CandyShop for DevSecOps

9 min read

CandyShop is a database of vulnerability scanning tool results.  It is available to cybersecurity professionals only.  

CandyShop for DevSecOps
Get Access

(29 members now)

What's in CandyShop?

CandyShop is a devsecops project for cybersecurity professionals to access the most popular vulnerability scanning tool results to compare and understand the capabilities.

Test Beds: OWASP JuiceShop, Broken Crystals, Altoro Mutual, Vulnerable Flask App

Scanning Tools: semgrep, CodeQL, nodejsscan, Nuclei, OWASP ZAP, Dependabot, Dependency Check, Trivy, Grype

CandyShop Dashboard
Vulnerability Scans
Semgrep scan result
Scan Statistics:

OWASP Juice Shop - Scan Results

Tool NameTypeDurationCritical HighMediumLow
nodejsscanSAST1:50 minutes0200
semgrepSAST2:24 minutes02420
CodeQLSAST0:20 minutes19148180
NucleiDAST1:09 minutes0001
OWASP ZAPDAST6:59 minutes003232
DependabotSCA0:01 minutes0130
Dependency CheckSCA3:18 minutes0000
TrivyContainer Security1:24 minutes8151611
GrypeContainer Security1:50 minutes2557772

Broken Crystals - Scan Results

Tool NameTypeDurationCritical HighMediumLow
semgrepSAST0:28 minutes002390
CodeQLSAST0:20 minutes411370
NucleiDAST1:09 minutes0010
OWASP ZAPDAST6:59 minutes01112136
DependabotSCA0:21 minutes41662
Dependency CheckSCA9:15 minutes430232
TrivyContainer Security3:06 minutes454584431144
GrypeContainer Security2:56 minutes48478445386

Altoro Mutual - Scan Results

Tool NameTypeDurationCritical HighMediumLow
semgrepSAST0:27 minutes0920
CodeQLSAST0:20 minutes05100
NucleiDAST1:57 minutes0000
OWASP ZAPDAST16:15 minutes02382126
DependabotSCA0:20 minutes0000
Dependency CheckSCA3:30 minutes00112
TrivyContainer Security0:55 minutes95295300362
GrypeContainer Security0:54 minutes112304286190

Vulnerable Web Applications

OWASP Juice Shop

It is one of the most popular OWASP projects since It was created in 2014 by Björn Kimminich. It is written in Node.js, Express and Angular.

OWASP Juice Shop


Known Vulnerabilities:

  • Broken Access Control
  • Broken Anti-Automation
  • Broken Authentication
  • Cross-Site Scripting (XSS)
  • Cryptographic Issues
  • Improper Input Validation
  • Injection
  • Insecure Deserialization
  • Miscellaneous
  • Security Misconfiguration
  • Security through Obscurity
  • Sensitive Data Exposure
  • Unvalidated Redirects
  • Vulnerable Components
  • XML External Entities (XXE)

It is one of the newest intentionally vulnerable web applications developed and maintained by Bright Security.

Broken Crystals


Known Vulnerabilities:

  • Broken JWT Authentication
  • Brute Force Login
  • Common Files
  • Cookie Security
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Default Login Location
  • Directory Listing
  • DOM Cross-Site Scripting
  • File Upload
  • Full Path Disclosure
  • Headers Security Check
  • HTML Injection
  • HTTP Method fuzzer
  • LDAP Injection
  • Local File Inclusion (LFI)
  • Mass Assignment
  • Open Database
  • OS Command Injection
  • Remote File Inclusion (RFI)
  • Secret Tokens
  • Server-Side Template Injection (SSTI)
  • Server-Side Request Forgery (SSRF)
  • SQL injection (SQLI)
  • Unvalidated Redirect
  • Version Control System
  • XML External Entity (XXE)
  • JavaScript Vulnerabilities Scanning

It is a vulnerable J2EE banking application developed in 2008 and still maintained by HCL Technology.

It is a vulnerable Flask Web App developed by Anil Yelkin.

Vulnerable Flask App

Vulnerability Scanners

Static Application Security Testing (SAST)

Semgrep is a fast, open-source, static analysis tool for modern languages. 

Gosec is a SAST tool for applications developed in Go.

Brakeman is a free vulnerability scanner (SAST) for your Ruby on Rails applications.

Bandit is a free vulnerability scanner (SAST) for your Python applications.

Find Security Bugs is the SpotBugs plugin for security audits of Java web applications

Security Code Scan analyzes .NET and .NET Core projects in a background (IntelliSense) or during a build.

Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos.

ESLint is a static code analysis tool for identifying problematic patterns found in JavaScript code.

NodeJsScan is a static security code scanner for Node.js applications.

Find security vulnerabilities in your PHP codebase with Psalm, a free and open-source tool created by Vimeo.

CodeQL is the code analysis engine developed by GitHub to automate security checks.

Dynamic Application Security Testing (DAST)

OWASP ZAP is the world’s most widely used dynamic web app scanner. Free and open source. 

Nuclei is one of the best and free open-source DAST (Dynamic Application Security Testing) tool.

Software Composition Analysis

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index

Automated dependency updates built into GitHub

Container Security

Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets.

A vulnerability scanner for container images and filesystems.

On this page:

6 Responses

  1. You wrote:

    > “Nuclei is one of the best and free open-source DAST (Dynamic Application Security Testing) tool.”

    … while Nuclei consistently had little-to-no findings in any of your tests. Does that suggest that Nuclei actually isn’t that good? Or that ZAP is registering an incredible amount of false positives?

  2. Tess, I would rather say both of them is really good in their own use cases.

    OWASP Zap in the market since 2015 and has a lot of features to offer a better user experience for authentication or session handling. It is designed for more general use cases. However, the team behind Nuclei is coming with a bounty hunter background (at the very top level) and it is there to be sharp and accurate.

    So OWASP Zap may check more issues from a coverage point of view (informational or best practices) and have a better user experience for beginners. And, It may generate more false positives.

    In Nuclei, you choose what checks to happen or create your own template to automate and when it finds an issue it means you catch a fish.

  3. About the comment/question on nuclei, actually, I don’t see or consider nuclei as DAST scanner, and rather it’s more of a vulnerability scanner for known vulnerabilities and misconfigurations, and we can see the same in the result section.

    Nuclei don’t find anything in OWASP JuiceShop as it doesn’t have any template for it and on the side, someone can write templates to detect all the known vulnerabilities in it.

    Whereas in DAST, the aim is to find unknown vulnerabilities, and ZAP or Burp Active Scan will be the right choice of project to use.

  4. Thanks, Sandeep for a great explanation. I wanted to include Nuclei in CandyShop project as it is one of my favorite appsec tool and DAST is the most relevant one in my categories :)

Leave a Reply

Your email address will not be published. Required fields are marked *