Best open-source application security tools

Open-source application security tools you can self-host and inspect. A neutral list of the open-source application security options in our directory, compared on capabilities, deployment, and sources. We do not crown a single winner; tools are listed alphabetically.

3 tools listed · 2026 · No editorial scoring

What this shortlist looks at

Tools listed here

Semgrep

Security-conscious development teams that want fast, customizable static analysis with the ability to write organization-specific security rules

Lightweight, open-source static analysis with intuitive pattern-matching rules and fast scan performance

SonarQube

Development teams that want combined code quality and security analysis with quality gate enforcement in CI/CD pipelines

Open-source code quality and security analysis platform with broad language support

Trivy

DevOps and platform engineering teams that need a fast, open-source vulnerability scanner for containers and Kubernetes environments with zero configuration overhead

Open-source vulnerability scanner for containers, file systems, IaC, and Kubernetes with zero-config setup