We pulled GitHub data for every open-source application security tool listed on AppSec Santa — 65 projects across 8 categories — and ran the numbers on stars, forks, contributors, release cadence, issue resolution times, and package downloads.
The goal: give security teams a data-backed view of which open-source AppSec tools have real community traction, which are well-maintained, and which might be falling behind.
All data was collected via the GitHub API and public package registries in February 2026. The Linux Foundation’s Census III highlighted that a large share of critical software depends on a small number of open-source maintainers — a finding our health score data confirms for the AppSec space.
Key findings
Stars by category
GitHub stars are an imperfect popularity metric, but they give a rough sense of community interest. Here is how stars distribute across categories.
Mobile security leads in raw star count because it includes Ghidra (64K), Jadx (47K), mitmproxy (42K), and Frida (20K), tools used far beyond mobile reverse engineering. SAST and IaC security follow, driven by the cloud-native security wave.
| Category | Tools | Total Stars | Avg Health Score |
|---|---|---|---|
| SCA | 9 | 67,176 | 61.6 |
| IaC Security | 13 | 100,000 | 56.7 |
| Mobile | 8 | 203,997 | 54.1 |
| SAST | 16 | 119,881 | 53.3 |
| ASPM | 3 | 10,801 | 53.3 |
| AI Security | 7 | 31,775 | 48.4 |
| RASP | 2 | 12,448 | 45.0 |
| DAST | 7 | 62,623 | 40.7 |
SCA tools have the highest average health score (61.6), which makes sense — dependency scanning sits at the center of supply chain security, a space that has seen sustained investment since the Log4Shell and XZ Utils incidents.
Top 20 projects by stars
Secrets detection tools punch well above their weight. Gitleaks (25K) and TruffleHog (25K) both rank in the top 10 — ahead of established scanners like ZAP and Semgrep. The supply chain security narrative and leaked credential incidents (CircleCI, LastPass, Okta) have made these tools essential in most CI/CD pipelines.
Promptfoo (10.5K stars) is the only AI security tool in the top 20, reflecting how new this category is. Most AI security projects launched in 2023-2024 and are still building community.
Language distribution
What programming languages are open-source AppSec tools written in?
| Language | Tools | Share |
|---|---|---|
| Go | 20 | 30.8% |
| Python | 14 | 21.5% |
| Java | 8 | 12.3% |
| TypeScript | 4 | 6.2% |
| C++ | 3 | 4.6% |
| Ruby | 2 | 3.1% |
| Other | 14 | 21.5% |
Go dominates the IaC and cloud-native security space (Trivy, Grype, Kubescape, Gitleaks, Kyverno). Python leads in AI security (PyRIT, NeMo Guardrails, LLM Guard) and traditional SAST/DAST. Java holds steady thanks to legacy scanners (SpotBugs, PMD, SonarQube, OWASP Dependency-Check).
TypeScript is the newcomer — Promptfoo and Renovate show that the JavaScript ecosystem is starting to produce security tooling with staying power.
License distribution
| License | Tools | Share |
|---|---|---|
| Apache-2.0 | 28 | 43.1% |
| NOASSERTION | 11 | 16.9% |
| MIT | 9 | 13.8% |
| GPL-3.0 | 6 | 9.2% |
| AGPL-3.0 | 3 | 4.6% |
| LGPL-2.1 / LGPL-3.0 | 4 | 6.2% |
| Other | 4 | 6.2% |
Apache-2.0 is the clear winner for AppSec tooling, favored by tools with commercial backing (Trivy by Aqua, Checkov by Palo Alto, Grype by Anchore). The NOASSERTION group includes tools with custom or dual licenses that GitHub could not classify automatically — many of these have commercial add-ons or source-available models.
The GPL family (GPL-2.0, GPL-3.0, AGPL-3.0) accounts for 10 tools combined: the 6 GPL-3.0 and 3 AGPL-3.0 tools in the table plus one GPL-2.0 tool counted under Other. Examples are Wapiti, MobSF and Faraday (GPL) and TruffleHog and Renovate (AGPL). For a scanner you only run in CI the copyleft terms rarely matter in practice, but AGPL does matter if you fork the tool and expose it to users as a network service.
Health score distribution
Our health score rates each tool on a 0-100 scale based on maintenance signals: recent commits, release frequency, contributor base, and issue response time. It is not a quality score — it measures whether the lights are on.
The bulk of tools (42 out of 65) fall in the 50-69 “fair” range — active enough to use but not at peak maintenance velocity. Only 7 tools score above 70 (Renovate, Trivy, Nuclei, TruffleHog, Promptfoo, ZAP, and Grype), all of which have dedicated full-time teams behind them.
No tool scored above 90. This is partly a limitation of our scoring model (the commit activity API returned incomplete data for some repos), but it also reflects reality: even well-funded open-source projects rarely hit peak marks across every maintenance dimension simultaneously.
Contributors and releases
Contributor count and release cadence tell you whether a project has a real team behind it or depends on one or two maintainers.
Top 10 by contributor count
Trivy, Renovate, and Kyverno all have 400+ contributors — a sign of genuine community-driven development. These are not single-company projects; they attract outside contributions consistently.
Fastest issue resolution
| Tool | Median Close Time | Category |
|---|---|---|
| Nikto | 0.7 days | DAST |
| Renovate | 0.9 days | SCA |
| OpenRASP | 1.0 days | RASP |
| Nuclei | 1.1 days | DAST |
| Graudit | 1.1 days | SAST |
| ZAP | 1.5 days | DAST |
| gosec | 2.7 days | SAST |
| Jadx | 2.9 days | Mobile |
| Trivy | 3.3 days | SCA |
| Horusec | 4.3 days | SAST |
Renovate and Nuclei stand out for combining large contributor bases with sub-2-day median issue close times. That combination of scale and responsiveness is rare in open-source security tooling.
Downloads and adoption
Stars measure attention. Downloads are a closer proxy for actual usage, with the caveat that they include CI and bot installs (see Limitations). We pulled monthly download counts from PyPI and npm, plus total Docker Hub pulls where available.
Top tools by Docker Hub pulls
OPA Gatekeeper (3.2B pulls) and Renovate (1.4B pulls) dwarf everything else. Gatekeeper runs as a long-lived admission controller in Kubernetes and Renovate as a recurring CI job, so every cluster rollout or pipeline run can add a pull. Docker pull counts accumulate over time and favor older projects, so they are a rough adoption proxy rather than a direct comparison.
Top tools by PyPI and npm monthly downloads
| Tool | Monthly Downloads |
|---|---|
| Semgrep | 39.3M |
| Checkov | 26.5M |
| Frida | 1.6M |
| Promptfoo (npm) | 409K |
| NeMo Guardrails | 222K |
| LLM Guard | 217K |
| Wapiti | 15.9K |
Semgrep’s 39.3M monthly PyPI downloads reflect its position as the default linter-style SAST tool in many Python/JS projects. Checkov at 26.5M shows how deeply IaC scanning has penetrated cloud engineering workflows. Bear in mind that a pip install in every CI run counts as a download, so tools wired into pipelines (Semgrep, Checkov) accumulate counts far faster than tools installed once on an analyst's machine. The AI security tools (NeMo Guardrails, LLM Guard) are already pulling 200K+ monthly downloads, impressive for tools that did not exist two years ago.
At-risk projects
Four tools scored below 20 on our health index, flagging potential maintenance concerns:
| Tool | Health Score | Last Push | Category | Note |
|---|---|---|---|---|
| Dastardly | 3 | Jul 2024 | DAST | GitHub Action wrapper only; the core product is commercial |
| w3af | 12 | Feb 2023 | DAST | No commits in 3 years; effectively unmaintained |
| Rebuff | 12 | Aug 2024 | AI Security | Early AI prompt injection detector; development stalled |
| detect-secrets | 17 | Mar 2025 | SAST | Yelp-maintained; last push March 2025, no releases in past year |
A low health score does not mean a tool is broken or insecure. Dastardly, for example, is a thin wrapper around PortSwigger’s commercial scanner — the real work happens elsewhere. But for tools like w3af, where no alternative maintainer has emerged, teams should evaluate migration paths.
Project age
Nearly half of all open-source AppSec tools (30 of 65) are 9+ years old. The field has matured — new entrants are rare unless they target a genuinely new problem space like AI security or supply chain integrity. The 14 tools in the 3-5 year bucket are predominantly cloud-native and AI security tools that rode the Kubernetes and LLM waves.
Related Research
How well is the web actually deploying security headers? We scanned 10,000 websites and scored them using Mozilla Observatory methodology — CSP adoption, HSTS deployment, grade distribution, and more.
Read: Security Headers Adoption Study 2026 →
Methodology
Data collection: We used the GitHub REST API (authenticated, 5000 req/hr) to collect repository metadata, contributor counts, release history, and issue statistics for every tool on AppSec Santa with a public GitHub repository. Download counts were pulled from PyPI (pypistats.org API), npm (api.npmjs.org), and Docker Hub (hub.docker.com API).
Scope: 65 tools with public GitHub repositories, across 8 categories. Commercial-only tools (Checkmarx, Veracode, Fortify, etc.) were excluded due to lack of public data.
Health score: A composite 0-100 score based on:
- Recency (25 pts): Days since last push to default branch
- Activity (25 pts): Commits in the last month
- Releases (20 pts): Number of releases in the past year
- Community (15 pts): Total contributor count
- Responsiveness (15 pts): Median time to close issues
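The page gives the five signals and their weights but not how each raw signal maps to points. The following is an added reference implementation, not the study's own `aggregate-oss-study.py`: the 25/25/20/15/15 weights come from the list above, while the per-signal curves (linear decay to zero at one year without a push, saturation at 50 commits/month, 12 releases/year, 100 contributors, and a 1-to-90-day band for median close time) are assumptions made here. It also shows how the responsiveness signal is derived from raw issue records, including the practitioner's gotcha that GitHub's issues endpoint returns pull requests too. The issue data and repo signals are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median
from typing import Optional


def _parse_ts(ts: str) -> datetime:
    """Parse a GitHub API timestamp such as '2026-01-10T12:00:00Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def median_close_days(issues: list) -> Optional[float]:
    """Median days from open to close over closed issues.

    GitHub's /repos/{owner}/{repo}/issues endpoint also returns pull requests
    (they carry a 'pull_request' key); those are skipped so PR merge times do
    not pollute the issue responsiveness signal. Returns None when no issue has
    been closed; the scorer treats that as missing data, not as a fast response.
    """
    durations = []
    for issue in issues:
        if "pull_request" in issue or not issue.get("closed_at"):
            continue
        delta = _parse_ts(issue["closed_at"]) - _parse_ts(issue["created_at"])
        durations.append(delta.total_seconds() / 86400)
    return median(durations) if durations else None


@dataclass
class RepoSignals:
    days_since_push: int                # Recency
    commits_last_month: int             # Activity
    releases_last_year: int             # Releases
    contributors: int                   # Community
    median_close_days: Optional[float]  # Responsiveness; None = no data


def _linear(value: float, full_at: float, zero_at: float, points: float) -> float:
    """Linear scale worth `points` at `full_at` and 0 at `zero_at`, clamped to [0, points]."""
    frac = (value - zero_at) / (full_at - zero_at)
    return points * min(1.0, max(0.0, frac))


def health_score(s: RepoSignals) -> int:
    """Composite 0-100 score. The weights are the page's; the curves are assumed."""
    recency = _linear(s.days_since_push, full_at=0, zero_at=365, points=25)
    activity = _linear(s.commits_last_month, full_at=50, zero_at=0, points=25)
    releases = _linear(s.releases_last_year, full_at=12, zero_at=0, points=20)
    community = _linear(s.contributors, full_at=100, zero_at=0, points=15)
    if s.median_close_days is None:
        responsiveness = 0.0  # no closed issues: no evidence of responsiveness
    else:
        responsiveness = _linear(s.median_close_days, full_at=1, zero_at=90, points=15)
    return round(recency + activity + releases + community + responsiveness)


# Constructed sample issues in the shape the GitHub issues API returns.
SAMPLE_ISSUES = [
    {"number": 1, "created_at": "2026-01-01T00:00:00Z", "closed_at": "2026-01-02T00:00:00Z"},
    {"number": 2, "created_at": "2026-01-01T00:00:00Z", "closed_at": "2026-01-03T00:00:00Z"},
    {"number": 3, "created_at": "2025-12-01T00:00:00Z", "closed_at": "2026-01-10T00:00:00Z"},
    {"number": 4, "created_at": "2026-02-01T00:00:00Z", "closed_at": None},  # still open
    {"number": 5, "created_at": "2026-01-05T00:00:00Z", "closed_at": "2026-01-05T06:00:00Z",
     "pull_request": {"url": "https://api.github.com/repos/example/repo/pulls/5"}},  # a PR, skipped
]

# Constructed signals for a well-maintained repo and a stale one.
ACTIVE = RepoSignals(days_since_push=2, commits_last_month=60, releases_last_year=24,
                     contributors=450, median_close_days=median_close_days(SAMPLE_ISSUES))
STALE = RepoSignals(days_since_push=1100, commits_last_month=0, releases_last_year=0,
                    contributors=40, median_close_days=None)

if __name__ == "__main__":
    print("median close days:", median_close_days(SAMPLE_ISSUES))
    print("active:", health_score(ACTIVE), "stale:", health_score(STALE))
```

With these curves the active repo scores 100 and the stale one scores 6, entirely from its 40 contributors: the community signal is the only one that does not decay, which is why a dead project with a large historical contributor base never quite reaches zero.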
Limitations: GitHub commit activity data was incomplete for some repositories (the statistics API returns 202 on first request and requires polling). Docker Hub pull counts are cumulative and favor older tools. PyPI/npm downloads include CI bot traffic, not just human installs. Stars can be gamed. This dataset is a snapshot from February 2026 and will change over time.
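The 202 behaviour in the limitations above is the usual cause of holes in commit-activity data: GitHub's statistics endpoints answer 202 with an empty body while they compute the result in the background, and a collector that treats that as "no data" silently under-scores the repo. The following is an added example in Python, not the study's `collect-github-data.js`, of polling `/repos/{owner}/{repo}/stats/commit_activity` until it returns 200 and summing the most recent weekly buckets. The HTTP transport is injectable so the retry logic can be exercised offline; the weekly data and the scripted responses are constructed, and the `GITHUB_TOKEN` environment variable name is this example's choice.

```python
import json
import os
import time
import urllib.error
import urllib.request
from typing import Callable, Optional

# A transport performs a GET and returns (status_code, body_text).
Transport = Callable[[str], tuple]


def urllib_transport(url: str) -> tuple:
    """Real transport: authenticated GitHub GET using the standard library."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "User-Agent": "appsec-oss-study-example",
    })
    token = os.environ.get("GITHUB_TOKEN")  # assumed variable name
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def fetch_commit_activity(owner: str, repo: str, transport: Transport = urllib_transport,
                          attempts: int = 6, delay: float = 2.0,
                          sleep: Callable[[float], None] = time.sleep) -> Optional[list]:
    """Return the 52 weekly buckets, or None if stats never became available."""
    url = f"https://api.github.com/repos/{owner}/{repo}/stats/commit_activity"
    for attempt in range(attempts):
        status, body = transport(url)
        if status == 200:
            return json.loads(body)
        if status == 202:
            # Stats not cached yet; GitHub is computing them. Back off and retry.
            sleep(delay * (attempt + 1))
            continue
        # 404, 403 (rate limit), 5xx: give up so the caller records missing data.
        return None
    return None  # still 202 after every attempt


def commits_in_last_weeks(activity: list, weeks: int = 4) -> int:
    """Sum 'total' over the most recent `weeks` buckets (each has 'week', a unix
    timestamp for the start of the week, and 'total')."""
    recent = sorted(activity, key=lambda w: w["week"])[-weeks:]
    return sum(w["total"] for w in recent)


def make_fake_transport(responses: list) -> Transport:
    """Offline transport replaying scripted (status, body) pairs; the last one repeats."""
    calls = []

    def transport(url: str) -> tuple:
        calls.append(url)
        return responses[min(len(calls) - 1, len(responses) - 1)]

    transport.calls = calls
    return transport


# Constructed sample: five of the weekly buckets GitHub returns, oldest first.
SAMPLE_ACTIVITY = json.dumps([
    {"week": 1767571200, "total": 7, "days": [0, 2, 1, 1, 3, 0, 0]},
    {"week": 1768176000, "total": 4, "days": [1, 0, 1, 2, 0, 0, 0]},
    {"week": 1768780800, "total": 0, "days": [0, 0, 0, 0, 0, 0, 0]},
    {"week": 1769385600, "total": 9, "days": [2, 2, 2, 1, 2, 0, 0]},
    {"week": 1769990400, "total": 5, "days": [1, 1, 1, 1, 1, 0, 0]},
])

if __name__ == "__main__":
    # Two 202s, then the data: the collector must keep polling, not record zero.
    fake = make_fake_transport([(202, ""), (202, ""), (200, SAMPLE_ACTIVITY)])
    activity = fetch_commit_activity("example", "repo", transport=fake, sleep=lambda s: None)
    print("requests made:", len(fake.calls))
    print("commits in last 4 weeks:", commits_in_last_weeks(activity))
```

Distinguishing "still 202 after all attempts" from a genuine 200 with zero commits is the point: the first should be recorded as missing and excluded from the Activity signal, otherwise a busy repo can be scored as if it were idle.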
Reproducibility: All data collection scripts and raw datasets are available in the AppSec Santa research repository. Run `node scripts/collect-github-data.js`, then `node scripts/collect-downloads.js`, then `python3 scripts/aggregate-oss-study.py` to regenerate the dataset.