
10 Top Free Vulnerability Scanners for 2026

Find the best free vulnerability scanner for your needs in 2026. A detailed comparison of 10 tools for web, network, and cloud security.

Published May 15, 2026 · Updated May 15, 2026


You've just shipped a feature. The deploy is green, monitoring is quiet, and then a critical question shows up. Did that release leave behind an exposed admin path, a forgotten debug page, a weak TLS setting, or a container image with a known CVE?

Free vulnerability scanners help answer that fast. For small teams, they close the gap between “we should check this” and “we have budget and process for a full assessment.” They are useful because they let you test specific risks in the environment you have right now, whether that is a web app, a flat internal network, or a Kubernetes cluster.

The mistake is treating every scanner as interchangeable. They are built for different jobs. ZAP is built for running web apps and APIs. OpenVAS and Nessus focus on hosts, services, and infrastructure exposure. Trivy and Grype are better suited to container images, dependencies, and cloud-native workflows. Nikto has a narrower role than a full DAST tool and is best used for quick checks against common web server issues.

Use that distinction as the selection rule. Start with the target and the question you need answered. If you are checking login flows, headers, and API behaviour, pick a web scanner. If you need visibility into ports, missing patches, and risky services across hosts, use a network and infrastructure scanner. If the concern is image vulnerabilities, IaC drift, or package risk in CI, choose a cloud-native tool. Teams still sorting out the practical difference between static and dynamic testing can use this guide to SAST vs DAST as a quick reference.

That decision framework is the point of this guide. It is less about finding one free vulnerability scanner and more about picking the right free scanner for the job.

1. OWASP ZAP (Zed Attack Proxy)


OWASP ZAP is the free vulnerability scanner I reach for first when the target is a web app or API and I need more than surface-level checks. It gives you passive scanning while you browse, active scanning when you want to probe harder, and proxying when you need to see exactly what the app is sending and receiving.

That mix matters. Plenty of teams think they need “a scanner” when what they need is a repeatable way to inspect authentication, session handling, parameter behaviour, and API responses. ZAP is good at that, especially when you want a practical bridge between manual testing and CI automation.

Where ZAP fits best

ZAP works well in three situations:

  • Developer verification: Run it against a new feature before release and catch obvious web flaws early.
  • Tester workflow: Proxy traffic through it and inspect login flows, headers, tokens, and API calls.
  • Pipeline automation: Use Docker, scripts, or the API for recurring checks in build and release workflows.

If your team is still sorting out SAST vs DAST in practical terms, ZAP is one of the clearest examples of what dynamic testing gives you. It sees the app as a running target, not just source code.

Practical rule: Use ZAP when you need behavioural testing. Don't use it as your only security control for dependencies, hosts, or cloud config.

The downside is tuning. Complex authentication, large single-page apps, anti-automation controls, and sprawling route maps can all reduce signal if you run ZAP with default settings and hope for the best. The scanner is free. Good results still require someone to scope, authenticate, and review findings properly.
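The "pipeline automation" use above usually ends with a ZAP JSON report that something has to judge. The script below is an added example, not ZAP project code: it reads a report of the shape written by ZAP's baseline scan (`zap-baseline.py -t URL -J report.json`, top-level `site` list, each with `alerts` carrying a string `riskcode` from "0" Informational to "3" High), summarises alerts per risk level, and gates the build while honouring a list of plugin ids the team has already triaged. The embedded report, the staging URL and the plugin ids are constructed for the example.

```python
"""CI gate over an OWASP ZAP JSON report (added example, not ZAP project code).

Assumes the report shape ZAP writes for `zap-baseline.py -t URL -J report.json`:
a top-level "site" list whose entries carry an "alerts" list, and each alert has
"riskcode" ("0"=Info .. "3"=High), "alert" (name), "pluginid" and "instances".
The sample report below is constructed for the example.
"""
import json
from collections import Counter

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample: what a baseline scan of a small staging app might return.
SAMPLE_ZAP_REPORT = json.dumps({
    "@version": "2.15.0",
    "site": [{
        "@name": "https://staging.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://staging.example.test/", "method": "GET"},
                           {"uri": "https://staging.example.test/login", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/static/app.js", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://staging.example.test/search?q=x", "method": "GET"}]},
        ],
    }],
})


def load_alerts(report_text):
    """Flatten every site's alerts into (site_name, alert) pairs."""
    report = json.loads(report_text)
    return [(site.get("@name", "?"), alert)
            for site in report.get("site", [])
            for alert in site.get("alerts", [])]


def summarise(report_text):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 1, 'Low': 1}."""
    counts = Counter(RISK_NAMES.get(alert.get("riskcode"), "Unknown")
                     for _, alert in load_alerts(report_text))
    return dict(counts)


def gate(report_text, fail_on="High", ignore_plugins=()):
    """Return (passed, blocking_alerts).

    fail_on is the lowest risk level that blocks the build. ignore_plugins holds
    plugin ids already triaged (accepted risk or tracked in the backlog), so the
    gate does not re-fail on findings someone has already scoped and reviewed.
    """
    threshold = {name: int(code) for code, name in RISK_NAMES.items()}[fail_on]
    blocking = [
        f"{alert['alert']} (plugin {alert['pluginid']}, "
        f"{len(alert.get('instances', []))} instance(s)) on {site}"
        for site, alert in load_alerts(report_text)
        if int(alert.get("riskcode", "0")) >= threshold
        and alert.get("pluginid") not in ignore_plugins
    ]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    # In a pipeline, replace SAMPLE_ZAP_REPORT with open("report.json").read().
    print(summarise(SAMPLE_ZAP_REPORT))
    ok, blocking = gate(SAMPLE_ZAP_REPORT, fail_on="Medium", ignore_plugins=("10038",))
    for line in blocking:
        print("BLOCK:", line)
    raise SystemExit(0 if ok else 1)
```

The suppression list is the part worth keeping: without it, a team that has consciously deferred a Medium header finding ends up lowering `fail_on` for everyone, which is how gates quietly stop gating.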

2. Nikto


Nikto is old, simple, noisy, and still useful. That combination explains why it keeps surviving in real workflows. It's not a full web app scanner in the modern DAST sense, but it's fast at identifying dangerous files, weak server defaults, outdated software fingerprints, and common web server misconfigurations.

For quick triage, that's often enough. If I want a first pass against a target and I'm trying to answer “is there anything embarrassingly exposed here?”, Nikto is still one of the easiest ways to get an answer.

What Nikto does well

Nikto is strongest as a baseline scanner:

  • Fast signal: It checks for known risky files, old components, and common mistakes quickly.
  • Low friction: The CLI is straightforward, which makes it good for ad hoc checks.
  • Good companion tool: It complements ZAP instead of replacing it.

What doesn't work is treating Nikto like an application logic tester. It won't understand business rules, multi-step attacks, or nuanced access control failures. Signature-led tools also tend to produce noise, so you need to review findings with some scepticism.

Nikto is best when you want broad, obvious checks in minutes. It's weaker when you need context, authentication depth, or modern app logic coverage.

If your stack is mostly reverse proxies, CMS installs, legacy admin interfaces, and public web servers, Nikto still earns a place in the toolkit. If your risk is in a React frontend talking to a complicated API, move quickly to ZAP or a more app-aware scanner.

Category 2: Network & Infrastructure Scanners

A common incident pattern looks like this: the web app passes a quick check, but an old management port is still exposed, a forgotten VM is missing patches, or an internal service is running with default settings. Those are infrastructure problems, and they need infrastructure scanners.

These tools focus on questions like: what is exposed, what version is it, what is misconfigured, and what known weaknesses are present? For teams building a repeatable workflow, that sits alongside basic security vulnerability testing in practice.

The useful way to read this category is as a set of jobs, not a flat list of products. Some scanners are better for broad scheduled coverage across hosts. Others are better for fast discovery, targeted validation, or policy checks tied to a standard. That matters if you are deciding between a free tool that fits today's environment and a platform you may outgrow later. The trade-offs are clearer in this comparison of free vs paid security tools.

How to choose in this category

Start with the task.

If the job is recurring host assessment across a mixed estate, pick the heavier scanners:

  • Pick OpenVAS: Best for broad internal scanning, credentialed checks, and recurring assessments across servers and networked systems.
  • Pick Qualys Community Edition: Best if you want cloud-hosted setup, limited management overhead, and your asset count is still small.
  • Pick Nessus Essentials: Best for a lab, pilot, or smaller environment where you want a mature engine and familiar workflows.

If the job is discovery or fast validation, use the lighter tools:

  • Pick Nmap with NSE: Best when you need to map exposed services first, then run focused scripts to verify a suspicion.
  • Pick Tsunami: Best for targeted, high-signal checks against exposed services in automated pipelines or internet-facing reviews.
  • Pick OpenSCAP: Best for Linux baselines, compliance work, and configuration assessment tied to benchmarks and standards.

In practice, teams get better results when they combine one broad scanner with one precise utility. A scheduled scanner will tell you where to look. Nmap, OpenSCAP, or Tsunami will help confirm what matters before you hand findings to operations.

3. Greenbone OpenVAS Community Edition

Greenbone OpenVAS Community Edition fits the job when the task is recurring infrastructure assessment across a mixed internal estate. If you need to scan Linux and Windows hosts, network services, common server software, and middleware with both authenticated and unauthenticated checks, this is the free option I would reach for before lighter tools like Nmap scripts or single-purpose web scanners.

The trade-off is setup and maintenance. OpenVAS gives you broad host coverage, but you pay for it in deployment time, feed updates, credential handling, and scan tuning. That makes it a better fit for teams that plan to run scheduled assessments, not just a quick one-off sweep.

What it does well is depth across traditional infrastructure. With working credentials, it can inspect hosts from the inside and produce findings that are usually more useful than surface-level port and banner checks. For internal vulnerability management, that matters.

Where it fits best

Use OpenVAS when the question is, “What is exposed or outdated across this subnet, server group, or internal environment?” It is stronger at estate-wide host assessment than fast validation.

It is a good pick for:

  • Recurring internal scans: Better suited to scheduled reviews than ad hoc checks.
  • Credentialed assessment: More useful when you can scan servers with authenticated access.
  • Mixed infrastructure: Helpful in environments with different operating systems, services, and legacy systems.
  • Teams comparing free and paid scanner paths: The operational overhead becomes clearer when you review the trade-offs between free and paid security tools.

The main downside is output volume. OpenVAS can generate a long findings list, and that list still needs triage, asset context, and tuning before it becomes an action plan for operations.

If the job is broad internal coverage, OpenVAS earns its place. If the job is fast service discovery or a narrow verification check, it is usually more scanner than you need.

4. Qualys Community Edition (VM + WAS)

Qualys Community Edition is for teams that want a free vulnerability scanner without hosting the scanner stack themselves. That's the main appeal. You get a SaaS workflow, a recognised scanning engine, and reporting that feels closer to how larger security programmes operate.

The catch is the footprint cap. According to the Qualys Community Edition details referenced for this comparison, it covers vulnerability scanning for up to 16 internal and 3 external IPs, plus web application scanning for 1 URL. For a startup or a compact environment, that can be enough. For a growing estate, it becomes restrictive quickly.

When it's the right pick

Qualys Community Edition fits best when:

  • You don't want scanner infrastructure: SaaS management is the big advantage.
  • You need credible small-scale coverage: Good for a startup perimeter or lab.
  • You want both VM and limited WAS: Useful when one platform covering both is enough.

The limitation isn't quality. It's growth. Once your asset count expands, or you need wider continuous scanning, the free tier stops being a long-term strategy and becomes a stepping stone. That's still valuable. A lot of teams need a stepping stone.

5. Tenable Nessus Essentials

Tenable Nessus Essentials is often the easiest way to get hands-on with a widely recognised vulnerability assessment workflow. The interface is approachable, the scan templates are familiar, and the plugin model is mature enough that most practitioners already know roughly what to expect from it.

For a home lab, training environment, or small internal network, it's a very reasonable choice. It gives you remote checks, credentialed scans, and broad host-focused coverage without asking you to build an entire platform around it.

Where it works and where it doesn't

Nessus Essentials is a good fit when you want strong defaults and don't need to stretch the free tier too far. It's especially useful for students, solo operators, and small teams validating hosts, services, and patch posture.

Its limits matter, though. Free-tier terms, automation allowances, and usage scope can change, so you have to check Tenable's current conditions before building a process around it. It also isn't the right answer for teams that need broad continuous scanning at organisational scale.

If you're learning infrastructure scanning, Nessus Essentials is a good classroom. If you're running an estate, it's not the whole programme.

I wouldn't choose it over OpenVAS for someone committed to an open-source stack. I would choose it over OpenVAS for someone who wants faster setup and less operational overhead.

6. Nmap with NSE (Nmap Scripting Engine)

A common job looks like this. You inherit a subnet, a cloud security group changed last week, and nobody is fully sure what is exposed. That is the point where I reach for Nmap with NSE first.

Nmap earns its place in a free vulnerability scanner toolkit because it answers the first question fast: what is there, what is listening, and which services deserve a closer look? Add NSE vulnerability scripts and it can do more than discovery, but the primary value is still targeted validation rather than full lifecycle vulnerability management.

That distinction matters in this article's decision framework. For web apps, I would rather start with ZAP or Nikto. For broad host assessment, OpenVAS or Nessus gives better reporting and plugin-driven coverage. Nmap with NSE is the better pick when the task is scoping, confirming exposure, checking a specific service family, or building quick checks into an ops workflow.

Where Nmap with NSE fits best

Use it for situations like these:

  • Fast exposure checks: Confirm which hosts and ports are reachable before running heavier scans.
  • Service-focused verification: Run NSE scripts against SSH, SMB, TLS, DNS, HTTP, and other common services to spot known weaknesses or weak configuration.
  • Scriptable triage: Add scans to shell scripts, CI jobs, asset inventories, or change-validation routines.
  • Operator-led investigation: Test a suspicion quickly without standing up a larger platform.

The trade-off is accuracy versus depth. NSE often relies on service fingerprints, banners, protocol behaviour, or narrow script logic. That makes it very useful for validation, but it also means results can need manual review, especially when services are proxied, hardened, or deliberately quiet.

I would not hand Nmap output to leadership and call it a vulnerability programme. I would use it to tell me where to spend time next.

If you treat Nmap with NSE as a precision tool for network and infrastructure triage, it is one of the most practical free options available. If you need asset history, workflow, compliance reporting, and broad plugin coverage, choose one of the dedicated vulnerability managers in this category instead.
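The "fast exposure check" and "change-validation" jobs above come down to comparing what a scan saw with what the team expects to be listening. The script below is an added example, not part of Nmap: it parses the XML that `nmap -oX` writes (host, open ports, service banner, attached NSE script output), diffs it against an expected-exposure table, and reports both unexpected open ports and expected ports that were not seen. The XML sample, the addresses (documentation range 203.0.113.0/24) and the expected-exposure table are constructed assumptions for the example; in practice the table comes from the asset inventory or the security-group definition that changed.

```python
"""Exposure check over nmap XML output (added example, not part of nmap).

Runs offline on a constructed `nmap -sV -oX -` style sample. The idea: turn a scan
into {host: {"port/proto": details}}, compare it with what the team expects to be
listening, and surface anything unexpected together with any NSE script output
attached to those ports. Addresses use the 203.0.113.0/24 documentation range and
the EXPECTED table is an assumption for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output for two hosts (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 203.0.113.10 203.0.113.11">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="9.6"/>
        <script id="ssh2-enum-algos" output="kex_algorithms: (3)..."/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http" product="Jetty"/></port>
    </ports></host>
  <host><status state="up"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/>
        <service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>"""

# Assumed expected-exposure policy: host -> set of "port/proto" that may be open.
EXPECTED = {
    "203.0.113.10": {"22/tcp", "443/tcp"},
    "203.0.113.11": set(),  # should expose nothing on this interface
}


def parse_open_ports(xml_text):
    """Return {host: {"port/proto": {"service", "product", "scripts"}}} for open
    ports only; filtered and closed ports are not exposure."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports[f"{port.get('portid')}/{port.get('protocol')}"] = {
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                # NSE output stays attached to the port it was gathered from
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            }
        result[addr_el.get("addr")] = ports
    return result


def unexpected_exposure(xml_text, expected=EXPECTED):
    """List (host, port/proto, service) for open ports not in the expected table.
    A host missing from the table is treated as fully unexpected."""
    findings = []
    for host, ports in parse_open_ports(xml_text).items():
        allowed = expected.get(host, set())
        for key, info in sorted(ports.items()):
            if key not in allowed:
                findings.append((host, key, info["service"]))
    return findings


def missing_expected(xml_text, expected=EXPECTED):
    """Expected ports not seen open: the service may be down, or the scan may
    have been blocked, and both deserve a look before the diff is trusted."""
    seen = parse_open_ports(xml_text)
    return sorted((h, p) for h, allowed in expected.items()
                  for p in allowed if p not in seen.get(h, {}))


if __name__ == "__main__":
    # In practice: subprocess.run(["nmap", "-sV", "-oX", "scan.xml", *targets]) first.
    for finding in unexpected_exposure(SAMPLE_NMAP_XML):
        print("UNEXPECTED:", finding)
    for gap in missing_expected(SAMPLE_NMAP_XML):
        print("NOT SEEN:", gap)
```

Treating "filtered" as not exposed keeps the diff honest about what the scanner actually observed, and reporting missing expected ports separately catches the case where a firewall change made the whole scan blind rather than the estate suddenly clean.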

7. OpenSCAP

OpenSCAP sits in a different lane from most of the tools on this list. It's less about broad opportunistic discovery and more about policy-driven vulnerability and configuration assessment, especially on Linux and Unix systems. If your environment is audited, benchmarked, or expected to align with formal security baselines, OpenSCAP is often the better fit than a general-purpose network scanner.

Often, teams make the wrong tool choice. They run a broad vuln scan, get a pile of package issues, and assume they've covered compliance. They haven't. OpenSCAP is built for structured assessment against SCAP content such as OVAL and XCCDF profiles.

Best for audited Linux estates

Use OpenSCAP when the question is “does this host meet a defined baseline?” rather than “what can I discover from the network?” It's strong for machine-readable reporting and policy checks, and it integrates well in environments that already use enterprise Linux tooling.

Its drawbacks are practical:

  • Linux-first value: The strongest use cases are in Linux-heavy estates.
  • Content dependency: Good results depend on suitable SCAP content and profile choice.
  • Less helpful for broad discovery: It isn't your first tool for internet-facing reconnaissance.

OpenSCAP rewards disciplined operations. If your environment is informal, fast-moving, and largely cloud-managed, it may feel heavy. If you answer to auditors or internal control owners, it makes far more sense.
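Because OpenSCAP's value is machine-readable baseline results, the natural automation step is to read the XCCDF results file and decide whether a host meets the baseline. The script below is an added example, not OpenSCAP project code: it assumes the XCCDF 1.2 results that `oscap xccdf eval --profile <id> --results results.xml <content>` writes (a `TestResult` with one `rule-result` per rule and a `score`), counts outcomes, lists failing rules by severity, and keeps "notchecked" rules visible as gaps in evidence rather than counting them as passes. The XML is a constructed sample; the rule ids follow SCAP Security Guide naming conventions but are not taken from a real run.

```python
"""Summarise an OpenSCAP XCCDF results file (added example; not OpenSCAP project code).

Assumes XCCDF 1.2 results as written by
`oscap xccdf eval --profile <id> --results results.xml <content>`: a TestResult
holding one rule-result per rule (with idref, optional severity, and a result text)
plus a score element. The XML below is a constructed sample; rule ids mimic the
SCAP Security Guide naming but do not come from a real evaluation.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_example" start-time="2026-05-15T10:00:00" end-time="2026-05-15T10:02:00">
    <profile idref="xccdf_org.ssgproject.content_profile_example_baseline"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="medium"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high"><result>notchecked</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>"""

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


def rule_results(xml_text):
    """Return [(rule_id, result, severity)] from every TestResult in the file."""
    root = ET.fromstring(xml_text)
    rows = []
    for tr in root.iter(f"{{{NS['x']}}}TestResult"):
        for rr in tr.findall("x:rule-result", NS):
            res = rr.find("x:result", NS)
            text = res.text.strip() if res is not None and res.text else "unknown"
            rows.append((rr.get("idref"), text, rr.get("severity", "unknown")))
    return rows


def outcome_counts(xml_text):
    """Outcome histogram, e.g. {'fail': 2, 'pass': 1, 'notapplicable': 1, ...}."""
    return dict(Counter(res for _, res, _ in rule_results(xml_text)))


def failing_rules(xml_text, min_severity="medium"):
    """Failed rules at or above min_severity, highest severity first."""
    floor = SEVERITY_ORDER[min_severity]
    return sorted(((rid, sev) for rid, res, sev in rule_results(xml_text)
                   if res == "fail" and SEVERITY_ORDER.get(sev, 0) >= floor),
                  key=lambda t: (-SEVERITY_ORDER.get(t[1], 0), t[0]))


def score(xml_text):
    """(score, maximum) from the TestResult, or None if absent."""
    s = ET.fromstring(xml_text).find(".//x:score", NS)
    return (float(s.text), float(s.get("maximum", "100"))) if s is not None else None


def baseline_passes(xml_text, min_score=90.0):
    """Return (passed, score_percent, notchecked_rule_ids).

    Passes only with no high-severity failures and a score at or above min_score.
    'notchecked' rules are returned separately: they are missing evidence, not
    passes, and usually mean the content or the scan credentials need attention."""
    highs = failing_rules(xml_text, "high")
    sc = score(xml_text)
    pct = 100.0 * sc[0] / sc[1] if sc else 0.0
    unchecked = [rid for rid, res, _ in rule_results(xml_text) if res == "notchecked"]
    return (not highs and pct >= min_score, pct, unchecked)


if __name__ == "__main__":
    print(outcome_counts(SAMPLE_RESULTS))
    for rid, sev in failing_rules(SAMPLE_RESULTS):
        print(f"FAIL [{sev}] {rid}")
    print(baseline_passes(SAMPLE_RESULTS))
```

The split between "fail" and "notchecked" is what makes the result useful to an auditor: a host that scored well because half its rules were never evaluated is not the same thing as a host that meets the baseline.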

8. Google Tsunami Security Scanner

Google Tsunami Security Scanner is worth considering when you care more about confidence than breadth. Its plugin architecture is designed around targeted, high-severity detection, which gives it a different flavour from scanners that try to enumerate everything they can infer.

That makes Tsunami useful on internet-exposed systems where a smaller set of high-signal findings is more valuable than a longer report full of maybes. It's also easy to run in containers, which lowers the friction for modern teams.

Why teams like it

Tsunami is a good fit for exposed asset assessment and focused service checks. It tends to work best when you already know the target set and want a confidence-oriented pass over it.

What to expect:

  • Signal-first design: Better when false-positive tolerance is low.
  • Extensibility: Plugins let you add modern checks quickly.
  • Container-friendly workflow: Useful for teams already operating through Docker-based tooling.

The downside is obvious. It's not as broad as older, full-stack vulnerability management tools. If your need is full host inventory, compliance coverage, or deep credentialed auditing, Tsunami won't replace those platforms.

Category 3: Cloud-Native & Code Scanners

A common failure pattern looks like this: the host passes a network scan, the web app passes a quick DAST check, and the release still ships with a vulnerable base image or a risky Kubernetes manifest. That is the gap this category addresses. Cloud-native and code scanners check the parts of the stack that live in repositories, build pipelines, container registries, and deployment config.

For teams running containers, Kubernetes, APIs, and infrastructure as code, these tools belong earlier in the delivery process. They help catch vulnerable packages, weak image choices, exposed secrets, and unsafe defaults before those issues become production incidents. In practice, that means fewer last-minute release blockers and fewer surprises after deployment.

The decision point is straightforward. Pick a cloud-native scanner when the control point is the artifact or the config, not the running service.

What to prioritise here

The strongest free options in this category usually fit one of two jobs:

  • Package and image scanning: Find vulnerable dependencies, OS packages, and base image problems.
  • Configuration and IaC scanning: Catch risky settings in Kubernetes manifests, Terraform, Dockerfiles, and similar build-time assets.

There is a real trade-off here. These tools are strong at software composition and configuration analysis, but they do not exercise live application behaviour. They will not show how an authentication flow breaks under attack or how input handling behaves at runtime. That is why this category works best as part of a decision framework. Use cloud-native scanners to secure what you build and ship. Use DAST and infrastructure scanners to assess what is already running.

9. Aqua Trivy

Aqua Trivy has become the default recommendation for many cloud-native teams because it's fast, easy to install, and broad enough to cover modern delivery pipelines without turning setup into its own project. It scans container images, filesystems, repositories, SBOMs, Kubernetes targets, and infrastructure-as-code definitions from a single toolchain.

That breadth is a key benefit. A lot of teams don't need a dozen specialist scanners on day one. They need one reliable free vulnerability scanner that can slot into CI and start producing useful output the same afternoon.

Why Trivy often wins the first slot

Trivy works especially well when:

  • You need fast feedback: It's friendly to CI and local developer use.
  • You scan more than images: IaC, repos, and Kubernetes support broaden its value.
  • You want one tool to start with: It covers enough ground to establish a habit.

Its limits are just as important. Trivy is strongest in software composition and configuration analysis. It isn't a network scanner, and it won't test live application logic the way ZAP can.

Start with Trivy if your build pipeline is the control point. Start with ZAP if your running application is the concern.

If your team ships containers weekly and changes infrastructure constantly, Trivy gives you the shortest path from “we should be scanning this” to “we are scanning this”.

10. Anchore Grype

Anchore Grype is a strong alternative when your workflow already values SBOMs and package-level accuracy. It scans images, directories, archives, and SBOM inputs, and it pairs particularly well with Syft for teams that want clearer dependency inventories before vulnerability matching.

That pairing is the point. Grype is often at its best when it's part of a slightly more deliberate software supply chain workflow rather than a one-command quick check. If your team cares about provenance, reproducibility, and package visibility, Grype fits naturally.

When Grype is the better choice

Choose Grype over Trivy when your process revolves around SBOM-first scanning or when you want flexible input types tied to package inventory. It's also a good complement rather than a replacement, especially if you want a second opinion on image findings.

Its constraints are straightforward:

  • Dependency-focused: Best for packages and image contents.
  • Workflow maturity helps: SBOM generation improves output quality.
  • Not a runtime or network tool: You'll still need other scanners around it.

For teams building a more disciplined container security process, Grype is a solid tool. For teams that want the fastest single-binary starting point, Trivy is usually easier.
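Running Trivy and Grype side by side, as the "second opinion" idea above suggests, only helps if the pipeline can merge their output and apply the same triage decisions to both. The script below is an added example and not Trivy's or Grype's own code: it assumes the JSON each tool writes (`trivy image -f json -o trivy.json IMAGE` gives `Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`; `grype IMAGE -o json` gives `matches[]` with `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.versions` and `artifact.name`/`artifact.version`), normalises both into one finding shape, deduplicates, applies a suppression list with expiry dates, and returns the gate decision. The reports, the image name, the suppression entries and the date are all constructed, and the CVE ids are placeholders of the form CVE-0000-000N.

```python
"""Release gate over Trivy and Grype JSON reports (added example; not Trivy's or Grype's code).

Both scanners are run with JSON output in the pipeline:
    trivy image -f json -o trivy.json IMAGE
    grype IMAGE -o json > grype.json
This normalises both formats to one tuple shape, merges them, applies a time-limited
suppression list for findings the team has already triaged, and decides whether the
build may proceed. Reports, suppressions and date below are constructed; CVE ids are
placeholders (CVE-0000-000N), not real identifiers.
"""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "NEGLIGIBLE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
ASSUMED_TODAY = date(2026, 5, 15)  # a real pipeline passes date.today()

SAMPLE_TRIVY = json.dumps({
    "ArtifactName": "registry.example.test/app:1.4.0",
    "Results": [
        {"Target": "registry.example.test/app:1.4.0 (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.11-1",
              "FixedVersion": "3.0.13-1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib1g", "InstalledVersion": "1.2.13-1",
              "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests", "InstalledVersion": "2.25.0",
              "FixedVersion": "2.31.0", "Severity": "CRITICAL"}]},
    ],
})

SAMPLE_GRYPE = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["3.0.13-1"], "state": "fixed"}},
         "artifact": {"name": "libssl3", "version": "3.0.11-1", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "curl", "version": "7.88.1-10", "type": "deb"}},
    ],
})

# Triaged findings: id -> (reason, expiry). An expired entry stops suppressing, so
# accepted risk is re-examined instead of silently living in the pipeline forever.
SAMPLE_SUPPRESSIONS = {
    "CVE-0000-0001": ("libssl: patched base image scheduled, tracked in backlog", date(2026, 6, 30)),
    "CVE-0000-0004": ("curl: affected feature not compiled in", date(2026, 1, 31)),
}


def from_trivy(text):
    """Normalise Trivy JSON to [(id, package, installed, fixed_or_None, SEVERITY, source)]."""
    out = []
    for result in json.loads(text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append((v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                        v.get("FixedVersion") or None, v["Severity"].upper(), "trivy"))
    return out


def from_grype(text):
    """Normalise Grype JSON to the same tuple shape."""
    out = []
    for m in json.loads(text).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fixed = (vuln.get("fix") or {}).get("versions") or []
        out.append((vuln["id"], art["name"], art["version"],
                    fixed[0] if fixed else None, vuln["severity"].upper(), "grype"))
    return out


def merge(*finding_lists):
    """Deduplicate on (id, package); keep the highest severity any scanner reported."""
    merged = {}
    for f in (x for lst in finding_lists for x in lst):
        key = (f[0], f[1])
        if key not in merged or SEVERITY_RANK[f[4]] > SEVERITY_RANK[merged[key][4]]:
            merged[key] = f
    return sorted(merged.values(), key=lambda f: (-SEVERITY_RANK[f[4]], f[0]))


def gate(findings, suppressions, today=ASSUMED_TODAY, fail_on="HIGH", require_fix=False):
    """Return (passed, blocking, suppressed, expired).

    Findings below fail_on never block. With require_fix=True, only findings that
    have a fix available block, so the gate points at actionable work; unfixed ones
    are still in `findings` for reporting."""
    threshold = SEVERITY_RANK[fail_on]
    blocking, suppressed, expired = [], [], []
    for f in findings:
        vid, _pkg, _installed, fixed, sev, _src = f
        if SEVERITY_RANK[sev] < threshold or (require_fix and fixed is None):
            continue
        if vid in suppressions:
            reason, until = suppressions[vid]
            if today <= until:
                suppressed.append((vid, reason))
                continue
            expired.append((vid, until.isoformat()))
        blocking.append(f)
    return (not blocking, blocking, suppressed, expired)


if __name__ == "__main__":
    findings = merge(from_trivy(SAMPLE_TRIVY), from_grype(SAMPLE_GRYPE))
    passed, blocking, suppressed, expired = gate(findings, SAMPLE_SUPPRESSIONS)
    for f in blocking:
        print("BLOCK:", f)
    print("suppressed:", suppressed, "expired:", expired)
    raise SystemExit(0 if passed else 1)
```

Expiring suppressions are the design choice to copy even if nothing else is: the day an accepted-risk entry lapses, the finding blocks again and someone has to re-decide, which is the "suppress findings they have already triaged" discipline without the drift.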

12 Free Vulnerability Scanners Compared

| Tool | Core & key features | Quality / UX | Pricing & value | Target audience | Unique selling point |
|---|---|:---:|---|---|---|
| OWASP ZAP (Zed Attack Proxy) | DAST for web/APIs; proxy/intercept; CI automation & add-ons | ★★★★ | Free, open-source | Devs, QA, pentesters | Extensible DAST with strong CI hooks |
| Nikto | Signature-driven web-server checks; fast CLI scans | ★★★ | Free, low friction | Ops, quick triage, pentesters | Fast baseline for obvious server misconfigs |
| Category: Network & Infrastructure Scanners | External/internal host & network vuln coverage | ★★★★ | Mostly free/community or SaaS tiers | SecOps, infra teams | Broad host/network vulnerability focus |
| Greenbone OpenVAS (Community) | Auth/unauth scans, large plugin feed, web UI | ★★★★ | Free (community) | SecOps, internal auditors | Mature, extensive plugin coverage |
| Qualys Community Edition (VM + WAS) | SaaS VM + WAS for small asset sets; cloud agents | ★★★★ | Free tier (strict asset limits) | Startups, small infra teams | Enterprise-grade engine & reporting (SaaS) |
| Tenable Nessus Essentials | Remote & credentialed checks; rich plugin library | ★★★★ | Free (limited/educational) | Students, small labs, learners | Widely recognised detection ecosystem |
| Nmap with NSE | Network discovery + vuln scripts (NSE) | ★★★★ | Free, lightweight | Network engineers, pentesters | Ubiquitous discovery + scriptable checks |
| OpenSCAP | SCAP-based compliance (OVAL/XCCDF); machine reports | ★★★★ | Free | Compliance-focused orgs (Linux) | NIST/CIS/DISA-aligned automated compliance |
| Google Tsunami Security Scanner | Plugin-driven, high-confidence network checks | ★★★★ | Free, extensible | SecOps, engineers needing low-noise detections | High-signal plugin architecture |
| Aqua Trivy | Image/FS/IaC/SBOM scanning; fast DB updates, CI-friendly | ★★★★★ | Free OSS (commercial options) | Cloud-native devs, CI pipelines | Fast, all-in-one cloud-native scanner & SBOM support |
| Anchore Grype | Image & SBOM vuln scanning; multiple data sources | ★★★★ | Free OSS | DevOps, security teams for images | Flexible SBOM/input support for accurate results |

Final Thoughts

A free vulnerability scanner earns its place when it answers a specific question in your workflow.

A developer pushes a release on Friday afternoon. Security needs to know whether the new API endpoints behave safely, whether the container image pulled in a bad package, whether the exposed host has obvious weaknesses, and whether the Linux build still meets policy. That is four different jobs. Teams get better results when they choose scanners the same way they assign people: by specialty.

The practical way to use this list is as a decision framework. Pick a web app scanner when the risk sits in application logic and input handling. Pick a network or infrastructure scanner when you need host exposure, service discovery, or credentialed checks. Pick a cloud-native or code scanner when the core problem is in images, dependencies, IaC, or SBOM workflows. Each tool here has a lane: ZAP for application testing, Trivy for dependencies and images, Nmap for discovery, OpenSCAP for compliance, and OpenVAS or Nessus for broader host assessment.

For day-to-day work, the choices are usually straightforward. ZAP is the default starting point for web apps and APIs because it supports both quick checks and deeper testing. Nikto still helps when you want a fast look at common web server issues without much setup. On the infrastructure side, OpenVAS gives broad coverage and suits teams that want an open-source platform they can keep running internally. Nessus Essentials is easier for small labs and learning environments. Nmap stays in the toolkit because discovery and validation shape every scan that follows. In cloud-native environments, Trivy is often the first pick for CI pipelines, while Grype fits better where SBOM-driven review is already part of the process.

Process decides whether these tools help or just create noise. Good teams run them on a schedule, scope them carefully, suppress findings they have already triaged, and feed the useful results into patching, backlog review, and release gates.

A sensible starter stack for many teams looks like this:

  • Web app and API testing: ZAP
  • Quick web server baseline: Nikto
  • Network discovery and validation: Nmap
  • Broad host scanning: OpenVAS or Nessus Essentials
  • Linux compliance checks: OpenSCAP
  • Container and IaC scanning: Trivy
  • SBOM-based dependency review: Grype

That stack will not cover every edge case. It does give smaller teams a workable baseline that catches a lot of routine exposure before it turns into an incident.

If your environment is built around Supabase, Firebase, or mobile apps, generic scanners usually leave blind spots around backend rules, exposed RPCs, mobile secrets, and platform-specific misconfigurations. AuditYour.App is relevant in that case because it focuses on Supabase, Firebase, and mobile application issues such as exposed RLS rules, public or unprotected RPCs, leaked API keys, hardcoded secrets, and related configuration mistakes. It complements the broader scanners in this guide by covering a narrower set of risks in more detail.

Use free scanners to build meaningful coverage and verify your security posture. Run them often. Scope them properly. Fix the findings that matter. Then scan again.

