Three lists, three rules
AppSec Santa runs three kinds of lists, and a tool can qualify for one without qualifying for the others.
- Open-source X tools (e.g. /open-source-sca-tools) — the core scanner is licensed under an OSI-approved licence, runs locally without a vendor account, and its source repository is public.
- Free X tools (e.g. /free-dast-tools) — a meaningful free tier or community edition exists with publicly documented limits. Not a 14-day trial, not a request-access gate.
- Commercial X tools (the main category page) — the vendor maintains a current product page with feature documentation and either public pricing or a documented sales process. Inclusion here is a baseline, not a recommendation.
Examples
| Tool | Open-source list | Free list | Commercial list |
|---|---|---|---|
| Trivy | ✓ | ✓ | — |
| Snyk Open Source | — | ✓ | ✓ |
| Checkmarx One | — | — | ✓ |
How to submit a tool
Use the contact form and include the tool name, the list URL you’re asking to appear on, and a link I can verify the claim from (licence file, pricing page, public repo).
Submission is free and separate from sponsorship — the sponsorship page explains why those channels are kept apart. I read every submission and reply with a decision or a clarifying question.
Disagreements
If you think a tool was wrongly included or excluded, email suphi@cnt.fi with the criterion and the evidence. Factual corrections are acted on quickly. Editorial judgements (where in a list a tool sits) are reviewed but not negotiated.