A vulnerability assessment is a methodical examination of network infrastructure, computer systems, and software with the goal of identifying and addressing known security flaws. Once the vulnerabilities are pinpointed, they are classified based on how critical it is to fix/mitigate them sooner rather than later. Usually, the vulnerability scanning tool also provides instructions on how to remediate or mitigate the discovered flaws.
Security teams can use the findings of a vulnerability assessment to better understand the security posture of their network and put protective measures in place.
All the open-source vulnerability assessment tools listed below can be downloaded and used for free.
Aqua Trivy is an open-source tool that detects vulnerabilities, and provides an explanation of risk so developers can decide which components they want to use in their applications and containers. Trivy has different scanners that look for different security issues, and different targets where it can find those issues.
Clair is an open-source project for the static analysis of vulnerabilities in application containers (currently including OCI and docker). Clients use the Clair API to index their container images and can then match them against known vulnerabilities.
Tsunami is a general-purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence. Tsunami is easy to scale, executes fast, and scans non-intrusively.
Vaf is a cross-platform web fuzzer with features like: fast threading, HTTP header fuzzing and proxying.
Zed Attack Proxy
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the OWASP umbrella. ZAP is designed specifically for testing web applications and is both flexible and extensible, you can even run it on a raspberry pi.