Top OSS Vulnerability Scanners [By Category]

Wiz Experts Team

What is vulnerability scanning?

Vulnerability scanning is the continuous, automated search for known weaknesses across your cloud, containers, applications, hosts, and code. Scanners inventory assets, analyze configurations and versions, and map those details to vulnerability intelligence (such as CVEs, advisories, and security policies) to surface issues before they’re exploited. Unlike ad‑hoc tests, modern scanners plug into your cloud accounts and CI/CD pipelines and turn findings into prioritized, trackable workflows.


Key considerations for vulnerability scanners

At Wiz, we believe the right scanner fits your environment and turns signal into action – not just more alerts. We prioritize fast integration, broad coverage, and clear risk‑based ranking so teams fix what matters first.

  • Automate early: We recommend triggering scans on every commit and build across GitLab CI, Jenkins, GitHub Actions, Azure DevOps, and more to deliver rapid, developer‑friendly feedback.

  • Maximize coverage: In our view, the best results come from combining signals across cloud resources, networks, applications, containers, and hosts to reveal real attack paths and ownership.

  • Streamline deployment: Favor low‑overhead approaches – agentless collection or single‑binary tools – that work across your cloud and CI/CD ecosystem for faster time‑to‑value.

  • Drive risk‑based action: Prioritize using severity, external exposure, exploitability, and business context – the same dimensions we use – to focus effort where it reduces risk fastest.

Open-source vulnerability scanning tools (no particular order)

With those criteria in mind, here’s a quick reference to widely used open-source scanners. Most focus on a specific layer; teams often combine several to cover the full stack and SDLC.

Tool Type | Tool Name | Capability | Strength
Network vulnerability scanners | Aircrack-ng | Monitoring wireless networks | Seamless packet injection
Network vulnerability scanners | Masscan | Network troubleshooting and security auditing | Fast scans
Application vulnerability scanners | Arachni | Web app security testing | Customizable and distributed scans
Application vulnerability scanners | Burp Suite | Web application scanning and testing | Enables active and passive scans
Container vulnerability scanners | Clair | Static container vulnerability scanning | Can be customized to suit various use cases without forking
Container vulnerability scanners | Anchore Engine | Container vulnerability scanning and compliance management | Can be integrated into CI pipelines for automated scans
Code vulnerability scanners | KICS | IaC code scanning and compliance assessment | Vulnerability risk scores
Code vulnerability scanners | Gitleaks | Git code scanning | Git history and version scanning
Endpoint vulnerability scanners | Lynis | Endpoint security auditing and hardening | Highly extensible
Endpoint vulnerability scanners | OSSEC | Endpoint vulnerability scanning and compliance checks | Host-based intrusion detection

Network vulnerability scanners

Network vulnerability scanners assess LANs, servers, and systems for security risks, such as outdated software, misconfigurations, suspicious traffic patterns, and open ports.

Aircrack-ng

Aircrack-ng is a suite of tools designed mainly for monitoring, attacking, and cracking 802.11 wireless networks. It sniffs packets and captures hashes, collecting insights needed to crack WEP and WPA/WPA2 pre-shared key (PSK) passwords. This in turn lets you know how easily attackers can decrypt your network traffic and packets. 

Aircrack supports various attack techniques like deauthentication, packet injection, brute force, replay, and dictionary-based password cracking attacks. It comes pre-installed in Kali Linux and can be accessed by typing the following command in the terminal:

aircrack-ng --help

You'll then receive an output displaying various Aircrack-ng commands you can deploy for your vulnerability scans.

Figure 1: Vulnerability scanning with Aircrack-ng (Source: Medium)

How Aircrack-ng works 

You can use any of the tools within Aircrack-ng to conduct a wide range of scans. For instance, you can scan the network using airodump-ng to find suspicious activity or rogue access points.

Masscan 

Known for its remarkable speed and scalability, Masscan is a lightweight network security vulnerability scanner and reconnaissance tool. It’s ideal for scanning IP addresses, open ports, and other network components.

Figure 2: Sample Masscan vulnerability scan (Source: GitHub)

How Masscan works

You can use Masscan to detect rogue services, firewall outage/tampering, or misconfigured devices that could result in sensitive data exposure. 

For example, you can find misconfigurations by scanning your entire network (Hello, fast scans!), focusing on commonly exploited ports like 80, 22, and 443. Masscan then outputs a report showing all misconfigurations detected—e.g., open port 21 (showing that the unencrypted FTP is being used) or weak authentication and authorization in port 22 (creating potential for brute force attacks and remote code execution).
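One way to turn a scan of your own network into the rogue-service and cleartext-protocol findings described above, as an added example (not Masscan's code): it assumes Masscan's list output layout (-oL: status, protocol, port, IP, timestamp), and the addresses, baseline and port labels are constructed.

```python
# Constructed sample in the -oL list layout: status proto port ip timestamp
SCAN_OUTPUT = """\
#masscan
open tcp 443 10.0.0.10 1700000000
open tcp 22 10.0.0.10 1700000001
open tcp 21 10.0.0.20 1700000002
open tcp 8080 10.0.0.30 1700000003
# end
"""

# Hypothetical baseline: the (ip, port) listeners the asset owners have approved.
BASELINE = {("10.0.0.10", 443), ("10.0.0.10", 22),
            ("10.0.0.20", 21), ("10.0.0.40", 443)}

# Ports whose usual protocol sends credentials or data unencrypted.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

def parse(text):
    """Return the set of (ip, port) pairs reported open over TCP."""
    seen = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "open":
            continue  # skip '#masscan', '# end' and malformed lines
        _, proto, port, ip, _timestamp = fields
        if proto == "tcp" and port.isdigit():
            seen.add((ip, int(port)))
    return seen

def triage(seen, baseline):
    """Diff the scan against the baseline and flag cleartext services."""
    return {
        # Open but never approved: rogue service or a firewall rule that changed.
        "unexpected": sorted(seen - baseline),
        # Approved but not seen: service down or newly filtered.
        "missing": sorted(baseline - seen),
        # Approved or not, these expose unencrypted protocols.
        "cleartext": sorted((ip, port, CLEARTEXT_PORTS[port])
                            for ip, port in seen if port in CLEARTEXT_PORTS),
    }

if __name__ == "__main__":
    for category, items in triage(parse(SCAN_OUTPUT), BASELINE).items():
        print(category, items)
```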

Application vulnerability scanners

Application scanners are automated tools that find insecure configurations, outdated libraries, and code vulnerabilities in software applications.

Arachni

Arachni is a modular web app vulnerability scanner and security testing tool designed to uncover code and input validation vulnerabilities like SQL injection, cross-site request forgery (CSRF), and file inclusion weaknesses.

Figure 3: How Arachni works (Source: Medium)

How Arachni works 

You can use Arachni to scan apps or websites with PINs or credit card numbers collected during transactions. First, you’ll need to set up Arachni on your servers and provide authentication credentials to enable it to crawl your website to identify user input fields for collecting sensitive customer data (e.g., login services, payment dashboards, and checkout processes).

Burp Suite CE

Burp Suite comprises a set of tools for identifying and exploiting web app vulnerabilities. It has an advanced crawler for identifying input fields, forms, and links. Its Interception proxy enables the detection of proxy-based attacks like CSRF and its Intruder tool allows for pen testing via parameter manipulation and brute force attacks. 

Figure 4: Burp Suite dashboard (Source: Medium)

How Burp Suite works

Burp Suite works like a man-in-the-middle, intercepting packets moving from client to server and analyzing them for security vulnerabilities. To get started, install Burp Suite CE and configure your browser to use 127.0.0.1:8080 as its proxy. Then, navigate the target website as a typical user or threat actor would, enabling Burp Suite to capture HTTP requests and responses to detect malicious packets or inputs. You can also test for password vulnerabilities by using Intruder to perform brute-force scans against login pages.

Container vulnerability scanners

Container vulnerability scanners check for security gaps and misconfigurations that attackers can exploit in containers.

Clair

Clair is a scanner that conducts static vulnerability analysis of containers and container images. It’s often deployed to work with built-in container vulnerability scanners available in common container registries like AWS ECR and Quay.

How Clair works

Clair works by continuously importing CVE data from pre-configured databases like the National Vulnerability Database (NVD). To use Clair, create a docker-compose file containing a Clair container (for the API) and a PostgreSQL container (for CVE data storage). 

Anchore Engine

Anchore Engine is a command-line vulnerability scanner for detecting security weaknesses and compliance issues in containers within CI pipelines.

Figure 5: The Anchore Engine product page (Source: Anchore Engine)

How Anchore Engine works

Anchore Engine works by first fetching a container image from a pre-configured registry, then generating a software bill of materials (SBOM), indexing all components of the image. Afterwards, it compares the indexed components—e.g., software packages—to a vulnerability database, correlating the software risks with known vulnerabilities.
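The SBOM-to-database comparison described above, as an added example (not Anchore Engine's code): the package names, advisory IDs and version ranges are constructed, and versions are assumed to be plain dotted numbers rather than distro-specific schemes.

```python
from dataclasses import dataclass
from typing import Optional

def vkey(version: str) -> tuple:
    """'1.2.10' -> (1, 2, 10): compare numerically, since '1.2.10' < '1.2.9' as strings."""
    return tuple(int(part) for part in version.split("."))

@dataclass(frozen=True)
class Advisory:
    vuln_id: str           # placeholder identifier (constructed)
    package: str
    introduced: str        # first affected version, inclusive
    fixed: Optional[str]   # first fixed version, exclusive; None = no fix released
    severity: str

# Constructed SBOM for a hypothetical image: one entry per indexed component.
SBOM = [
    {"name": "libexample", "version": "1.2.10"},
    {"name": "webframework", "version": "4.0.1"},
    {"name": "tinyjson", "version": "0.9.0"},
    {"name": "imgcodec", "version": "2.3.0"},
]

# Constructed advisory feed standing in for the vulnerability database.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "libexample", "1.0.0", "1.2.9", "high"),
    Advisory("EXAMPLE-0002", "webframework", "3.5.0", "4.0.2", "critical"),
    Advisory("EXAMPLE-0003", "imgcodec", "2.0.0", None, "medium"),
    Advisory("EXAMPLE-0004", "webframework", "4.1.0", "4.1.3", "low"),
]

def match(sbom, advisories):
    """Return (package, version, vuln_id, severity, fix) for each affected component."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    findings = []
    for comp in sbom:
        ver = vkey(comp["version"])
        for adv in by_package.get(comp["name"], []):
            if ver < vkey(adv.introduced):
                continue  # older than the vulnerable range
            if adv.fixed is not None and ver >= vkey(adv.fixed):
                continue  # already at or past the fixed version
            findings.append((comp["name"], comp["version"], adv.vuln_id,
                             adv.severity, adv.fixed or "no fix available"))
    return findings

if __name__ == "__main__":
    for finding in match(SBOM, ADVISORIES):
        print(finding)
```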

Code vulnerability scanners

Code vulnerability scanners are designed to identify potential vulnerabilities in source code and binary files throughout the software development lifecycle.

KICS

Keeping Infrastructure as Code Secure (KICS) is an infrastructure as code (IaC) security scanner for detecting vulnerabilities in IaC tools – like Terraform, Docker, Ansible – before code is shipped.

Figure 6: KICS logo (Source: KICS)

How KICS works 

KICS comes with robust built-in and customizable policy templates that enable it to scan IaC files for misconfigurations, vulnerabilities, and compliance violations. It covers a wide range of compliance standards, such as GDPR, PCI DSS, and HIPAA, and enforces security best practices. KICS parses IaC files, extracts relevant metadata, and matches the data against the CIS’s library of built-in custom rules.

Gitleaks

Gitleaks is a code scanner for identifying hard-coded secrets, such as passwords, private keys, API keys, and tokens in code repos before they are exploited by attackers.

Figure 7: Gitleaks code scanning (Source: Gitleaks)

How Gitleaks works

Gitleaks can scan code before or after it is committed to Git. If you’ve written some code and need to be sure it contains no secrets or vulnerabilities before pushing it to Git, you’d run the following command:

gitleaks protect . 

This will trigger Gitleaks to run a regex scan on the code file, comparing patterns within your code to a set of predefined patterns for detecting common secrets. You can also configure Gitleaks to automatically scan your code or repos for secrets every time code changes are made. Once it finds a matching pattern, Gitleaks alerts you, pinpointing the problematic part of the code. 
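The pattern-matching step described above, sketched as an added example (not Gitleaks' code or rule set): the rule names, regexes, entropy threshold and sample file are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Illustrative rules: (id, regex with the secret in group 1, minimum Shannon
# entropy for group 1 or None). Assumptions, not Gitleaks' shipped rules.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), None),
    ("private-key-header",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"), None),
    ("generic-assignment",
     re.compile(r"""(?i)(?:password|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{8,})['"]"""),
     3.0),
]

# Constructed sample file; the AKIA value is the well-known documentation example key.
SAMPLE = '''\
import os
aws_key = "AKIAIOSFODNN7EXAMPLE"
password = "xxxxxxxxxxxx"
db_password = "x9$Lq2!vRt7#pZw4"
token = os.environ["API_TOKEN"]
-----BEGIN OPENSSH PRIVATE KEY-----
'''

def shannon_entropy(s):
    """Bits per character; placeholder values such as 'xxxxxxxx' score near 0."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(secret):
    """Keep only a short prefix so the report does not leak the secret again."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan(text, path="<stdin>"):
    """Return one finding per rule match, with file, line number and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern, min_entropy in RULES:
            for m in pattern.finditer(line):
                secret = m.group(1)
                if min_entropy is not None and shannon_entropy(secret) < min_entropy:
                    continue  # low-entropy value: likely a placeholder, not a secret
                findings.append({"rule": rule_id, "file": path,
                                 "line": lineno, "match": redact(secret)})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE, "app/config.py"):
        print(finding)
```

The environment-variable lookup on line 5 of the sample produces no finding, and the entropy floor drops the placeholder on line 3 at the cost of missing low-entropy real passwords.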

Endpoint vulnerability scanners

Endpoint vulnerability scanners detect software, OS, and configuration weaknesses on endpoint devices such as desktops, mobile devices, and servers.

Lynis

Lynis is a lightweight endpoint security auditing tool for Unix-based systems. It can be used to run continuous or scheduled scans to facilitate ongoing security posture management. 

Figure 8: Installing Lynis (Source: Lynis)

How Lynis works 

Lynis assesses endpoints for issues with system and network configuration, file permissions, and authentication settings. To get Lynis to assess your endpoints for security risks, install it from source or through a package manager. Then run the audit command to scan a device locally, remotely, or inside a Docker container.

OSSEC

OSSEC is a host-based intrusion detection system (HIDS) for monitoring and auditing endpoints. OSSEC detects endpoint security risks like suspicious activities, rootkits, malware, unauthorized access, and policy violations. 

Figure 9: OSSEC issues page (Source: OSSEC)

How OSSEC works

OSSEC works via agentless and agent-based deployments. It collects data from operating systems, servers, firewalls, routers, and intrusion prevention systems (IPS). It then uses predefined rules and detection signatures to detect known vulnerabilities, attack patterns, and policy violations in endpoint devices.

Vulnerability management with Wiz

Vulnerability scanning is a critical foundation, but effective vulnerability management requires connecting scan results to real-world cloud context. Wiz builds on the signals generated by vulnerability scanners – open-source and commercial alike – by adding prioritization, correlation, and response capabilities designed for cloud-native environments.

Wiz’s agentless vulnerability management capabilities help teams manage vulnerabilities across their full lifecycle, from discovery and contextual prioritization to remediation and continuous monitoring. Because these capabilities are part of the Wiz Cloud-Native Application Protection Platform (CNAPP), vulnerability findings are automatically enriched with cloud context such as exposure, identity permissions, network reachability, and runtime behavior – helping teams understand which issues matter most and why.

Wiz also brings deep vulnerability intelligence into the process. As a CVE Numbering Authority (CNA), Wiz contributes original research and maintains its own vulnerability database, which is used to enhance detection accuracy and keep pace with emerging threats. This research-driven approach helps ensure vulnerability data stays current and relevant as cloud services, runtimes, and attack techniques evolve. Wiz’s Red Hat Vulnerability Scanner certification further reflects its ability to integrate reliably across modern enterprise environments.

Together, open-source vulnerability scanners and Wiz enable a more complete approach: scanners surface issues, and Wiz provides the context and prioritization needed to act on them efficiently at scale. The result is a vulnerability management program that preserves flexibility while reducing noise, shortening remediation cycles, and focusing effort on the risks that truly impact your cloud environment.

If you’d like to see how Wiz complements existing vulnerability scanning tools and fits into your security workflows, request a demo to explore it in action.
