30 open-source projects similar to aboutcode-org/scancode-toolkit, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Scancode Toolkit alternative.
The Snyk CLI is a command-line security scanner that detects known vulnerabilities across open-source dependencies, proprietary application code, container images, and infrastructure-as-code configuration files. It also serves as a platform management tool, allowing users to configure organizations, users, SSO, and reporting from the terminal rather than the web dashboard. The CLI integrates directly into development workflows, enabling scanning within IDEs, build pipelines, and version control systems. It implements static analysis with interfile data flow analysis to find complex security f
AboutLibraries is an open-source license compliance tool designed to collect, validate, and display third-party library licenses within software projects. It functions as a system for gathering dependency metadata at compile time and validating those libraries against a list of approved licenses to ensure legal compliance. The project provides a license validation engine that can enforce compliance by halting the build process when unauthorized licenses are detected. It also includes a set of visual components for rendering dependency and funding information within a user interface for third-
osv-scanner is a software composition analysis tool and vulnerability scanner that checks project dependencies and container images against the Open Source Vulnerabilities database. It functions as a dependency remediation tool and can be integrated into custom Go applications as a programmable security library. The project distinguishes itself through a remediation workflow that includes an interactive terminal user interface and automated scripting for upgrading vulnerable packages in lockfiles and manifests. It employs call-graph reachability analysis to determine if vulnerable code is act
Dependency-Track is a software composition analysis tool and vulnerability management system designed to track dependencies and supply chain risk. It functions as a platform for ingesting and analyzing CycloneDX software bills of materials to identify known vulnerabilities and license compliance issues within third-party software components. The system distinguishes itself by mirroring external vulnerability databases locally to enable fast offline analysis and using VEX documents to differentiate between technical vulnerabilities and actual contextual risks. It also integrates with identity
This project is a command line interface for managing, installing, and publishing JavaScript packages to a remote registry. It serves as a dependency resolution tool, a software registry publishing client, and a security auditor for Node.js development workflows. The tool distinguishes itself by providing integrated monorepo workspace management and a comprehensive registry authentication client that supports multi-factor authentication. It enables detailed control over the software supply chain through provenance attestations, package signature verification, and the generation of a Software
dependabot-core is the automated dependency management engine that powers multi-ecosystem package updates and vulnerability remediation. It parses package manifests and lockfiles, polls package registries for newer versions, resolves version constraints across entire dependency trees, and generates pull requests with changelogs and structured descriptions. The system integrates vulnerability database matching to detect known security flaws and can automatically create remediation pull requests. What distinguishes this project is its handling of complex multi-ecosystem resolution across dozens
WhatWeb is a web application fingerprinting tool that identifies the technology stack powering a website by scanning HTTP responses and page content. It matches responses against a library of over 1800 signatures to detect CMS platforms, JavaScript libraries, web servers, embedded devices, and third-party addons, while also extracting technical metadata such as software versions, user accounts, and module names. The tool operates through a plugin-based detection framework that supports both passive and aggressive scanning modes. Passive plugins analyze existing HTTP headers and page content w
Akaunting is a modular business enterprise resource planning system and self-hosted accounting software. It provides a comprehensive platform for small business financial management, centering on a double-entry bookkeeping system with a general ledger and chart of accounts. The platform is designed for extensibility through a module-based architecture and a dedicated marketplace for procuring third-party applications. It supports multi-tenant data isolation and utilizes role-based access control to manage granular user permissions. Its capability surface covers a wide range of business opera
Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments. The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific exe
Subfinder is a security reconnaissance framework designed for subdomain enumeration and attack surface management. It functions as a discovery engine that identifies and maps internet-exposed infrastructure, cloud-hosted assets, and network ranges to maintain a comprehensive inventory of an organization's digital footprint. The project distinguishes itself through a modular, template-driven scanning engine that executes security checks against discovered assets. It leverages cloud-native asset discovery to query provider APIs and infrastructure metadata, while supporting distributed agent orc
SecurityAdvisories is a software composition analysis tool and PHP security advisory database used to audit project dependencies against known security flaws and CVEs. It functions as a vulnerability scanner for PHP projects to identify and manage risky third-party libraries. The project implements a system for detecting and blocking vulnerable dependencies during the software development lifecycle. It prevents the installation of software packages with known security flaws by maintaining an exclusion list of forbidden versions. The tool integrates with the PHP package manager to intercept d
Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security
Syft is a software bill of materials generator, container image scanner, and software dependency catalog. It analyzes container images and filesystems to produce comprehensive inventories of installed packages and dependencies in standard formats. Additionally, it serves as a software attestation tool and an SBOM format converter. The project distinguishes itself through the ability to create cryptographically signed attestations for software inventories to ensure provenance and integrity. It also provides the capability to transform software bills of materials between different industry sche
This project is a Ruby-based package definition repository that functions as a cross-platform package manager and software dependency resolver for macOS and Linux. It provides a centralized system for installing, updating, and managing software through a Git-based distribution model. The system distinguishes itself through a binary package distribution network that produces pre-compiled bottles to avoid local compilation from source. It utilizes a Ruby-based domain specific language to define installation recipes and employs a distributed version control architecture to synchronize these defi
This project is a web application security standard and vulnerability framework. It provides a comprehensive list of the most critical security risks facing web applications, paired with technical guidance and a structured methodology for identifying and mitigating these flaws. The framework functions as a secure coding guide and a risk assessment methodology, offering a standardized approach to prioritizing vulnerabilities based on their potential impact and likelihood of exploitation. It defines architectural patterns and technical recommendations to help developers implement defense in dep
Vuls is an agentless vulnerability scanner and CVE intelligence aggregator. It identifies security flaws in operating systems, containers, and network devices without requiring the installation of permanent software agents on target machines. The project distinguishes itself by cross-referencing software versions against multiple vulnerability databases, security advisories, and known exploit catalogs. It utilizes platform-based enumeration and lockfile analysis to detect vulnerabilities in network hardware, programming libraries, and website plugins. The tool covers a broad range of securit
Tsunami Security Scanner is a network vulnerability scanner and security auditor designed to identify high-severity flaws across network assets. It functions as an asynchronous security probe engine that utilizes automated probes and specialized detection logic to find critical weaknesses and prioritize remediation efforts. The project is distinguished by a plugin-based scanning engine, which uses a modular architecture of interchangeable detection plugins to identify vulnerabilities. This extensibility allows for the development and integration of custom security plugins to expand the variet
Ghauri is an automated SQL injection scanner and exploitation tool designed to detect and extract data from vulnerable databases. It functions as a database exfiltration framework that identifies security flaws and retrieves system banners, hostnames, and database schemas. The tool identifies boolean, error, time-based, and stacked query vulnerabilities across multiple input vectors, including HTTP headers, cookies, JSON, SOAP, and XML. It provides capabilities for automated database exfiltration and the processing of bulk target lists to identify flaws across multiple environments. The syst
Wfuzz is a web application fuzzing framework that automates the injection of payloads into HTTP requests to discover hidden resources, parameters, and vulnerabilities. It functions as a content discovery scanner, a brute-force tool for credential guessing, and a plugin-based vulnerability scanner, all within a single modular system. The tool distinguishes itself through its plugin-based extensibility, allowing custom Python modules to add new payload sources, output printers, or scanning logic without modifying core code. It supports concurrent request dispatch using thread-based parallelism
Packer is a machine image builder and multi-platform image orchestrator used to create identical virtual machine images for multiple platforms from a single source configuration. It functions as an infrastructure as code tool, utilizing the HashiCorp Configuration Language to define versioned and reproducible templates for cloud image provisioners. The tool is distinguished by its plugin-based extension model, which allows it to load external binaries for builders and provisioners to support various cloud platforms and virtualization environments. It includes a post-processor pipeline to tran
afrog is an HTTP vulnerability scanner and web vulnerability management system that identifies security flaws and known CVEs using a YAML-based rule engine. It functions as a payload generator and scanner, comparing server responses against detection rules to find unauthorized access points. The project provides a framework for out-of-band security testing, detecting blind vulnerabilities by triggering and verifying external DNS or HTTP callbacks. Beyond web traffic, it includes a protocol fuzzer capable of executing multi-step read and write sequences over raw TCP and SSL sockets to identify
InvenTree is an open-source inventory management platform built on Django, designed for tracking parts, stock levels, and supply chain operations through a web interface and REST API. The system uses barcodes—including QR codes, 1D barcodes, and Data Matrix codes—as primary identifiers for scanning, linking, and triggering inventory actions, and extends core functionality through a Python plugin framework supporting custom actions, UI panels, barcode handlers, and scheduled tasks. The platform distinguishes itself through a comprehensive plugin-based extensibility system that allows custom in
ShuiZe_0x727 is an open-source intelligence gathering framework and attack surface management tool. It functions as an asset discovery engine and cyber intelligence aggregator designed to identify internet-facing assets, map network infrastructure, and visualize total network exposure. The project integrates vulnerability scanning and sensitive data leak detection to identify security weaknesses and unauthorized access points. It employs a combination of network space API queries, certificate log analysis, and public repository scanning to extract leaked credentials, API keys, and internal ad
This project serves as a comprehensive repository of best practices and documentation standards for managing open source software. It provides a foundational framework for establishing project governance, defining contributor roles, and structuring the lifecycle of collaborative software development. By centralizing knowledge on community building and operational transparency, it acts as a guide for launching, maintaining, and scaling healthy software projects. The project distinguishes itself by offering actionable strategies for the human and organizational aspects of software development t
gosec is a static analysis security tool designed to scan Go source code for vulnerabilities and common coding flaws. It functions as a security analyzer that inspects the abstract syntax tree to identify insecure function calls, API usage, and potential security risks. The tool distinguishes itself by mapping detected vulnerabilities to Common Weakness Enumeration identifiers for standardized reporting and integrating with external AI models to suggest code fixes for identified issues. Its capabilities cover the detection of injection vulnerabilities, hardcoded credentials, weak cryptograph
unioffice is a comprehensive document processing suite that provides a PDF document processor, an Open XML document library, a document security toolkit, and a document content extractor. It is designed to programmatically create, read, and modify Word, Excel, and PowerPoint files, as well as generate and edit PDF documents. The project is distinguished by its native language implementation of the Open XML standard, which removes native binary dependencies to simplify container deployments. It features advanced capabilities for digital document security, including hardware-based PDF signing,
OfficeCLI is a headless office suite and automation tool designed for programmatically reading, editing, and generating Microsoft Office documents. It functions as an OOXML manipulation library and a document templating engine, providing a standalone binary that allows for the management of Word, Excel, and PowerPoint files without requiring a local installation of office software. The project distinguishes itself by exposing document operations as tools for AI agents via a JSON-RPC server and the Model Context Protocol. It enables advanced customization through raw XML manipulation using XPa
Faraday is a vulnerability management platform and security tool aggregator designed to centralize security findings from multiple scanners into a single dashboard. It utilizes a relational security database to catalog hosts, services, and security flaws, enabling users to track remediation and analyze organizational risk. The platform distinguishes itself through a plugin-based system that normalizes diverse security tool outputs into a unified data model. It supports deep integration with a wide array of scanners and CLI tools, intercepting shell command output or parsing report files to ag
gdu is a command line disk usage analyzer and interactive disk profiler used to scan directories and visualize space consumption across file systems. It functions as a file system management tool that allows for the identification and removal of large files and folders to free up storage. The tool features a cursor-based interface for navigating directory structures and archives. It provides a storage cleanup workflow that enables the deletion of selected items directly from the analysis view, utilizing parallel execution to reduce I/O wait times. The application supports recursive directory