A list of open source web security scanners on GitHub and GitLab (just added), ordered by Stars. It does not provide in-depth analysis - for more analysis or a wider range of tools, see the links below.
Note that some large projects have multiple repos - in which case the second most relevant repo is included immediately after.
Tools which can find a range of 'unknown' vulnerabilities on any websites.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| ZAP |  |
 |
 |
| - ZAP Extensions |  |
 |
 |
| W3af |  |
 |
 |
| Hetty |  |
 |
 |
| Arachni |  |
 |
 |
| Astra |  |
 |
 |
| Skipfish |  |
 |
 |
| Sitadel |  |
 |
 |
| Taipan |  |
 |
 |
| Vega |  |
 |
 |
| Wapiti |  |
 |
 |
| Tuplar |  |
 |
 |
| Ugly-duckling |  |
 |
 |
| Jawfish |  |
 |
 |
| Browserker |
Tools which can find a range of 'known' vulnerabilities on any websites.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| Nuclei |  |
 |
 |
| - Nuclei Templates |  |
 |
 |
| Tsunami |  |
 |
 |
| Nikto |  |
 |
 |
| Striker |  |
 |
 |
| Jaeles |  |
 |
 |
| - Jaeles-Signatures |  |
 |
 |
| Yasuo |  |
 |
 |
| Observatory |  |
 |
 |
| Spaghetti |  |
 |
 |
Tools which focus on throwing 'bad stuff' at things - the user typically has to work out if it sticks.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| dirsearch |  |
 |
 |
| Ffuf |  |
 |
 |
| gobuster |  |
 |
 |
| Wfuzz |  |
 |
 |
| feroxbuster |  |
 |
 |
| rustbusterv |  |
 |
 |
| vaf |  |
 |
 |
Tools which can find a range of 'known' vulnerabilities on one or more CMS websites.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| WPscan |  |
 |
 |
| Volnx |  |
 |
 |
| Droopescan |  |
 |
 |
| CMSScan |  |
 |
 |
| JoomScan |  |
 |
 |
| Clusterd |  |
 |
 |
Tools which focus on web APIs.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| Automatic API Attack Tool |  |
 |
 |
| Cherrybomb |  |
 |
 |
Tools which focus on finding subdomains of a domain using various methods.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| github-subdomains |  |
 |
 |
| Amass |  |
 |
 |
Tools which focus on specific types of vulnerabilities.
| Main Site | Last Commit | Committers | Stars |
|---|---|---|---|
| Sqlmap |  |
 |
 |
| Comix |  |
 |
 |
| Xsscrapy |  |
 |
 |
Tools which focus on specific types of vulnerabilities.
| Main Site | Last Commit | Committers | Stars | Desc |
|---|---|---|---|---|
| qsreplace |  |
 |
 |
Accept URLs on stdin, replace all query string values with a user-supplied value, only output each combination of query string parameters once per host and path. |
- Free for Open Source Application Security Tools - includes commercial tools as well
- Vulnerability Scanning Tools - covers more tools, includes commercial tools as well
- Linux Security Tools - covers more tools and evaluates more criteria
- Web Hackers Weapons - covers more tools
- Arsenal of cloud native security tools
PR's welcomed.
Template line for GitHub projects (replace USER_REPO):
| []() | [](https://github.com/USER_REPO/commits) | [](https://github.com/USER_REPO/graphs/contributors) | [](https://github.com/USER_REPO/stargazers) |
Template line for GitLab projects (replace USER_REPO):
| []() | [](https://gitlab.com/USER_REPO/-/commits/master) | [](https://gitlab.com/USER_REPO/-/graphs/master) | [](https://gitlab.com/USER_REPO/-/starrers) |