A list of free open source vulnerability scanners which developers and penetration testers can use to scan systems for vulnerabilities and potential malware.

A vulnerability assessment is an in-depth analysis of a network’s hardware, software, and other components to locate and fix potential security holes. Once identified, the software prioritizes security holes by how quickly they must be patched or mitigated. In most cases, the vulnerability scanning tool will also include guidance on how to fix or lessen the impact of any vulnerabilities it finds.

The results from vulnerability scanners can be used as a guide by security teams as they evaluate the safety of their network and take preventative measures.

Devs can use the following open-source vulnerability assessment tools to test their vulnerabilities for free.

Aqua Trivy

For developers to make informed decisions about which components to use in their applications and containers, open-source tools like Aqua Trivy can help them identify vulnerabilities and understand the associated risks. Trivy’s array of vulnerability scanners allows it to detect vulnerabilities in a wide variety of systems.

Static analysis of vulnerabilities in application containers is the focus of the Clair open-source project (currently including OCI and Docker).

Clients can index their container images via the Clair API and compare them to a database of known security flaws.


Tsunami is a flexible, plugin-based network security scanner designed to detect and scan critical vulnerabilities accurately.

Tsunami is scalable, runs quickly, and scans quietly.


Vaf is a platform-independent web fuzzer that can quickly thread through requests, fuzz HTTP headers, and even act as a proxy.

Zed Attack Proxy ZAP

Under the OWASP banner, Zed Attack Proxy (ZAP) is developed and maintained as a free, open-source penetration testing tool and can be used as an effective vulnerability scanner.

ZAP is highly adaptable and extensible; it can even be deployed on a Raspberry Pi and is optimized for testing websites and deployed as a vulnerability scanner.