Top 23 vulnerability-detection Open-Source Projects

• trivy

  82 21,316 9.7 Go

  Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

  

Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16

Trivy Owner/Maintainer: Aqua Security Age: First released on GitHub on May 7th, 2019 License: Apache License 2.0 backward-compatible with tfsec

• nuclei

  17 17,234 9.8 Go

  Fast and customizable vulnerability scanner based on simple YAML based DSL.

  

Project mention: The 36 tools that SaaS can use to keep their product and data safe from criminal hackers (manual research) | /r/SaaS | 2023-05-22

Nuclei

• InfluxDB

  www.influxdata.com sponsored

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• lynis

  72 12,507 7.8 Shell

  Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.

  

Project mention: Who does check linux distros of malware - open source | /r/linux | 2023-12-10

Linux has (free) tools to improve security and detect/remove malware: Lynis,Chkrootkit,Rkhunter,ClamAV,Vuls,LMD,radare2,Yara,ntopng,maltrail,Snort,Suricata...

• vuls

  3 10,671 8.8 Go

  Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices

  

• kubescape

  76 9,686 9.5 Go

  Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.

  

Project mention: CodiumAI PR-Agent Dominates the Dev World with Versatility and Open-Source Power | dev.to | 2023-12-03

CodiumAI PR-Agent’s influence extends deeply within open-source projects. An exemplary illustration is Kubespace, a Cloud Native Computing Foundation (CNCF) sandbox project. Since its adoption in August, Kubespace has been utilizing the PR-Agent service. They also recently had a public bug bounty collaboration with CodiumAI. This program added an extra layer of community-driven scrutiny, encouraging contributors to utilize simple commands like /describe for effective pull request messages. Here the contributor wanted to better describe the PR, so he used the /describe prompt.

• Wazuh

  151 9,161 10.0 C

  Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.

  

Project mention: Exclude certain CIS (sca) rules from agents | /r/Wazuh | 2023-12-11

There is currently no feature for excluding specific SCA rules however this feature has been requested here and would be added to the roadmap for future releases.

• nuclei-templates

  13 8,024 10.0 JavaScript

  Community curated list of templates for the nuclei engine to find security vulnerabilities.

  

Project mention: Script kiddie tools preferred by the hackers of this channel? | /r/hacking | 2023-07-08

Check https://github.com/projectdiscovery/nuclei mostly for CVEs.

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• DependencyCheck

  11 5,863 9.4 Java

  OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

Project mention: OWASP dependency check (<9.0.0) could fail to work after Dec 15th, 2023 | /r/programming | 2023-12-05

• scan4all

  1 5,231 7.7 Go

  Official repository vuls Scan: 15000+PoCs; 23 kinds of application password crack; 7000+Web fingerprints; 146 protocols and 90000+ rules Port scanning; Fuzz, HW, awesome BugBounty( ͡° ͜ʖ ͡°)...

  

• ThreatMapper

  32 4,631 9.9 TypeScript

  Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.

  

Project mention: ThreatMapper: Open-source cloud native security observability platform | news.ycombinator.com | 2023-09-10

• arachni

  2 3,639 1.5 Ruby

  Web Application Security Scanner Framework

  

Project mention: Self-Host Vulnerability Scanner | /r/selfhosted | 2023-07-09

• vulscan

  3 3,314 3.4 Lua

  Advanced vulnerability scanning with Nmap NSE

  

Project mention: Scanning ports and finding network vulnerabilities using nmap | dev.to | 2023-12-01

Few people know that nmap is not just for reconnaissance work. Among other things, it allows finding vulnerabilities based on scripts prepared by the community and the tool's developers. Examples include nmap-vulners, vulscan or already prepared scripts that are installed along with nmap.

• openvas-scanner

  9 2,870 9.3 C

  This repository contains the scanner component for Greenbone Community Edition.

  

Project mention: Monthly Security Checklist | /r/msp | 2023-06-25

OpenVAS - https://github.com/greenbone/openvas-scanner

• dependency-track

  18 2,315 9.8 Java

  Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

  

Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21

I've become interested in SBOM recently, and found there were great tools like https://dependencytrack.org/ for CycloneDX SBOMs, but all I have is SPDX SBOMs generated by GitHub.

I decided to have a go at writing my own dependency track esque tool aiming to integrate with the APIs GitHub provides.

It's pretty limited in functionality so far, but can give a high level summary of the types of licenses your repository dependencies use, and let you drill down into potentially problematic ones.

Written in NextJS + mui + sqlite, and using another project of mine to generate most of the API boilerplate/glue (https://github.com/mnahkies/openapi-code-generator)

• cve-search

  1 2,197 8.0 Python

  cve-search - a tool to perform local searches for known vulnerabilities (by cve-search)

  

• kics

  13 1,896 9.9 Open Policy Agent

  Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

  

Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16

KICS (stands for "Keeping Infrastructure as Code Secure"): Owner/Maintainer: Checkmarx Age: First released on GitHub on November 30th, 2020 License: Apache License 2.0

• rapidscan

  1 1,650 4.1 Python

  :new: The Multi-Tool Web Vulnerability Scanner.

  

• safety

  7 1,626 6.5 Python

  Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.

  

Project mention: A Tale of Two Kitchens - Hypermodernizing Your Python Code Base | dev.to | 2023-11-12

Safety and Dependabot complement these security tools by focusing on external dependencies. Safety takes charge of examining your dependencies, ensuring they are up-to-date and free from any known vulnerabilities. Dependabot works similarly, scanning dependencies, verifying if they're current and assessing them for potential security flaws. This function is crucial as weaknesses in external dependencies can compromise the security of the entire codebase.

• metlo

  21 1,567 6.0 TypeScript

  Metlo is an open-source API security platform.

  

Project mention: Using Metlo to Secure My Personal Finance App | dev.to | 2023-06-29

So far, I’ve been using Metlo's protection features to initially test out its capabilities on my app, but there’s still a whole other Testing feature that it has that I'm starting to look into. Everything I’ve tried out has been pretty quick and easy so hopefully I can play around with the Testing more to help me catch any other authentication or authorization vulnerabilities that might exist in my app. If this is something that interests you, you can check it out at https://metlo.com .

• graudit

  1 1,344 0.0 Shell

  grep rough audit - source code auditing tool

• trivy-operator

  2 1,038 9.6 Go

  Kubernetes-native security toolkit

  

• Open-Source-Security-Guide

  23 850 6.4 Go

  Open Source Security Guide. Learn all about Security Standards (FIPS, CIS, FedRAMP, FISMA, etc.), Frameworks, Threat Models, Encryption, and Benchmarks.

• killshot

  2 613 2.8 Ruby

  A Penetration Testing Framework, Information gathering tool & Website Vulnerability Scanner

• SaaSHub

  www.saashub.com sponsored

  SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  

vulnerability-detection related posts

• Exclude certain CIS (sca) rules from agents
  1 project | /r/Wazuh | 11 Dec 2023
• Deployment issue
  1 project | /r/Wazuh | 11 Dec 2023
• Greenbone
  1 project | /r/ITProTuesday | 8 Dec 2023
• Update vulnerability databases through proxy with authentication
  3 projects | /r/Wazuh | 7 Dec 2023
• 💻 Introducing Wazuh 4.7.0.
  1 project | /r/Wazuh | 6 Dec 2023
• Scanning ports and finding network vulnerabilities using nmap
  2 projects | dev.to | 1 Dec 2023
• Mageni
  1 project | /r/selfhosted | 8 Sep 2023
• A note from our sponsor - WorkOS
  workos.com | 26 Apr 2024

  The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning. Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com