# security-scanning

Enterprise software composition analysis for supply chain security

Sonatype Lifecycle is an enterprise software composition analysis platform that identifies vulnerabilities, license risks, and quality issues in open-source dependencies throughout the development lifecycle. It integrates with IDEs, CI/CD pipelines, and artifact repositories to block risky components before they enter the codebase. Backed by the largest vulnerability database with proprietary research beyond public CVE data.

Shift-left DAST platform built for CI/CD pipeline integration

StackHawk is a dynamic application security testing platform designed for CI/CD pipeline integration. It tests running web applications and APIs for OWASP Top 10 vulnerabilities including SQL injection, XSS, and authentication flaws during the development process. Built on ZAP with a developer-friendly CLI and YAML configuration, it provides actionable findings with reproducer requests and fix guidance.

AI-powered DAST platform specializing in API and GraphQL security

Escape is an AI-powered dynamic application security testing platform focused on API security including REST, GraphQL, and gRPC endpoints. It automatically discovers and tests API endpoints for vulnerabilities without requiring source code access. Features business logic testing that goes beyond OWASP patterns, CI/CD integration for shift-left security, and detailed remediation guidance for developers.

Agent harness performance system with 30+ agents and 136 skills

Everything Claude Code is a comprehensive agent harness performance optimization system providing 30 specialized agents, 136 skills, 60 commands, and automated hook workflows for AI-assisted development. Born from an Anthropic hackathon winner and evolved over 10+ months of intensive daily use, it works across Claude Code, Codex, Cursor, and OpenCode with built-in security scanning via AgentShield, continuous learning, and research-first development patterns.

Hunt down social media accounts by username across 400+ platforms

Sherlock is a Python CLI tool that searches for a given username across 400+ social networks and websites simultaneously. It is widely used in OSINT investigations, security audits, red teaming exercises, and digital footprint analysis. Sherlock is included in Kali Linux and Parrot Security distributions and has over 76,000 GitHub stars, making it one of the most popular open-source security tools.

Security scanner for MCP servers against tool poisoning attacks

MCP-Scan is a security tool that scans MCP servers for vulnerabilities including tool poisoning, prompt injection, cross-origin escalation, and rug pull attacks. Acquired by Snyk in 2026, it is the first dedicated security scanner for the MCP ecosystem. It analyzes tool descriptions, permissions, and behavior patterns to detect malicious or compromised MCP servers before they can exploit AI agents.

Cloud native runtime security for Kubernetes

Falco is a CNCF graduated open-source runtime security tool that detects unexpected behavior and threats across containers, Kubernetes, and cloud workloads in real time. Originally created by Sysdig, Falco monitors Linux kernel syscalls using eBPF and applies customizable detection rules to alert on malicious activity like container escapes, cryptojacking, unauthorized file access, and anomalous network connections. It supports 50+ alert output channels including SIEM integration.

AI framework for distributed vulnerability research

Taskflow Agent is an open-source MIT-licensed AI framework by GitHub Security Lab that automates vulnerability discovery through a three-stage pipeline: threat modeling, issue suggestion, and audit validation. It has discovered 91 confirmed vulnerabilities in major open-source projects including Outline and WooCommerce, using distributed community-powered security research coordinated by AI agents.

AI-native SAST with automated PR security reviews

ZeroPath is an AI-native SAST and AppSec platform recognized as an RSAC 2026 finalist that provides automated pull request security reviews with contextual feedback and natural-language fix suggestions. It catches secrets, IaC misconfigurations, and logic flaws in code changes, competing directly with established code review tools but with a security-first AI-native architecture.

DRM and IP protection for AI model weights

RefortifAI is a Y Combinator P2026 batch company that provides DRM and intellectual property protection for AI models by obfuscating model weights so they only run inside a hardened runtime. It solves the critical problem of model weight protection for companies distributing custom LLMs to untrusted environments, preventing IP theft while maintaining inference performance.

AI security triage for small engineering teams

Amplify Security is an AI-native security tool designed for small-to-mid engineering teams that automates the triage of security alerts and integrates directly into GitHub and GitLab workflows. It specifically addresses alert fatigue by using AI to prioritize high-risk findings over low-severity noise, offering a free tier for small teams that makes developer-first security accessible without enterprise budgets.

Continuous security scanning with AI and human expertise

Fluid Attacks integrates continuous vulnerability scanning into the SDLC by combining AI automation with human security expertise to verify critical flaws. The hybrid approach ensures that automated findings are validated by security researchers before reaching developers, reducing false positive noise while maintaining coverage across SAST, DAST, SCA, and infrastructure-as-code security scanning.

AI-automated pentesting with zero false positives

ZeroThreat is an automated penetration testing platform that uses AI to conduct comprehensive security audits, claiming to identify 500+ vulnerability types with zero false positives. It automates the traditionally expensive and manual red-teaming process, providing continuous security assessment for web applications with detailed remediation guidance and compliance-ready reporting.

Prompt fuzzing tool for LLM security testing

ps-fuzz by Prompt Security is a security testing tool with 660+ GitHub stars that fuzzes system prompts against dynamic LLM-based attack scenarios including jailbreaks, prompt injection, and data extraction attempts. It helps developers harden their GenAI applications by simulating adversarial attacks in a controlled environment, turning LLM security into a testable and reproducible quality gate.

Security scanner for AI model files

ModelScan by Protect AI is an open-source tool that scans machine learning model files for malicious or unsafe code before they are loaded into production. Supporting formats like Pickle, HDF5, SavedModel, and SafeTensors, it detects hidden code execution, deserialization attacks, and supply chain threats in the AI/ML model artifact pipeline, integrating into CI/CD as a critical security gate.

Open-source vulnerability management aggregator

DefectDojo is an open-source vulnerability management platform with 3,800+ GitHub stars that aggregates findings from dozens of security scanning tools into a single view for ranking, triaging, and tracking remediation. It serves as the operating system for security teams by normalizing data from SAST, DAST, container scanners, and dependency checkers into a unified workflow with deduplication and metrics.

Secret scanning across Git history and cloud storage

TruffleHog by Truffle Security scans for high-entropy strings and secrets across GitHub history, S3 buckets, and other data stores with 15,000+ GitHub stars. It goes beyond simple pattern matching by verifying whether discovered credentials are actually active and valid, significantly reducing false positives and helping teams prioritize remediation of truly exposed secrets.

Open-source secret detection for Git repositories

Gitleaks is an open-source SAST tool with 16,000+ GitHub stars that detects hardcoded secrets like passwords, API keys, and tokens in Git repositories. It scans both current code and full Git history to find accidentally committed credentials, integrating into CI/CD pipelines as a pre-commit hook or pipeline step to prevent secrets from ever reaching remote repositories.

AI-powered SAST for PR-time security analysis

CodeThreat provides pull request-time security analysis covering SAST, dependency vulnerability checks, and infrastructure-as-code risk review. Highly rated for its seamless GitHub integration, it catches security issues introduced by both human and AI-generated code before they reach production, with particular strength in identifying vulnerabilities from rapid vibe coding workflows.

AI-native AppSec that finds and fixes vulnerabilities

Corgea is an AI-native application security platform that uses LLMs to scan, triage, and automatically fix security vulnerabilities in code. Unlike traditional SAST tools that only detect issues, Corgea focuses on the remediation phase by generating context-aware fixes for vulnerabilities, significantly reducing the time engineering teams spend on security backlog while providing contextual PR reviews and IDE integrations.

All-in-one AI code review, security, and quality

CodeAnt AI is a Y Combinator-backed platform that bundles AI-powered pull request reviews, SAST security scanning, secret detection, IaC scanning, and DORA developer metrics into a single tool. Supporting 30+ programming languages and all major Git platforms including GitHub, GitLab, Bitbucket, and Azure DevOps, it has scanned over 50 million lines of code and auto-fixed 500,000+ issues across engineering teams worldwide.

AI-native security for coding agents

Corridor is an AI-native security platform that intercepts vulnerabilities at the code generation layer, providing real-time guardrails and automated PR security reviews for teams using AI coding agents like Cursor, Claude Code, and GitHub Copilot. Founded by former CISA Secure by Design lead Jack Cable and backed by $25M Series A from Felicis at a $200M valuation, Corridor embeds proactive security context into developer workflows via MCP server integration.

Agentic application security from prompt to cloud

Cycode is an AI-native application security platform that converges AST, SSCS, and ASPM into a single solution with the Maestro AI orchestrator managing multi-agent security workflows. It provides native SAST, SCA, secrets detection, IaC scanning, and container security alongside ConnectorX integration with 100+ third-party tools. Cycode's AI Exploitability Agent reduces false positives by 94%, and the Context Intelligence Graph maps risk across code, pipelines, and runtime environments.

Pipelineless AppSec for AI-driven development

Arnica is a pipelineless application security platform that scans every code push in real-time across SAST, SCA, IaC, secrets, and license risks without CI/CD pipeline integration. Its Arnie AI engine combines deterministic static analysis with multi-agent reasoning to detect logic flaws and vulnerabilities in both human-written and AI-generated code. It integrates directly with GitHub, GitLab, Bitbucket, and Azure DevOps for 100% repository coverage from day one.