We curate open-source GitHub repositories matching “open source vulnerability scanner”. Results are ranked by relevance to the query.
Clair is a container vulnerability scanner that performs static analysis of container images to identify known security vulnerabilities. It functions as an analyzer for OCI and Docker images, indexing their contents to detect security risks and outdated packages without requiring the containers to be running. The tool identifies vulnerabilities by matching indexed container components against security databases to find common vulnerabilities and exposures. This process involves analyzing filesystem layers to track the provenance and versioning of packages across the image hierarchy. The proj
Clair is a dedicated container vulnerability scanner that analyzes container images for known CVEs and supports self-hosted deployment, CLI usage, and CI/CD integration, which squarely matches the need for scanning software dependencies and containers for security risks.
Vuls is an agentless vulnerability scanner and CVE intelligence aggregator. It identifies security flaws in operating systems, containers, and network devices without requiring the installation of permanent software agents on target machines. The project distinguishes itself by cross-referencing software versions against multiple vulnerability databases, security advisories, and known exploit catalogs. It utilizes platform-based enumeration and lockfile analysis to detect vulnerabilities in network hardware, programming libraries, and website plugins. The tool covers a broad range of securit
Vuls is an agentless vulnerability scanner that cross-references multiple CVE databases, scans dependencies via lockfile analysis, and supports container and OS scanning, making it a comprehensive self-hostable CLI tool that fits your requirements for identifying and remediating risks.
osv-scanner is a software composition analysis tool and vulnerability scanner that checks project dependencies and container images against the Open Source Vulnerabilities database. It functions as a dependency remediation tool and can be integrated into custom Go applications as a programmable security library. The project distinguishes itself through a remediation workflow that includes an interactive terminal user interface and automated scripting for upgrading vulnerable packages in lockfiles and manifests. It employs call-graph reachability analysis to determine if vulnerable code is act
osv-scanner is a software composition analysis tool that scans project dependencies and container images against the Open Source Vulnerabilities database (which includes CVE data), supports CI/CD integration, generates reports (including SARIF), and runs as a self-hostable CLI — directly matching this search's requirements for a vulnerability scanner.
Grype is a command-line security scanner designed to identify known vulnerabilities within container images, filesystems, and software manifests. It functions as a software composition analysis tool that detects security flaws in application components and open-source libraries to support supply chain security. The tool distinguishes itself by reconstructing the final state of container images through layered filesystem inspection and normalizing diverse package formats into a unified dependency graph. It maintains a local cache of security advisories synchronized from multiple upstream sourc
Grype is a command-line software composition analysis tool that scans container images, filesystems, and software manifests for known vulnerabilities using a cached database of security advisories from multiple sources, making it a thorough vulnerability scanner with support for CI/CD, dependency scanning, and report generation.
Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain. The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations agai
Trivy is a self-hostable CLI vulnerability scanner that integrates CVE databases, scans dependencies, containers, and infrastructure as code, and is built for CI/CD pipelines with reporting capabilities—exactly the comprehensive tool this search describes.
Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security
Checkov is an open-source static analysis and security scanner that covers infrastructure as code, container images, and dependencies via SCA, directly matching the need for a vulnerability scanner with CVE integration, CLI, and CI/CD support.
Clair is a container image vulnerability scanner and security analyzer. It performs static analysis of container images by matching package contents against vulnerability databases to identify security risks across different package formats and architectures. The project functions as both an image indexer and a vulnerability database manager. It processes container layers into intermediate representations to enable fast security lookups and synchronizes security metadata from multiple external sources to maintain a local registry. Capability areas include continuous security monitoring, whic
Clair is a specialized container image vulnerability scanner that analyzes container layers against CVE databases, making it a strong fit for scanning containers and their dependencies, though it focuses solely on containers rather than broader project or system scanning.
This project is a suite of automated tools and an LLM code review framework designed for design auditing, security scanning, and AI-driven code analysis. It functions as a developer workflow orchestrator that uses static analysis agents and agent-based workflows to automate pull request analysis and security audits. The system employs a dual-loop agent architecture to coordinate primary analysis and secondary verification, reducing false positives. It distinguishes itself through the use of browser automation to perform live UI component testing and verify frontend changes against accessibili
This repository is an open-source workflow orchestrator that includes dependency vulnerability scanning, static analysis, and security scanning with CI/CD integration, making it a valid software vulnerability scanner—just one that also covers broader code review and design auditing tasks.
Snyk is a developer-focused security platform designed to identify and remediate vulnerabilities across the entire software development lifecycle. It provides a unified workflow for scanning open-source dependencies, container images, infrastructure-as-code configurations, and application source code. By integrating directly into local development environments, command-line interfaces, and CI/CD pipelines, the platform enables teams to detect security risks and enforce policy-driven automation before code reaches production. The platform distinguishes itself through a broker-based secure prox
Snyk CLI is a comprehensive open-source tool that scans dependencies, containers, and source code for vulnerabilities via CVE integration, offers CLI and CI/CD integration, generates reports, and supports self-hosted deployment through its broker proxy, making it a strong fit for this search.
SkillSpector is a security scanner designed to detect vulnerabilities and malicious patterns in AI agent plugins and extensions before they are installed. It functions as a runtime guardrail that calculates numeric risk scores and assigns severity labels to provide installation recommendations or block risky external extensions. The project distinguishes itself by using language models to perform semantic code analysis, evaluating code intent and context to reduce false positives. It also employs fingerprint-based issue suppression to track and ignore previously accepted risks across repeated
SkillSpector is a vulnerability scanner specialized for AI agent plugins and extensions, using semantic analysis and CVE-based detection – it fits the software vulnerability scanner category but is narrowly focused on one type of component rather than general projects, containers, or dependencies.
The Snyk CLI is a command-line security scanner that detects known vulnerabilities across open-source dependencies, proprietary application code, container images, and infrastructure-as-code configuration files. It also serves as a platform management tool, allowing users to configure organizations, users, SSO, and reporting from the terminal rather than the web dashboard. The CLI integrates directly into development workflows, enabling scanning within IDEs, build pipelines, and version control systems. It implements static analysis with interfile data flow analysis to find complex security f
Snyk’s CLI is an open-source command-line vulnerability scanner that checks dependencies, containers, and code for known CVEs and integrates with CI/CD, but it depends on Snyk’s proprietary backend rather than being a fully self-hostable scanner.
SonarQube is a static code analysis platform used to scan source code and infrastructure scripts across multiple languages. It detects bugs, security vulnerabilities, and maintainability issues to ensure software meets reliability and security standards. The platform implements automated quality gates for continuous integration and delivery pipelines, verifying code against defined rules during merge or pull requests. It also integrates directly with code editors to provide real-time analysis results and quick-fix guidance during development. The system covers broad functional areas includin
SonarQube is a self-hostable static code analysis platform that detects security vulnerabilities in source code and infrastructure scripts, and it offers CI/CD integration, CLI scanning, and reporting. While it covers software vulnerability scanning, its core focus is static analysis rather than dedicated dependency or container image scanning, so it fits the category but falls short of a comprehensive vulnerability scanner for all the listed features.
ScanCode Toolkit is a software composition analysis tool and scanning framework designed to identify open-source licenses and copyright statements in source code and binary files. It functions as an open-source license detector, a dependency vulnerability scanner, and a generator for standardized software bills of materials in SPDX and CycloneDX formats. The project is built as a plugin-based scanning framework, allowing the integration of custom detection logic, specialized analyzers, and modified scanning behaviors at runtime. It distinguishes itself through the ability to produce formal le
ScanCode Toolkit is a software composition analysis tool that includes dependency vulnerability scanning and generates SBOMs, making it a solid fit for a self-hostable CLI scanner with CI/CD integration and report generation, though container scanning is not its primary focus.
Dependency-Track is a software composition analysis tool and vulnerability management system designed to track dependencies and supply chain risk. It functions as a platform for ingesting and analyzing CycloneDX software bills of materials to identify known vulnerabilities and license compliance issues within third-party software components. The system distinguishes itself by mirroring external vulnerability databases locally to enable fast offline analysis and using VEX documents to differentiate between technical vulnerabilities and actual contextual risks. It also integrates with identity
Dependency-Track is a software composition analysis platform that specializes in scanning dependencies and supply chain risk using SBOMs, with built-in CVE database mirroring, self-hosting, and CI/CD integration — exactly what this search needs, though container image scanning is not a primary focus.
Bearer is a static analysis security testing tool and privacy compliance auditor. It identifies security vulnerabilities, hard-coded secrets, and privacy risks in source code through static analysis and data flow tracing. The tool distinguishes itself by tracking the movement of sensitive data through code to identify leaks and by mapping personal and health-related information flows to generate evidence for privacy impact assessments. It also provides differential scanning for pull requests and uses fingerprint-based suppression to exclude known false positives from reports. The platform co
Bearer is a static analysis security testing tool that scans source code for vulnerabilities, secrets, and privacy leaks — a genuine software vulnerability scanner for your projects, though it does not cover dependency or container image scanning as built-in features.
Kubescape is a security platform for Kubernetes that provides tools for scanning clusters, configurations, and container images against industry compliance and security benchmarks. It functions as a suite of security utilities, including a compliance auditor, a misconfiguration scanner, and a container vulnerability scanner. The project differentiates itself through automated remediation and active enforcement. It can automatically patch operating system vulnerabilities in images and fix security errors within manifest files. It also utilizes an admission controller to block the deployment of
Kubescape is a Kubernetes-focused security platform that scans container images for known vulnerabilities (CVE database), misconfigurations, and compliance issues, meeting the requirement for a self-hostable CLI tool with CI/CD integration even though its scope is limited to container and cluster scanning rather than general software dependency analysis.
Nuclei is a modular security scanning framework designed for automated vulnerability detection and infrastructure reconnaissance. It functions as a template-driven engine that executes security checks across diverse network protocols, allowing users to define custom detection logic to identify vulnerabilities, misconfigurations, and exposed assets. The platform distinguishes itself through its highly extensible architecture, which supports distributed scanning, headless browser automation for dynamic web content, and out-of-band interaction monitoring to detect blind vulnerabilities. It integ
Nuclei is a template-driven vulnerability scanner that detects known CVEs and misconfigurations across network protocols and services, fitting the core need for automated vulnerability identification, though it lacks dedicated software dependency scanning and container image analysis features requested.
This project is a set of specialized utilities for Windows vulnerability assessment and patch management auditing. It functions as a vulnerability scanner and exploit suggester that analyzes installed updates to identify missing security patches and their corresponding known vulnerabilities. The system distinguishes itself by matching missing updates against a consolidated vulnerability database to recommend specific publicly available exploits. It maintains accuracy by synchronizing remote security bulletins into a local database and cross-referencing identified gaps against official update
wesng is a Windows-specific vulnerability scanner that identifies missing security patches and maps them to known CVEs and exploits, which fits the core need of scanning for vulnerabilities but does not cover dependency or container image scanning as required.
Docker Scout CLI
Docker Scout CLI is a container image vulnerability scanner that uses CVE data, generates SBOMs and reports, and works from the command line with CI/CD integration, making it a good fit for scanning containers and their dependencies, though its focus is narrower than general software project scanning.
OpenSCAP is a system and container vulnerability scanner that uses SCAP standards for compliance and CVE-based scanning, making it a genuine vulnerability scanner, though it lacks dedicated dependency scanning for software projects.