🔄DevOps and Continuous Integration

Security Scanning Tools

Why This Matters

In DevOps and CI/CD, security isn't a phase—it's a continuous practice woven into every stage of your pipeline. You're being tested on understanding how different scanning tools fit into the shift-left security philosophy, where vulnerabilities are caught early rather than discovered in production. The tools in this guide represent distinct approaches: static analysis, dynamic analysis, dependency scanning, network reconnaissance, and penetration testing. Knowing which tool addresses which attack surface is essential for designing secure pipelines.

Don't just memorize tool names and features—understand what type of vulnerability each tool detects, where in the pipeline it belongs, and how it integrates with your CI/CD workflow. Exam questions often present scenarios asking you to select the appropriate tool for a specific security concern, so focus on the underlying principles each tool demonstrates.


Static Application Security Testing (SAST)

Static analysis tools examine source code (or compiled bytecode) without executing it, catching patterns such as SQL queries assembled from strings, hardcoded credentials, and other insecure coding practices before the code ever runs. Because they never observe the running system they cannot see deployment configuration and they produce false positives that need triage; in exchange they run on every commit and point at the exact line to fix.

SonarQube

  • Continuous code inspection—analyzes both code quality and security vulnerabilities in a single platform
  • Multi-language support covers roughly 30 programming languages, making it versatile for polyglot codebases
  • Quality gates can block merges when security thresholds aren't met, enforcing standards automatically

Checkmarx

  • Source code analysis identifies vulnerabilities like injection flaws and authentication weaknesses at the code level
  • Remediation guidance provides developers with specific fix recommendations, not just problem reports
  • IDE integration allows developers to scan code locally before committing, catching issues at the earliest possible stage

Fortify

  • Comprehensive SAST engine from Micro Focus (now part of OpenText) covers enterprise-scale applications with deep analysis capabilities
  • Audit workbench helps security teams triage findings and reduce false positives efficiently
  • DevSecOps integration connects with Jenkins, Azure DevOps, and other CI/CD platforms natively

Compare: SonarQube vs. Checkmarx—both perform static analysis, but SonarQube emphasizes code quality alongside security while Checkmarx focuses exclusively on security vulnerabilities. If an exam scenario involves maintaining code maintainability AND security, SonarQube is your answer.
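To make concrete what "examining source code without executing it" means, here is an added example in Python, not code from this guide or from SonarQube, Checkmarx or Fortify. It walks the abstract syntax tree for two of the defect classes named above, a string literal assigned to a credential-looking name and a SQL sink fed by concatenation or formatting, and then applies a SonarQube-style quality gate that fails the build when high-severity findings exceed a threshold. The rule names, severities, sample source and threshold are constructed for the example.

```python
"""Toy SAST pass: inspect Python source via its AST, never executing it.

Added example; not code from this guide or from SonarQube/Checkmarx/Fortify.
Rule names, severities and the sample source are constructed.
"""
import ast
from dataclasses import dataclass

SECRET_HINTS = ("password", "passwd", "secret", "api_key", "apikey", "token")
SQL_SINKS = {"execute", "executemany"}  # DB-API cursor methods treated as SQL sinks


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    detail: str


def _built_at_runtime(node: ast.AST) -> bool:
    """True if the expression assembles a string from non-constant parts."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x   or   "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format" and isinstance(node.func.value, ast.Constant)):
        return True                                           # "...{}".format(x)
    return False


class Analyzer(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        # Rule 1: a non-empty string literal assigned to a credential-looking name.
        for target in node.targets:
            if (isinstance(target, ast.Name)
                    and any(h in target.id.lower() for h in SECRET_HINTS)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str) and node.value.value):
                self.findings.append(Finding("hardcoded-credential", "high", node.lineno,
                                             f"{target.id} is assigned a string literal"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        # Rule 2: a SQL sink whose first argument is assembled at runtime.
        if (isinstance(node.func, ast.Attribute) and node.func.attr in SQL_SINKS
                and node.args and _built_at_runtime(node.args[0])):
            self.findings.append(Finding("sql-injection", "high", node.lineno,
                                         "query built by string formatting; use bound parameters"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.findings, key=lambda f: f.line)


def quality_gate(findings: list[Finding], max_high: int = 0) -> bool:
    """SonarQube-style gate: True means the merge may proceed."""
    return sum(1 for f in findings if f.severity == "high") <= max_high


# Constructed sample under test: one hardcoded secret, one injectable query, one safe query.
SAMPLE_SOURCE = '''
import sqlite3
DB_PASSWORD = "hunter2"
def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line}: [{f.severity}] {f.rule}: {f.detail}")
    print("quality gate:", "PASS" if quality_gate(results) else "FAIL")
```

The parametrized query on line 7 of the sample is deliberately left alone: the analyzer reasons about how the query string was built, not about what it says, which is exactly why a real SAST engine can flag the concatenation but still needs a human to confirm that `user` is actually attacker-controlled.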


Dynamic Application Security Testing (DAST)

Dynamic scanners test a running application by sending requests that simulate attacks, finding vulnerabilities that only manifest during execution such as authentication bypasses, session management flaws, and missing security headers. Because they need a deployed instance to talk to, they run later in the pipeline than SAST, typically against a test or staging environment.

OWASP ZAP (Zed Attack Proxy)

  • Open-source DAST scanner, one of the most widely used free tools for web application security testing
  • Active and passive scanning modes: passive scanning only inspects traffic that passes through the proxy and is safe to run anywhere, while active scanning sends attack payloads and must be pointed only at systems you own or are authorized to test
  • API scanning supports REST, GraphQL, and SOAP endpoints, critical for modern microservices architectures

Acunetix

  • Automated vulnerability detection identifies OWASP Top 10 issues including SQL injection, XSS, and CSRF
  • Proof-of-exploit provides evidence that vulnerabilities are actually exploitable, reducing false positive noise
  • CI/CD plugins for Jenkins, GitLab, and Azure DevOps enable scheduled scans on every deployment

Burp Suite

  • Proxy-based interception allows security testers to inspect and modify traffic between browser and application
  • Professional-grade scanner combines automated crawling with manual testing capabilities
  • Extensibility through BApps lets teams add custom scanning rules and integrations

Compare: OWASP ZAP vs. Burp Suite—both are proxy-based web scanners, but ZAP is fully open-source and CI/CD-friendly while Burp Suite offers more advanced manual testing features for professional penetration testers. Burp Suite Enterprise Edition does exist for scheduled and CI-driven scanning, but for a free, scriptable pipeline step ZAP is typically the better choice.
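The difference between passive and active scanning is easiest to see in code. The following is an added example, not code from this guide or from ZAP, Acunetix or Burp Suite: a constructed WSGI application with one endpoint that reflects user input unescaped, driven in-process so nothing touches a network, plus a tiny scanner that runs a passive header check on ordinary responses and an active probe that injects a unique marker and looks for it coming back unencoded. The header policy and the probe marker are placeholders.

```python
"""Toy DAST run against an in-process WSGI target: passive header checks plus an active reflection probe.

Added example; not code from this guide, OWASP ZAP, Acunetix or Burp Suite. The target app,
the header policy and the probe marker are constructed so the example runs offline.
"""
import html
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults


def target_app(environ, start_response):
    """Constructed target: /search reflects ?q= unescaped (vulnerable); any other path escapes it."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    if environ.get("PATH_INFO") == "/search":
        body = f"<h1>Results for {q}</h1>"               # vulnerable: raw reflection
    else:
        body = f"<h1>Results for {html.escape(q)}</h1>"  # safe: HTML-encoded
    start_response("200 OK", [("Content-Type", "text/html")])  # no security headers at all
    return [body.encode()]


def request(app, path, params):
    """Drive a WSGI app directly, the way a scanner drives an HTTP endpoint, without a network."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urlencode(params)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options", "X-Frame-Options")
PROBE = "<dast-probe-7f3a>"  # unique, harmless marker; a real scanner tries many encodings of real payloads


def passive_scan(headers):
    """Passive mode: observe an ordinary response; nothing hostile is sent."""
    return [f"missing-header:{h}" for h in REQUIRED_HEADERS if h not in headers]


def active_scan(app, path, param="q"):
    """Active mode: inject the marker and report the parameter if it returns unencoded."""
    _, _, body = request(app, path, {param: PROBE})
    return [f"reflected-xss:{path}?{param}"] if PROBE in body else []


def scan(app, paths):
    """Visit each path, run both modes, and return de-duplicated findings."""
    findings = set()
    for path in paths:
        _, headers, _ = request(app, path, {"q": "test"})
        findings.update(passive_scan(headers))
        findings.update(active_scan(app, path))
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan(target_app, ["/search", "/safe"]):
        print(finding)
```

Note what the active probe does and does not prove: the marker returning verbatim shows the parameter is reflected without encoding, which is the same evidence a scanner's "reflected XSS" alert rests on, but it is still a detection, not a demonstrated exploit. The passive check never changes a request, which is why passive mode is the one that can run against anything the proxy happens to see.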


Software Composition Analysis (SCA)

SCA tools scan your project's dependencies—the code you didn't write—checking third-party libraries against known vulnerability databases like the National Vulnerability Database (NVD).

Snyk

  • Developer-first design integrates directly into IDEs, Git repos, and container registries for frictionless adoption
  • Automatic fix PRs can generate pull requests that upgrade vulnerable dependencies to safe versions
  • Container and IaC scanning extends beyond code dependencies to Docker images and Terraform configurations

Dependency-Check

  • OWASP project provides free, open-source scanning that identifies each dependency (by CPE) and matches it against CVE entries in the NVD; that fuzzy identification step is where most of its false positives come from, so expect to maintain a suppression file
  • Build tool integration works with Maven, Gradle, npm, and other package managers through plugins
  • Offline capability can run without internet access using downloaded vulnerability databases

Veracode

  • Enterprise SCA platform combines dependency scanning with SAST and DAST in a unified solution
  • Policy enforcement lets organizations define acceptable risk thresholds and block non-compliant builds
  • Software Bill of Materials (SBOM) generation helps with compliance and supply chain transparency

Compare: Snyk vs. Dependency-Check—both identify vulnerable dependencies, but Snyk offers automated remediation and commercial support while Dependency-Check is completely free and self-hosted. For teams with budget constraints, Dependency-Check delivers solid coverage at zero cost, though since its move to the NVD 2.0 API an NVD API key is recommended to keep database updates from taking a very long time.
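The mechanics behind every SCA tool in this section are the same: resolve the exact versions the build will ship, compare each against affected-version ranges from an advisory feed, compute the smallest upgrade that clears the findings, and apply a severity policy. The following added example in Python (not code from this guide, Snyk, Dependency-Check or Veracode) does that for a constructed npm `package-lock.json`; the package names, versions and `EXAMPLE-*` advisory IDs are placeholders and describe no real packages or CVEs. It also shows why a lockfile must be walked by install path rather than by name: a nested copy of a dependency can be older than the hoisted one.

```python
"""Toy SCA pass: match lockfile versions against an advisory feed, propose upgrades, enforce policy.

Added example; not code from this guide, Snyk, Dependency-Check or Veracode. The lockfile,
package names and advisory IDs (EXAMPLE-*) are constructed and do not describe real packages.
"""
import json


def parse_version(v: str) -> tuple:
    """'4.17.20' -> (4, 17, 20). Prerelease/build suffixes are dropped for this example."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(x) for x in core.split("."))


# Constructed advisory feed, shaped like the range data SCA tools derive from NVD/OSV.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "left-pad-ish", "introduced": "1.0.0", "fixed": "1.3.1", "severity": "high"},
    {"id": "EXAMPLE-2024-0002", "package": "left-pad-ish", "introduced": "1.0.0", "fixed": "1.4.0", "severity": "medium"},
    {"id": "EXAMPLE-2023-0100", "package": "tiny-yaml",    "introduced": "0.0.0", "fixed": "2.0.0", "severity": "critical"},
]


def lockfile_dependencies(lock: dict) -> list:
    """npm lockfileVersion 2/3: 'packages' keys are install paths; the name is the last node_modules segment.
    Keying by path keeps two installed copies of one package (hoisted and nested) distinct."""
    deps = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        deps.append((path, path.rsplit("node_modules/", 1)[-1], meta["version"]))
    return deps


def affected(advisory: dict, version: str) -> bool:
    """Half-open range: introduced <= version < fixed."""
    return parse_version(advisory["introduced"]) <= parse_version(version) < parse_version(advisory["fixed"])


def scan_lockfile(lock: dict, advisories=ADVISORIES) -> list:
    findings = []
    for path, name, version in lockfile_dependencies(lock):
        hits = [a for a in advisories if a["package"] == name and affected(a, version)]
        if hits:
            # Smallest upgrade that clears every matching advisory: what an automatic fix PR would pin.
            fix = max((a["fixed"] for a in hits), key=parse_version)
            findings.append({"path": path, "package": name, "version": version,
                             "advisories": [a["id"] for a in hits], "fix": fix})
    return findings


def policy_allows(findings: list, advisories=ADVISORIES, block_at=("critical", "high")) -> bool:
    """Veracode-style policy: the build is blocked if any finding carries a blocked severity."""
    severity = {a["id"]: a["severity"] for a in advisories}
    return not any(severity[i] in block_at for f in findings for i in f["advisories"])


# Constructed package-lock.json: a hoisted safe tiny-yaml and a nested, older, vulnerable one.
SAMPLE_LOCK = json.loads("""{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/left-pad-ish": {"version": "1.2.0"},
    "node_modules/tiny-yaml": {"version": "2.1.0"},
    "node_modules/express-ish": {"version": "4.18.2"},
    "node_modules/express-ish/node_modules/tiny-yaml": {"version": "1.9.3"}
  }
}""")

if __name__ == "__main__":
    results = scan_lockfile(SAMPLE_LOCK)
    for r in results:
        print(f"{r['path']}@{r['version']}: {', '.join(r['advisories'])} -> upgrade to {r['fix']}")
    print("policy:", "PASS" if policy_allows(results) else "FAIL")
```

Scanning the manifest (`package.json`) instead of the lockfile would miss the nested `tiny-yaml` entirely, which is the practical reason SCA tools insist on lockfiles or a resolved dependency graph.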


Network and Infrastructure Scanning

These tools assess the infrastructure layer—discovering hosts, open ports, misconfigurations, and system-level vulnerabilities that application scanners miss.

Nmap

  • Network discovery maps hosts, open ports, and running services across your infrastructure
  • Service fingerprinting identifies software versions, helping correlate with known CVEs
  • Scripting engine (NSE) enables custom vulnerability checks and automation through Lua scripts

Nessus

  • Comprehensive vulnerability assessment scans operating systems, network devices, and applications
  • Plugin architecture with 100,000+ checks covering CVEs, misconfigurations, and compliance standards
  • Credentialed scanning logs into systems for deeper analysis than external-only scans can provide

OpenVAS

  • Open-source alternative to commercial scanners, maintained by Greenbone
  • Network Vulnerability Tests (NVTs) updated regularly through community and commercial feeds
  • Web-based management through Greenbone Security Assistant provides accessible reporting dashboards

Qualys

  • Cloud-native platform eliminates the need to deploy and maintain scanning infrastructure
  • Continuous monitoring detects new vulnerabilities as they emerge, not just during scheduled scans
  • Compliance modules map findings to frameworks like PCI-DSS, HIPAA, and CIS benchmarks

Compare: Nessus vs. OpenVAS—both perform comprehensive vulnerability scanning, but Nessus offers commercial support and more polished reporting while OpenVAS is fully open-source and free for unlimited IPs. For exam scenarios involving cost-sensitive environments, OpenVAS is the go-to answer.
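In a pipeline the discovery step usually ends with Nmap's XML output (`-oX`) being parsed and turned into a pass/fail decision. The following added example in Python (not code from this guide or from Nmap, Nessus, OpenVAS or Qualys) does that: it reads a constructed document in the shape of `nmap -sV -oX` output, keeps only open ports with whatever `-sV` fingerprinted, flags anything outside an allow-list, and flags fingerprinted products whose version is below a required floor. The sample XML, the allow-list and the version floor are placeholders an operator would define for their own fleet.

```python
"""Parse `nmap -sV -oX` output and gate on unexpected exposure.

Added example; not code from this guide or from Nmap/Nessus/OpenVAS/Qualys. The XML below is
constructed to mimic Nmap's -oX format, and the allow-list and minimum-version map are
placeholders an operator would define for their own fleet.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.5" start="0">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="6379"><state state="open"/><service name="redis" product="Redis key-value store" version="5.0.7"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""


def _vtuple(v: str) -> tuple:
    """Leading dotted-numeric part only: '8.9p1' -> (8, 9); '1.24.0' -> (1, 24, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def parse_nmap_xml(xml_text: str) -> list:
    """Return one record per open port with whatever -sV fingerprinted for it."""
    services = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            attr = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            services.append({"host": addr, "port": int(port.get("portid")), "proto": port.get("protocol"),
                             "service": attr("name"), "product": attr("product"), "version": attr("version")})
    return services


def exposure_findings(services: list, allowed_ports: set, minimum_versions: dict) -> list:
    """Two checks: ports outside the allow-list, and fingerprinted products below a required version."""
    findings = []
    for s in services:
        if s["port"] not in allowed_ports:
            findings.append(f"{s['host']}:{s['port']}/{s['proto']} unexpected open port ({s['service']})")
        floor = minimum_versions.get(s["product"])
        if floor and s["version"] and _vtuple(s["version"]) < _vtuple(floor):
            findings.append(f"{s['host']}:{s['port']}/{s['proto']} {s['product']} {s['version']} is below required {floor}")
    return findings


# Placeholder policy for the example fleet: only SSH and HTTPS may be reachable; Redis must be >= 6.0.0.
ALLOWED_PORTS = {22, 443}
MINIMUM_VERSIONS = {"Redis key-value store": "6.0.0"}

if __name__ == "__main__":
    found = exposure_findings(parse_nmap_xml(SAMPLE_NMAP_XML), ALLOWED_PORTS, MINIMUM_VERSIONS)
    print("\n".join(found) or "no findings")
    raise SystemExit(1 if found else 0)  # non-zero exit fails the pipeline step
```

Version fingerprints from `-sV` are banner-derived and can be wrong or absent, so the version check here is a cheap tripwire, not a substitute for a credentialed Nessus or OpenVAS scan that reads installed package versions from the host itself.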


Penetration Testing and Exploitation

These tools go beyond detection to actively exploit vulnerabilities, proving real-world impact and helping teams understand attack chains. Because they can crash services and leave artifacts behind, they require explicit authorization and belong in isolated test environments, never against shared or production systems.

Metasploit

  • Exploitation framework contains thousands of verified exploits for testing vulnerable systems
  • Post-exploitation modules demonstrate lateral movement and privilege escalation scenarios
  • Automation through msfconsole resource scripts (msfconsole -r) enables scripted runs that can validate exploitability as a CI step, provided the target is a disposable test instance rather than production

Nikto

  • Web server scanner checks for dangerous files, outdated software, and server misconfigurations
  • Lightweight and fast, but noisy: it issues thousands of requests with no attempt at stealth, so it suits quick checks against your own staging hosts during pipeline security checks rather than covert reconnaissance
  • Tuning options let you focus scans on specific vulnerability categories to reduce noise

Compare: Metasploit vs. Nikto—Metasploit is a full exploitation framework for proving vulnerabilities are exploitable, while Nikto is a reconnaissance scanner that identifies potential issues without exploitation. Use Nikto for discovery, Metasploit for validation.


Quick Reference Table

Concept                         | Best Examples
--------------------------------|------------------------------------------------
Static Analysis (SAST)          | SonarQube, Checkmarx, Fortify
Dynamic Analysis (DAST)         | OWASP ZAP, Acunetix, Burp Suite
Dependency/SCA Scanning         | Snyk, Dependency-Check, Veracode
Network Vulnerability Scanning  | Nessus, OpenVAS, Qualys
Network Discovery               | Nmap
Penetration Testing             | Metasploit, Nikto
Open-Source Options             | OWASP ZAP, OpenVAS, Dependency-Check, Nikto, Nmap
Cloud-Hosted (SaaS) Platforms   | Qualys, Snyk, Veracode

Self-Check Questions

  1. Which two tools would you combine to achieve both static code analysis AND dynamic runtime testing in a CI/CD pipeline?

  2. A team needs to scan their Node.js application's package.json dependencies for known CVEs without paying for commercial tools. Which scanner should they use, and why?

  3. Compare and contrast OWASP ZAP and Burp Suite: when would you choose one over the other in a DevOps context?

  4. Your pipeline deploys containerized microservices to Kubernetes. Which scanning tool can analyze both your application dependencies AND your Docker images for vulnerabilities?

  5. An FRQ asks you to design a "shift-left" security strategy. Which category of tools (SAST, DAST, or SCA) should run earliest in the pipeline, and which tool from this guide best represents that category?