Application Security Tools

Curated list of free/open source application security tools

SAST

• Security Code Review

  • CodeQL
  • Semgrep
  • Snyk Code
  • Bandit
  • Brakeman
  • nodejsscan
  • ShiftLefSecurity Scan
  • SonarQube Commuinity Edition
  • GoKart
  • Pysa
  • SCORE Bot
  • ShellCheck
  • CodeCat

• Software Composition Analysis(SCA)

  • Dependency-Track
  • OWASP Dependency-Check
  • GitHub Dependabot
  • Snyk Open Source
  • npm-audit
  • Retire.js
  • It-Depends
  • Eclipse Steady
  • deps.dev
  • DazedAndConfused
  • Confused
  • MavenDependencyCheck
  • OchronaSec

• Secrets Scanning

  • GitHub secret scanning
  • truffleHog
  • Driftwood
  • Gitleaks
  • git-secrets
  • Whispers
  • gittyleaks
  • git-all-secrets
  • detect-secrets
  • Gitrob
  • Token-Hunter
  • Credential Digger
  • GitHound
  • Repo-supervisor
  • repo-security-scanner
  • Surch
  • GitLab Watchman
  • Slack Watchman
  • Talisman
  • GitGuardian

DAST

• OWASP ZAP
• Burp Suite Community Edition
• ugly-duckling
• Arachni
• Nikto2
• Nuclei
• Vega
• w3af
• Commix
• sqlmap
• Astra

Misc

• Border Collie
• Gordon
• weggli
• Sourcetrail
• OpenSSF CVE Benchmark
• Listo
• goSDL
• DefectDojo
• Joern

Further References

• Application Security Knowledgebase
• OWASP Source Code Analysis Tools
• OWASP Component Analysis
• OWASP Vulnerability Scanning Tools
• Top 9 Git Secret Scanning Tools for DevSecOps
• Web Application Security Scanner List
• AppSec Map
• Security Tools!
• Free for Open Source Application Security Tools
• Static Analysis Tools

I found a lot of these tools via tldrsec newsletter, shoutout to Clint Gibler for putting out amazing contents every week. Feel free to recommend any tools that i am missing here.