Open-source alternatives to Trivy

Terrascan is an infrastructure as code security scanner and cloud configuration auditor designed to detect security violations and compliance risks in cloud templates and Dockerfiles before provisioning. It utilizes the Open Policy Agent to evaluate infrastructure templates against both standard security policies and custom organizational rules. The project functions as a security guardrail within build pipelines, blocking risky deployments by integrating scanning logic directly into CI/CD workflows. It also includes a container registry vulnerability scanner that collects vulnerability data

This project is a security compliance tool and configuration auditor designed to evaluate Docker deployments against industry security benchmarks. It functions as a script-based scanner that identifies misconfigurations and vulnerabilities within both the host operating system and container settings. The tool specifically implements the Center for Internet Security standards for Docker to verify host and container configurations. It enables a hardening workflow by comparing system states against these standards to identify security gaps and document compliance status. The audit engine suppor

Cosign is a tool for signing and verifying software artifacts, primarily those stored in OCI-compatible registries such as container images, Helm charts, SBOMs, and Tekton bundles. It supports keyless signing using ephemeral keys and short-lived certificates from the Sigstore public-good infrastructure, associating signatures with an OpenID Connect identity rather than a long-lived cryptographic key. The project provides multiple signing and verification methods, including private keys, key pairs stored in KMS providers like AWS KMS and Azure Key Vault, and hardware security keys. It can sign

ThreatMapper is a cloud native application protection platform and infrastructure security scanner. It functions as a vulnerability management system and cloud workload telemetry collector designed to monitor workloads and detect security risks across cloud and container environments. The platform distinguishes itself through a network traffic visualizer that uses machine learning to classify communication patterns and a graph-based attack mapping system to identify high-risk paths between vulnerabilities and network dependencies. Its broader capabilities cover cloud infrastructure complianc

Prowler is an automated cloud infrastructure security scanner and posture management tool. It evaluates cloud environments and infrastructure-as-code templates against security benchmarks to identify misconfigurations, vulnerabilities, and compliance gaps that could compromise system integrity. The platform distinguishes itself through graph-based attack path analysis, which identifies chains of misconfigurations that create exploitable routes for unauthorized access. It utilizes a plugin-based execution model to perform state-based assessments of live environments and static analysis of conf

Terrascan is a static analysis tool designed to evaluate infrastructure-as-code configuration files for security vulnerabilities and compliance violations. By parsing these files into an intermediate representation, it identifies risks before cloud resources are provisioned, serving as a compliance auditor for cloud-native environments. The tool functions as a policy-as-code engine, allowing users to define and enforce custom security rules and industry benchmarks using a specialized query language. It distinguishes itself through its ability to integrate directly into development and deploym

Clair is a container vulnerability scanner that performs static analysis of container images to identify known security vulnerabilities. It functions as an analyzer for OCI and Docker images, indexing their contents to detect security risks and outdated packages without requiring the containers to be running. The tool identifies vulnerabilities by matching indexed container components against security databases to find common vulnerabilities and exposures. This process involves analyzing filesystem layers to track the provenance and versioning of packages across the image hierarchy. The proj

tfsec is a static analysis tool and infrastructure as code linter designed to detect security misconfigurations and compliance violations in Terraform infrastructure code. It functions as a cloud security posture tool and policy enforcement engine that evaluates configurations against established security benchmarks. The tool provides multi-cloud security auditing for providers including AWS, Azure, Google Cloud, and Kubernetes, as well as specialized scanning for DigitalOcean, OpenStack, CloudStack, and GitHub configurations. It identifies insecure settings such as public access or unencrypt

Syft is a software bill of materials generator, container image scanner, and software dependency catalog. It analyzes container images and filesystems to produce comprehensive inventories of installed packages and dependencies in standard formats. Additionally, it serves as a software attestation tool and an SBOM format converter. The project distinguishes itself through the ability to create cryptographically signed attestations for software inventories to ensure provenance and integrity. It also provides the capability to transform software bills of materials between different industry sche

The Snyk CLI is a command-line security scanner that detects known vulnerabilities across open-source dependencies, proprietary application code, container images, and infrastructure-as-code configuration files. It also serves as a platform management tool, allowing users to configure organizations, users, SSO, and reporting from the terminal rather than the web dashboard. The CLI integrates directly into development workflows, enabling scanning within IDEs, build pipelines, and version control systems. It implements static analysis with interfile data flow analysis to find complex security f

Tsunami Security Scanner is a network vulnerability scanner and security auditor designed to identify high-severity flaws across network assets. It functions as an asynchronous security probe engine that utilizes automated probes and specialized detection logic to find critical weaknesses and prioritize remediation efforts. The project is distinguished by a plugin-based scanning engine, which uses a modular architecture of interchangeable detection plugins to identify vulnerabilities. This extensibility allows for the development and integration of custom security plugins to expand the variet

Bearer is a static analysis security testing tool and privacy compliance auditor. It identifies security vulnerabilities, hard-coded secrets, and privacy risks in source code through static analysis and data flow tracing. The tool distinguishes itself by tracking the movement of sensitive data through code to identify leaks and by mapping personal and health-related information flows to generate evidence for privacy impact assessments. It also provides differential scanning for pull requests and uses fingerprint-based suppression to exclude known false positives from reports. The platform co

Prowler is a multi-cloud security scanner and security posture management tool. It automates security and compliance assessments across multiple cloud environments to identify misconfigurations and vulnerabilities. The project provides a multi-cloud security analysis engine that operates as an automated auditor, evaluating infrastructure against industry-standard regulatory frameworks and security benchmarks. It features a cloud security visualization dashboard that uses a graph database to map cloud inventory and visualize potential attack paths. Capabilities include automated cloud infrast

Vuls is an agentless vulnerability scanner and CVE intelligence aggregator. It identifies security flaws in operating systems, containers, and network devices without requiring the installation of permanent software agents on target machines. The project distinguishes itself by cross-referencing software versions against multiple vulnerability databases, security advisories, and known exploit catalogs. It utilizes platform-based enumeration and lockfile analysis to detect vulnerabilities in network hardware, programming libraries, and website plugins. The tool covers a broad range of securit

Hadolint is a static analysis tool designed to validate container build configurations. It functions as a security scanner and configuration auditor, parsing build instructions into a structured format to identify deviations from security and efficiency standards. The tool distinguishes itself by performing deep inspection of embedded shell commands. By tokenizing and analyzing these scripts, it detects common scripting errors and security vulnerabilities that might otherwise persist within a container image. It integrates external analysis tools to provide specialized validation for these in

tfsec is a static analysis tool and security scanner for Terraform configuration files. It functions as an infrastructure as code security scanner and compliance linter designed to detect misconfigurations and vulnerabilities across multiple cloud providers before resources are deployed. The tool identifies security risks by analyzing infrastructure code and variable files to evaluate the final state of the environment. It supports custom policy enforcement and allows for the suppression of specific security warnings through inline comments. Its capabilities cover cloud security posture mana

Bandit is a static analysis security testing tool and vulnerability detection scanner for Python source code. It functions as a security-focused linter and static analyzer that identifies common vulnerabilities and architectural flaws without executing the program. The tool utilizes an abstract syntax tree to analyze code patterns and identifies risky function calls or insecure configurations. It employs a plugin-based rule engine to decouple scanning logic from individual security checks and supports configuration-driven filtering to exclude specific files or ignore certain warnings. The sy

SecretScanner is a security tool designed to search filesystems and container images for unprotected passwords, API keys, and other sensitive data. It functions as a static secret detector and container image scanner that identifies hardcoded credentials by matching content against a database of known secret types. The tool inspects container image layers to find secrets hidden within the filesystem hierarchy and parses local directories and host-mounted paths. It provides the ability to export scan findings in machine-readable JSON format for automated analysis and processing. The scanning

Lynis is an automated security auditing and system hardening framework designed for UNIX-based operating systems. It functions as a command-line utility that inspects local system configurations to identify security vulnerabilities, configuration weaknesses, and compliance gaps. By executing a series of modular tests, the tool generates actionable reports and remediation suggestions to assist in strengthening system defenses. The project distinguishes itself through a highly modular architecture that relies on shell-script-based execution and native system inspection. Users can define custom

Kube-hunter is a security scanner and vulnerability hunter for Kubernetes clusters. It operates as a cloud-native penetration tool designed to identify security weaknesses, infrastructure misconfigurations, and exploitable gaps by simulating attacker techniques. The tool distinguishes itself through a dual-mode scanning engine that executes both remote external probes and internal network scans. It features identity-based impersonation, allowing it to use service account tokens and pod identities to simulate security access from specific cluster roles and determine the potential blast radius

gosec is a static analysis security tool designed to scan Go source code for vulnerabilities and common coding flaws. It functions as a security analyzer that inspects the abstract syntax tree to identify insecure function calls, API usage, and potential security risks. The tool distinguishes itself by mapping detected vulnerabilities to Common Weakness Enumeration identifiers for standardized reporting and integrating with external AI models to suggest code fixes for identified issues. Its capabilities cover the detection of injection vulnerabilities, hardcoded credentials, weak cryptograph

Gitleaks is a static analysis security tool and secret detection engine designed to find hardcoded passwords, API keys, and authentication tokens. It functions as a Git secret scanner that analyzes both local file systems and Git commit history to prevent credential leaks. The tool distinguishes itself through a decoding pipeline that transforms base64 and hex strings into plaintext to find obfuscated secrets. It further reduces false positives using proximity-based validation and fingerprint-based suppression to filter out known or baseline findings. The system covers a broad range of detec

CrackMapExec is a network penetration testing framework and automated security scanner designed to assess security postures across large IP ranges. It functions as a multi-protocol security scanner and network protocol auditor used to identify vulnerabilities and misconfigurations. The tool provides capabilities for Active Directory auditing to enumerate users and permissions, as well as post-exploitation enumeration to gather system metadata and discover lateral movement paths. It includes a framework for credential spraying and harvesting across various network services. The system utilize

SonarQube is a static code analysis platform used to scan source code and infrastructure scripts across multiple languages. It detects bugs, security vulnerabilities, and maintainability issues to ensure software meets reliability and security standards. The platform implements automated quality gates for continuous integration and delivery pipelines, verifying code against defined rules during merge or pull requests. It also integrates directly with code editors to provide real-time analysis results and quick-fix guidance during development. The system covers broad functional areas includin

Amass is an attack surface management tool designed to identify, map, and inventory an organization's internet-facing digital assets. It functions as a security asset discovery engine that systematically expands an organization's known infrastructure footprint through recursive domain name resolution and the collection of intelligence from diverse public data sources. The platform distinguishes itself by utilizing a graph-based modeling approach to organize discovered resources. By maintaining a persistent graph database, it tracks the relationships between infrastructure components and norma

SecLists is a centralized library of security assessment data designed to support vulnerability discovery and penetration testing. It functions as a comprehensive repository of wordlists, payloads, and testing methodologies used to audit software, firmware, and internet-connected hardware for technical vulnerabilities. The project distinguishes itself through a standardized taxonomy and a language-agnostic data format, which allows security tools to predictably ingest and utilize its assets regardless of the underlying programming environment. By decoupling raw testing data from execution log

The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to