
- Generally produces more false positives than commercial products
Open Source Infrastructure Vulnerability Scanners
Security and IT professionals first developed vulnerability scanners to seek missing patches and misconfigurations in traditional IT networking infrastructure: servers, firewalls, networking equipment, and endpoints. With the increasing complexity of the cloud, virtual machines, and connected devices, vulnerability scanning tools have expanded in number and scope to keep up.
The following table provides a high-level overview of the tools in this category before exploring the tools in depth.
| Open Source IT System VulnScan Comparison | Cloud Resource Scans | Web Server Scans | Endpoint Scans | Network Scans | IoT Scans | Compliance Scans |
|---|---|---|---|---|---|---|
| CloudSploit | Scans AWS, Azure, Google, Oracle | n/a | n/a | n/a | n/a | HIPAA, PCI DSS |
| Firmwalker | Firmware only | n/a | Firmware only | n/a | Firmware scan | n/a |
| Nikto2 | n/a | Robust variety of scans | n/a | n/a | n/a | n/a |
| OpenSCAP | SCAP policy scan | SCAP policy scan | SCAP policy scan | SCAP policy scan | n/a | Must define compliance in advance |
| OpenVAS | n/a | n/a | Robust variety of scans | n/a | n/a | n/a |
| Nmap | Port scans | Port scans | Port scans | Port scans | n/a | n/a |
CloudSploit
Best cloud resource scanner
Aqua open-sourced the core scanning engine of CloudSploit so that users can download, modify, and enjoy the benefits of the basic tool. CloudSploit scans can be performed on demand or configured to run continuously and feed alerts to security and DevOps teams.
Key features:
- Uses a RESTful interface for APIs
- API can be called from the command line, scripts, or build systems (Jenkins, CircleCI, AWS CodeBuild, etc.)
- Read/write controls can give each API key specific permissions
- Each API call is separately trackable
- Continuous CIS Benchmark auditing for AWS, Azure, and Google Cloud
- Continuous scans can deliver alerts on changes to the cloud infrastructure that introduce vulnerabilities as they occur, such as changed security groups, new trusted SSH keys, deactivated MFA devices, deleted logs, and more
Pros:
- Real-time results
- Secure HMAC256 signatures for API key authentication
- Scans for over 95 security risks in seconds
- Intuitive web GUI
- Supports HIPAA and PCI DSS compliance frameworks
- Integrates to send alerts via Slack, Splunk, OpsGenie, Amazon SNS, email, and more
Cons:
- Not available through GitHub
- Automatic update push, some reporting tools, and some integrations may only be available with the paid product (additional features are not open source)
Firmwalker
Best for IoT scanning
A few open source teams developed various tools to scan the firmware and settings for network equipment and the internet of things (IoT). Yet, most tend to lean more towards security tools than vulnerability scanners. However, Firmwalker can search through extracted or mounted firmware and report on potential vulnerabilities.
Key features:
- Can search for SSL-related files and etc/ssl directories
- Can search for configuration, script, and bin files
- Can recognize and report on keywords such as admin, password, and remote
- Can search for URLs, email addresses and IP addresses
Pros:
- Performs a security audit of IoT, networking, OT, and other firmware
- Can locate unexpected files, embedded passwords, or hidden URLs
- Available as a bash script
Cons:
- Requires some programming skills to use effectively
- No GUI available
- Shodan API support is currently experimental
Nikto2
Best web server scanner
Nikto2 is an open-source web server scanner that can spot dangerous files and programs as well as server misconfigurations hackers want to exploit. Users can also access Nikto on Kali Linux.
Key features:
- Checks for over 6,700 potentially dangerous files and programs
- Tests for more than 1,250 outdated server versions and 270 version-specific problems
- Checks for multiple index files and HTTP server options
- Verifies installed web servers and software
- Can perform credential guessing
- Techniques available to reduce false positives
- Outputs to TXT, XML, HTML, NBE or CSV file formats
Pros:
- Small and lightweight software, but still powerful
- Supports files for input and output
- Scan items and plugins are frequently updated and can be updated automatically
- Detects and flags many common issues with web servers
- SSL support for Unix and Windows OS, HTTP proxy support
- Option to deploy encoding techniques for intrusion detection system (IDS) evasion and testing
Cons:
- No graphical interface, command line only
- Very specific, which can be confusing for beginners
- Searches are more limited than some commercial tools
- Thorough scans can take more than 45 minutes to complete
OpenSCAP
Best for compliance-focused scanning
OpenSCAP is an open-source framework for the Linux platform based on the Security Content Automation Protocol (SCAP) maintained by the US National Institute of Standards and Technology (NIST). The OpenSCAP project creates open-source tools for implementing and enforcing this open standard used to enumerate flaws and misconfigurations.
The scanner provides an extensive range of tools that support scanning on web applications, network infrastructure, databases, and hosts. Unlike most scanners that test for Common Vulnerabilities and Exposures (CVEs), OpenSCAP tests the device against the SCAP standard.
Key features:
- Performs vulnerability assessments on systems
- Accesses public databases of vulnerabilities
- The OpenSCAP Base tool provides a NIST-certified command-line scanning tool; a graphical user interface (GUI) is available for ease of use
- The OpenSCAP Daemon can continuously scan infrastructure for SCAP policy compliance
- Other OpenSCAP tools provide desktop scanning, centralized scan results, or compliant computer images
- Integrates with systems management solutions such as Red Hat Satellite 6, RH Access Insights and more
- The Atomic Scan option can scan containers for security vulnerabilities and compliance issues
Pros:
- Quick identification of security issues and instant corrective operations
- Supported by Red Hat and other open-source vendors
- Combines security vulnerability and compliance scanning
- Can scan Docker container images
Cons:
- Significantly harder to learn than many other tools
- The multiple tools in the OpenSCAP system can be confusing
- Users need to know the security policy that matches their needs
- Many tools only run on Linux, and some tools only run on specific Linux distributions
OpenVAS
Best for endpoint and network scanning
Developers created OpenVAS as a multi-purpose scanner by using the last available open source code for Nessus, now a market-leading commercial product released by Tenable. OpenVAS maintains high capabilities to perform large-scale assessments and network vulnerability tests on traditional endpoints and networks. The tool collects insights from a massive range of sources and an extensive database of vulnerabilities.
Key features:
- Scans systems for known vulnerabilities and missing patches
- Web-based management console
- Can be installed on any local or cloud-based machine
- Provides insights on each vulnerability, such as how to eliminate the vulnerability or how attackers might exploit it
Pros:
- Actively maintained by Greenbone
- Covers many CVEs (common vulnerabilities and exposures)
- The scan database is updated regularly
- Large community for peer support
- Organizations that outgrow the Community Edition can upgrade to the Greenbone Enterprise Appliance or Greenbone Cloud Service
Cons:
- Can be overwhelming for beginners and requires some expertise
- Large numbers of concurrent scans can crash the program
- No policy management
- Greenbone Community Edition only scans basic endpoint assets, or Home Application Products, such as Ubuntu Linux, MS Office, etc.
- To scan enterprise products or obtain access to Policies, organizations need to upgrade to the for-pay Greenbone Enterprise version
Nmap
Best for network and port scanning
The Nmap Security Scanner supports binary packages for Windows, macOS, and Linux and is included in many Linux builds. Nmap uses IP packets to scan device ports and determine what hosts, services, and operating systems are available from the asset under inspection. Penetration testers and IT teams value Nmap as a quick, effective, and lightweight tool to list open ports on a system.
Key features:
- Host discovery quickly determines which IP addresses are up and available on a network
- Uses TCP/IP stack characteristics to guess device operating systems
- Growing library of 500 scripts for enhanced network discovery and vulnerability assessment
- Quickly scans open ports on a system and determines available TCP/UDP services
- Interrogates ports to determine running protocols, applications and version numbers
Pros:
- Large user base and open source community
Cons:
- No formal support for customers
- Requires some expertise and IT knowledge to use effectively
How We Evaluated Open Source Vulnerability Scanners
The staff at eSecurity Planet researched a variety of open source vulnerability scanning tools for this article. We used content from community forums, tool websites, and other resources to obtain industry feedback on the tools.
To be included, tools needed to be primarily vulnerability scanning tools, so penetration testing or security tools (endpoint, network, etc.) that merely include a vulnerability scanning function were not generally included. We assume readers are looking for specific tools for vulnerability scanning, and we have published other articles on those topics.
Also, the open-source project needed to be updated relatively recently to demonstrate that the tool is keeping pace with the discovery of vulnerabilities. Many popular open source tools such as Arachni, Lynis, Vega, and w3af could not be included because they have not been updated in several years.
Where possible, a winner was selected for a category. However, if a winner could not be selected and another tool on our recommended list could perform some of the functions, then we dropped the category.
For example, many developers created open source container-vulnerability scanning tools such as Anchore, Clair, Dagda, and Trivy. While reviews cite effective results, they also cite significant missing features and difficulty with use or integration. Since OpenSCAP and OSV-Scanner both have some ability to scan containers, we dropped an exclusive container vulnerability scanning tool category for this year.
Who Shouldn’t Use an Open Source Vulnerability Scanner?
Open source tools can often be downloaded, modified, and used for free. So why shouldn’t everyone use them?
Open source scanners tend to require more technical expertise, more time, and more effort from the IT team members using the tool. Even organizations with expertise in-house often purchase commercial vulnerability scanning tools or vulnerability-management-as-a-service (VMaaS) instead to save time and the hidden labor costs.
In general open source tools will not have the same features, integrations, and capabilities of commercial tools. Open source tools will also lack formal technical support, but some consultants and for-profit companies, such as Greenbone for OpenVAS, provide service and support for a fee. Open source tools may have robust communities available for peer-to-peer support, but the response time to questions can vary and there is no guarantee of helpful responses.
Open source tools also generally rely upon open source databases. This might mean that these tools lag behind commercial tools that have employees dedicated to updating vulnerability databases and in-house research. However, researchers often contribute vulnerabilities to these databases as well, so there are some open source tools that lag only the most aggressively updated commercial tools.
An issue not exclusive to open source is that most open source projects rely upon open source building blocks in their development. Contributors regularly police the libraries and work to eliminate vulnerabilities in the code as they are discovered in the software bill of materials (SBOM). However, whether commercial software is more aggressive than open source teams in closing off potential vulnerabilities needs to be evaluated on a case-by-case basis.
Can Penetration Testing Tools Be Used for Vulnerability Scans?
Many blogs and lists of open source vulnerability scanning tools include a variety of penetration testing tools such as Wireshark, Metasploit, and Aircrack-ng. While penetration testing tools can be used to locate vulnerabilities, most of these tools have not been designed to integrate with ticketing systems, provide any ranking or prioritization of vulnerabilities, or incorporate the likelihood of exploitation.
Penetration testing tools work great, but were designed for a different purpose. Engineers and technicians who use penetration testing tools for vulnerability assessments do so more out of habit and comfort level than because they are efficient vulnerability scanning tools.
Bottom Line: Open Source Vulnerability Scanners
The most important step in vulnerability management is to start. Whether or not an organization chooses open source or commercial tools will depend upon their resources and preferences, but the tools should be deployed and used regularly. Regular use of vulnerability scanning tools can detect issues before attackers and give internal teams the time to remediate the issues.
Fortunately, the low cost of open source tools allows for IT, security, and DevOps teams to deploy multiple open source tools even if they also use commercial tools. Hackers often use open source tools to scan systems and software for exploitation, so periodically using these open source tools provides insight into a hacker’s viewpoint and priorities. Even though these tools can demand more effort and expertise, open source vulnerability tools provide a valuable resource to any organization that can effectively use them.
Julien Maury contributed to this report.