CandyShop is a database of vulnerability scanning tool results. It is available to cybersecurity professionals only.
CandyShop is a DevSecOps project that gives cybersecurity professionals access to the results of the most popular vulnerability scanning tools, so they can compare the tools and understand their capabilities.
Test Beds: OWASP JuiceShop, Broken Crystals, Altoro Mutual, Vulnerable Flask App
Scanning Tools: semgrep, CodeQL, nodejsscan, Nuclei, OWASP ZAP, Dependabot, Dependency Check, Trivy, Grype
| Tool | Type | Scan time | Findings | | | |
|------|------|-----------|----------|---|---|---|
| OWASP ZAP | DAST | 6:59 minutes | 0 | 0 | 32 | 32 |
| Dependency Check | SCA | 3:18 minutes | 0 | 0 | 0 | 0 |
| Trivy | Container Security | 1:24 minutes | 8 | 15 | 16 | 11 |
| Grype | Container Security | 1:50 minutes | 25 | 57 | 77 | 2 |

| Tool | Type | Scan time | Findings | | | |
|------|------|-----------|----------|---|---|---|
| OWASP ZAP | DAST | 6:59 minutes | 0 | 1 | 112 | 136 |
| Dependency Check | SCA | 9:15 minutes | 4 | 30 | 23 | 2 |
| Trivy | Container Security | 3:06 minutes | 45 | 458 | 443 | 1144 |
| Grype | Container Security | 2:56 minutes | 48 | 478 | 445 | 386 |

| Tool | Type | Scan time | Findings | | | |
|------|------|-----------|----------|---|---|---|
| OWASP ZAP | DAST | 16:15 minutes | 0 | 23 | 82 | 126 |
| Dependency Check | SCA | 3:30 minutes | 0 | 0 | 11 | 2 |
| Trivy | Container Security | 0:55 minutes | 95 | 295 | 300 | 362 |
| Grype | Container Security | 0:54 minutes | 112 | 304 | 286 | 190 |
OWASP Juice Shop has been one of the most popular OWASP projects since it was created in 2014 by Björn Kimminich. It is written in Node.js, Express and Angular.
Broken Crystals is one of the newest intentionally vulnerable web applications, developed and maintained by Bright Security.
Altoro Mutual is a vulnerable J2EE banking application developed in 2008 and still maintained by HCL Technologies.
Semgrep is a fast, open-source, static analysis tool for modern languages.
Gosec is a SAST tool for applications developed in Go.
Brakeman is a free vulnerability scanner (SAST) for your Ruby on Rails applications.
Bandit is a free vulnerability scanner (SAST) for your Python applications.
Find Security Bugs is the SpotBugs plugin for security audits of Java web applications.
Security Code Scan analyzes .NET and .NET Core projects in the background (IntelliSense) or during a build.
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos.
NodeJsScan is a static security code scanner for Node.js applications.
Psalm, a free and open-source tool created by Vimeo, finds security vulnerabilities in your PHP codebase.
CodeQL is the code analysis engine developed by GitHub to automate security checks.
OWASP ZAP is the world's most widely used dynamic web application scanner; it is free and open source.
Nuclei is one of the best free, open-source DAST (Dynamic Application Security Testing) tools.
OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Dependabot provides automated dependency updates built into GitHub.
Trivy scans for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets.
Grype is a vulnerability scanner for container images and filesystems.