Web Dev Tools

Security Scanning (SAST / DAST / SCA)

Static analysis, dependency CVE scanning, secrets, and runtime scanning.

SCA — Software Composition Analysis (your dependencies)

  • Socket — modern; analyzes supply-chain risk on every PR (typosquatting, install scripts, suspicious behavior). Generous free tier.
  • Snyk — dependency CVEs + license issues; broad ecosystem; small free tier.
  • npm audit / pnpm audit — built-in; surface-level.
  • GitHub Dependabot Alerts — free, default-on for public repos.
  • OSV-Scanner (Google) — open source; uses the OSV database; free.
  • Trivy (Aqua) — broad scanner: deps, containers, IaC; fast; free.
  • Grype (Anchore) — alternative to Trivy.

SAST — Static Application Security Testing (your code)

  • Semgrep — open core; pattern-based; thousands of rules across languages; extensible. Free tier + paid SaaS. Default for adding security lint to CI.
  • CodeQL (GitHub) — query-based; free for public repos; GitHub's default Code Scanning engine.
  • SonarCloud / SonarQube — code quality + security; classic.
  • Snyk Code — paid; built on DeepCode.
  • Bearer — open-source SAST focused on data flow / PII.
  • Bandit (Python), brakeman (Ruby) — language-specific.

Secret scanning

  • GitGuardian — gold standard; PR + history scanning; free tier.
  • GitHub Secret Scanning — default-on for public repos; private repos with GHAS.
  • TruffleHog — open source; scan filesystems and history.
  • gitleaks — fast pre-commit option.
  • See also Secrets Management.

DAST — Dynamic / runtime scanning

  • OWASP ZAP — free, open-source DAST; CI-friendly with Docker.
  • Burp Suite — paid; the security pro's tool.
  • Nuclei (ProjectDiscovery) — fast template-based vulnerability scanner; great for "is this CVE present in our deployment?"
  • Detectify — paid hosted DAST.
  • StackHawk — DAST in CI; paid.

Container & IaC scanning

  • Trivy — containers, Kubernetes manifests, Terraform, Helm.
  • Grype + Syft — alternative pair.
  • Docker Scout — built into Docker Desktop / Hub.
  • tfsec / Checkov / kics — Terraform / IaC scanners.
  • Snyk Container — paid container scans.

Cloud posture / CSPM

  • Wiz, Orca, Lacework, Aqua — paid; enterprise.
  • Steampipe — open-source; query AWS / GCP / Azure as SQL; great for custom posture checks.
  • Prowler — AWS / GCP / Azure CIS benchmark scanner.
  • CloudSploit — open-source AWS scanner.

API security

  • 42Crunch — paid; OpenAPI-driven API security.
  • StackHawk — DAST tuned for APIs.
  • Schemathesis — property-based API testing; finds security issues incidentally; see OpenAPI Tooling.

License scanning

  • Snyk License, FOSSA, WhiteSource Bolt, license-checker (npm) — for compliance teams.
  • oss-attribution-generator — generate attribution files for distribution.

Patterns to adopt

  • Run scanners in CI on every PR. Block on high-severity findings.
  • Triage promptly — most CVE noise is non-exploitable; tag and track.
  • SBOM generation: syft, cyclonedx-cli. Increasingly required by enterprise customers.
  • Rotate secrets immediately when GitGuardian fires; assume the secret is compromised.
  • Don't ignore "low" — they accumulate. Set a clean-up cadence.

Pick this if…

  • Default new project, free: Semgrep + Trivy + GitHub Dependabot Alerts + GitHub Secret Scanning.
  • Want one polished SaaS: Snyk (dep + code) + GitGuardian (secrets).
  • Open source / self-host all of it: Semgrep CLI + Trivy + gitleaks + OWASP ZAP.
  • Containers / k8s heavy: Trivy + Steampipe.
  • Modern supply-chain / typosquatting: Socket on PRs.