At DefectDojo we’re uniquely positioned to see many trends in security from the DefectDojo community and customers. We’re excited to share our list of best open-source tools for DevSecOps, security automation, and scalable security, based on data from the field.
Selection Criteria
There are many security tools focused on testing for specific issues in specific languages. While these tools are great for supplementing a robust AppSec or security program, our decade-plus of experience leads us to believe that the best results are achieved when an organization starts with a general or universal tool that scans multiple languages for multiple issues, and this evaluation is exclusively focused on such tools. Comparing niche tools ultimately isn’t meaningful in the context of a tool’s utility: comparing a tool focused specifically on Python with a tool focused specifically on Ruby is an apples and oranges comparison.
Evaluation Criteria
When we evaluate any tool, we ultimately simplify down to the utility of the tool: if you spend X hours working with a tool, how much value Y do you get out, accounting for the noisiness, accuracy, and robustness of the tool’s results?
With that said, we’re proud to unveil our awards for the best open-source tool in DAST, SAST, SCA, infrastructure, and secrets scanning.
DAST

Dynamic Application Security Testing is a method of testing the security of a running application by simulating attacks from the outside, without access to the source code, to identify vulnerabilities. Our winners deliver comprehensive scanning and ease of use.
ZAP - Zed Attack Proxy
Who is surprised?! There aren’t words to properly articulate the high praise ZAP deserves. In addition to being a cornerstone of dynamic scanning, ZAP has every option you could hope for to make automation easy including an API, GitHub Actions, Wrappers, etc.
Nikto
We don’t think Nikto gets the respect it deserves. When we look at unique vulnerabilities discovered, Nikto is a clear standout in the DAST space. Its ability to find what other tools cannot in addition to being very easy to get started with, while also needing minimal configuration makes it a top tool to us.
Arachni
While Arachni isn’t as frequently updated as the tools above, it has a very unique way of validating web-based vulnerabilities that makes the results particularly valuable. The challenge with Arachni is that the tool can get stuck in loops, and thus requires some very specific configuration to work well with certain applications.
SAST

Static Application Security Testing analyzes an application's source code to identify potential vulnerabilities before the application is deployed, acting as a "white-box" test. These products provide great value and can help increase your code quality.
Semgrep
Semgrep has created an incredibly flexible tool that is both easy to get started with and provides the ability to write your own rules for more advanced use cases. Ultimately, based on the data we have available, Semgrep is producing the highest quality results in the SAST space with regard to their open source offering.
SonarQube
SonarQube has stood the test of time and is still a go-to for those looking for an open-source SAST solution. Our experience has been that SonarQube can be a little noisy, but once tuned it will provide results that greatly increase code quality. SonarQube also provides quality analysis, but for our purposes we are exclusively focused on its SAST capabilities.
Horusec
Horusec appears to be underutilized for the value it provides. Horusec covers a multitude of languages and also includes secrets scanning for a very complete, out-of-the-box solution.
SCA

Software composition analysis identifies and manages open-source components within software applications, helping to detect vulnerabilities, license compliance issues, and outdated libraries. These solutions stand out from the rest.
Dependency-Track
What Steve Springett and the team have created deserves to be listed alone. There is no other tool that compares in the open-source space to Dependency-Track.
Trivy
What is there to say? Trivy scans images and scans them well.
Checkov
Checkov goes beyond images to also scan configurations.
An important note: There are a number of phenomenal choices when it comes to scanning images. It was hard to narrow it down to Checkov and Trivy specifically. Most image scanners are fairly noisy. However, when examining results after going through DefectDojo’s consolidation and deduplication smart features, Checkov and Trivy stand out with regard to total valid issues detected. Other tools are close, but Checkov and Trivy appear to consistently find more actionable findings.
INFRASTRUCTURE

Infrastructure scanning involves systematically assessing and testing the security of an organization's IT infrastructure, including networks, systems, and cloud environments.
Our selections include new and tried-and-true products.
Prowler
Great to see a new entrant on cloud security. We’ve seen many strong proprietary solutions in the space, but few open source.
OpenVAS
OpenVAS has been around quite a long while and deserves recognition for its staying power and functionality.
NMAP
I don’t think a pentest can be done without using NMAP. NMAP’s vulnerability scanning power has also grown substantially with its NSE scripts.
SECRETS

Secrets scanning helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository. One vendor stands above the rest.
TruffleHog
While there are others in the space that are more targeted in where / what secrets they are looking for, TruffleHog’s flexibility gives the tool an edge.
Contributor of the Year: Tomas Kubla (Kiblik) LinkedIn | GitHub

DefectDojo has many regular contributors that keep the project thriving. We appreciate them all. Kiblik has been a consistent contributor of both source code and helpful answers for the community for years. What sets Kiblik apart is that he not only does the 'fun' parts of open source project contribution, but has done the 'hard things' that make DefectDojo better in non-visible ways.