Tools: Your AI-Generated Code Has No Security Layer. These Open-Source Tools Fix That.

A lot of AI-generated code ships with zero security validation. File uploads with no checks. Secrets hardcoded in config files. Dependencies never scanned. Containers running as root. The open-source tooling to fix all of this exists and is production-ready. Most developers just haven't plugged it in yet.

TL;DR: you don't need a $500/month SaaS contract to have a real security layer. These 7 tools cover the gaps vibe-coded stacks almost always miss.

1) OWASP ZAP

zaproxy / zaproxy

The ZAP by Checkmarx Core project

What it is: the most widely used open-source web application security scanner in the world.

Why it matters: runs automated active and passive scans against your app before attackers do. CI-friendly, scriptable, and free.

The Zed Attack Proxy (ZAP) by Checkmarx is the world's most widely used web app scanner. Free and open source. A community-based GitHub Top 1000 project that anyone can contribute to. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing. For more details about ZAP see the website: zaproxy.org

2) Trivy

aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

What it is: a comprehensive vulnerability scanner for containers, filesystems, Git repos, and cloud configs.

Why it matters: one command tells you what CVEs are hiding in your Docker image or your npm lockfile. Fast, accurate, and zero setup friction.

Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

- Container Image
- Git Repository (remote)
- Virtual Machine Image

Scanners (what Trivy can find there):

- OS packages and software dependencies in use (SBOM)
- Known vulnerabilities (CVEs)
- IaC issues and misconfigurations
- Sensitive information and secrets
- Software licenses

Trivy supports most popular programming languages, operating systems, and platforms. For a complete list, see the Scanning Coverage page. To learn more, go to the Trivy homepage for feature highlights, or to the Documentation site for detailed information.

Trivy is available in most common distribution channels. The full list of installation options is available in the Installation page.
Here are a few popular installation examples:

- brew install trivy
- docker run aquasec/trivy
- Download binary from https://github.com/aquasecurity/trivy/releases/latest/

3) HashiCorp Vault

hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management

What it is: secrets management and encryption as a service, fully self-hosted.

Why it matters: if your team is still rotating API keys by hand or storing secrets in environment files committed to git, this is the tool that ends that pattern.

Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at [email protected].

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a…

- Website: developer.hashicorp.com/vault
- Documentation: https://developer.hashicorp.com/vault/docs
- Tutorials: https://developer.hashicorp.com/vault/tutorials

4) Falco

falcosecurity / falco

Cloud Native Runtime Security

What it is: a runtime security tool that detects anomalous behavior inside containers and Kubernetes workloads.

Why it matters: static scanning catches known vulnerabilities. Falco catches what happens at runtime — unexpected syscalls, privilege escalation, suspicious network activity. Different layer, different threat model.

Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real time. At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, based on custom rules. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
Falco, originally created by Sysdig, is a graduated project under the Cloud Native Computing Foundation (CNCF) used in production by various organisations. For detailed technical information and insights into the cyber threats that Falco can detect, visit the official Falco website. For comprehensive information on the latest updates and changes to the project, please refer to the Change Log. The Falco Project codebase is maintained under the…

5) Nuclei

projectdiscovery / nuclei

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.

What it is: a fast, template-based vulnerability scanner built for real-world attack surface testing.

Why it matters: thousands of community-maintained templates covering CVEs, misconfigurations, exposed panels, and more. This is what proper recon looks like before a pentest — or before launch.

Nuclei is a modern, high-performance vulnerability scanner that leverages simple YAML-based templates. It empowers you to design custom vulnerability detection scenarios that mimic real-world conditions, leading to zero false positives.

- Simple YAML format for creating and customizing vulnerability templates.
- Contributed by thousands of security professionals to tackle trending vulnerabilities.
- Reduce false positives by simulating real-world steps to verify a vulnerability.
- Ultra-fast parallel scan processing and request clustering.
- Integrate into CI/CD pipelines for vulnerability detection and regression testing.
- Supports multiple protocols like TCP, DNS, HTTP, SSL, WHOIS, JavaScript, Code and more.
- Integrate with Jira, Splunk, GitHub, Elastic, GitLab.

6) OpenSSF Scorecard

ossf / scorecard

What it is: automated checks that assess the security posture of open-source projects you depend on.

Why it matters: most teams audit their own code. Nobody audits the 847 packages sitting under their dependencies. Scorecard makes supply chain risk visible and measurable.

We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe. Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve…

7) Pompelmi

pompelmi / pompelmi

In-process file upload security for Node.js

What it is: a privacy-first Node.js file upload scanner with YARA rule support, ZIP bomb detection, and MIME type validation.

Why it matters: file upload endpoints are one of the most commonly overlooked attack surfaces.
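What "check the bytes, not the headers" looks like in practice: an added example in plain Node.js, not pompelmi's own API or code, showing two of the checks this section describes, MIME validation from magic bytes and a ZIP-bomb expansion-ratio check on the ZIP local file headers. The allow list, the 100x ratio limit and all sample buffers are constructed assumptions.

```javascript
// Added example (not pompelmi's own API): validate an upload from its bytes,
// in-process, before anything is written to disk. Sample buffers are constructed.
const MAGIC = [
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] },
  { mime: 'application/zip', bytes: [0x50, 0x4b, 0x03, 0x04] },
];

// Identify the type from the leading bytes; the client's Content-Type is never trusted.
function sniffMime(buf) {
  const hit = MAGIC.find(m => m.bytes.every((b, i) => buf[i] === b));
  return hit ? hit.mime : null;
}

// Walk the ZIP local file headers and total declared compressed vs uncompressed bytes.
// A huge ratio is the ZIP-bomb signal. Entries that defer their sizes to a data
// descriptor (general-purpose flag bit 3) cannot be checked before inflating.
function zipExpansion(buf) {
  let off = 0, comp = 0, uncomp = 0, unverifiable = false;
  while (off + 30 <= buf.length && buf.readUInt32LE(off) === 0x04034b50) {
    const flags = buf.readUInt16LE(off + 6);
    const csize = buf.readUInt32LE(off + 18), usize = buf.readUInt32LE(off + 22);
    const nlen = buf.readUInt16LE(off + 26), elen = buf.readUInt16LE(off + 28);
    if (flags & 0x8) unverifiable = true;
    comp += csize; uncomp += usize;
    off += 30 + nlen + elen + csize;
  }
  return { ratio: comp ? uncomp / comp : 0, unverifiable };
}

const DEFAULT_ALLOW = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf', 'application/zip'];

// Decide before the bytes touch disk. declaredMime is the request's Content-Type header.
function scanUpload(buf, declaredMime, { allow = DEFAULT_ALLOW, maxRatio = 100 } = {}) {
  const declared = String(declaredMime).split(';')[0].trim().toLowerCase();
  const actual = sniffMime(buf);
  if (!actual) return { ok: false, reason: 'unrecognised file type' };
  if (!allow.includes(actual)) return { ok: false, reason: `type not allowed: ${actual}` };
  if (actual !== declared) return { ok: false, reason: `spoofed content-type: ${declared} is really ${actual}` };
  if (actual === 'application/zip') {
    const { ratio, unverifiable } = zipExpansion(buf);
    if (unverifiable) return { ok: false, reason: 'zip sizes deferred to data descriptor' };
    if (ratio > maxRatio) return { ok: false, reason: `zip expands ${ratio}x (limit ${maxRatio})` };
  }
  return { ok: true, mime: actual };
}
```

This catches spoofed types and naive ZIP bombs; polyglots and macro-embedded documents need content rules on top, which is what pompelmi's YARA support is for.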
Most AI-generated upload handlers do exactly zero validation beyond file size. Pompelmi plugs that hole without sending your users' files to a third-party API — the scanning runs entirely on your infrastructure.

Secure file upload scanning for Node.js — private, in-process, zero cloud dependencies. Scan files before they touch disk • No cloud APIs, no daemon • TypeScript-first • Drop-in framework adapters

Why pompelmi?

Most upload handlers check the file extension and content-type header — and stop there. Real threats arrive as ZIP bombs, polyglot files, macro-embedded documents, and files with spoofed MIME types. pompelmi scans file bytes in-process, before anything is written to disk or stored, blocking threats at the earliest possible point — with no cloud API and no daemon.

Final thought

Security tooling used to feel like something you bolted on after the fact — expensive, painful, slow. The open-source ecosystem closed that gap. Every tool on this list is free, maintained, and drops into a real pipeline. The only question left is whether you add this layer before or after the breach.

Which one are you missing from your stack?