State of Open-Source AppSec Tools
Data-driven analysis of 140 AppSec tools: open-source vs. commercial split, GitHub star rankings, category trends, and license distribution.
Methodology
This analysis is based on our own dataset: 140 application security tools reviewed on AppSec Santa across 10 categories. For each tool, we track the name, category, license type, status (active, deprecated, acquired, renamed), GitHub repository URL, and GitHub star count where applicable.
The data was extracted directly from the tool review pages on this site in February 2026. GitHub star counts are approximate and were last updated in early 2026.
Definitions used in this analysis:
- Open-source: The tool’s core functionality is available under an OSI-approved license (Apache 2.0, MIT, LGPL, GPL, AGPL) at no cost.
- Freemium: A free tier or community edition exists, but significant features require a paid license.
- Commercial: The tool requires a paid license for any meaningful use. Free trials do not count.
We classified each tool based on its primary license. Tools like Semgrep (LGPL-2.1 CLI with a commercial platform) are counted as open-source for the CLI component and noted where the commercial platform adds significant capability.
Dataset overview
Total tools tracked: 140
By status:
| Status | Count | Percentage |
|---|---|---|
| Active | 129 | 92.1% |
| Deprecated | 6 | 4.3% |
| Acquired | 4 | 2.9% |
| Renamed | 1 | 0.7% |
129 active tools make up the current market. The deprecated tools (Reshift, ThreadFix, OpenRASP, Hdiv, Contrast Community Edition, Rebuff) show where the market has moved on. The acquisitions (Probely, Signal Sciences, Qwiet AI, Traceable AI) point to consolidation in DAST, RASP, SCA, and API Security.
Category breakdown
| Category | Tool Count | % of Total |
|---|---|---|
| DAST | 29 | 20.7% |
| SAST | 26 | 18.6% |
| SCA | 23 | 16.4% |
| ASPM | 12 | 8.6% |
| AI Security | 11 | 7.9% |
| Mobile | 9 | 6.4% |
| IAST | 9 | 6.4% |
| RASP | 8 | 5.7% |
| API Security | 7 | 5.0% |
| IaC Security | 6 | 4.3% |
The three largest categories (DAST, SAST, SCA) account for 55.7% of all tools. These are the most established application security testing methods, and the market reflects decades of competition.
ASPM is the fourth-largest category despite being newer than most. The 12 tools tracked here reflect how quickly the market responded to the problem of managing findings from multiple scanners.
AI Security has 11 tools and is the fastest-growing category. Every tool in this category launched or became relevant in 2023-2025.
License distribution
We grouped the 140 tools into three buckets based on their licensing model.
| License Category | Count | Percentage |
|---|---|---|
| Commercial | 85 | 60.7% |
| Open-Source (Free) | 30 | 21.4% |
| Freemium / Hybrid | 25 | 17.9% |
Commercial tools (85) make up the majority. Checkmarx, Veracode, Fortify, Invicti, and Qualys WAS are all fully commercial with custom enterprise pricing.
Open-source tools (30) include both standalone projects and tools backed by commercial companies. Trivy (Aqua Security), Semgrep (Semgrep Inc.), ZAP (Checkmarx), and Checkov (Prisma Cloud) all have corporate sponsors funding development while keeping the core free.
Freemium/hybrid tools (25) offer a free tier or community edition with paid upgrades. Snyk (free for individuals, paid for teams), SonarQube (free Community Edition, paid Developer/Enterprise), StackHawk (free tier, paid Pro plan), and Dependabot (free on GitHub) follow this model.
License types among open-source tools
| License | Tool Count | Examples |
|---|---|---|
| Apache 2.0 | 9 | Trivy, ZAP, Checkov, Terrascan, OWASP Dep-Check |
| Unspecified Open-Source | 8 | Nuclei, MobSF, Nikto, Wapiti, Bandit |
| LGPL-2.1 | 3 | Semgrep, SpotBugs, Horusec |
| AGPL-3.0 | 1 | Renovate |
| Other / Mixed | 9 | Various |
Apache 2.0 dominates among open-source AppSec tools. Its permissive nature allows companies to embed these tools in commercial products, which is why corporate sponsors prefer it. The LGPL-2.1 license used by Semgrep allows proprietary rules and extensions while keeping the core engine open.
Open-source penetration by category
This is the most telling part of the analysis. The categories vary wildly in how much of the market is served by open-source tools.
| Category | Total | Open-Source | Freemium | Commercial | OSS % |
|---|---|---|---|---|---|
| IaC Security | 6 | 5 | 1 | 0 | 83% |
| AI Security | 11 | 5 | 2 | 4 | 45% |
| SCA | 23 | 6 | 5 | 12 | 26% |
| DAST | 29 | 7 | 2 | 20 | 24% |
| SAST | 26 | 8 | 3 | 15 | 31% |
| Mobile | 9 | 1 | 2 | 6 | 11% |
| ASPM | 12 | 2 | 0 | 10 | 17% |
| API Security | 7 | 0 | 1 | 6 | 0% |
| RASP | 8 | 1 | 0 | 7 | 13% |
| IAST | 9 | 0 | 1 | 8 | 0% |
Categories where open-source wins
IaC Security (83% open-source) is dominated by free tools. Trivy, Checkov, Terrascan, KICS, and Kubescape are all open-source. Only Snyk IaC operates on a freemium model. This makes sense when you think about it: IaC scanning is relatively straightforward (match patterns against known misconfigurations), the cloud-native community favors open tools, and the commercial opportunity is in platform features, not the scanner itself.
AI Security (45% open-source) reflects where the AI security space came from: research labs and open-source communities. Promptfoo, Garak, PyRIT, LLM Guard, and NeMo Guardrails are all open-source. The category is young enough that commercial vendors have not locked it down yet.
Categories where commercial dominates
IAST (0% open-source) has no meaningful open-source option. IAST requires deep instrumentation of application runtimes (JVM, CLR, Node.js), which takes serious engineering investment and ongoing language/framework support. Contrast Security, Seeker IAST, and HCL AppScan are all commercial.
API Security (0% open-source) is also commercial-only. API security needs traffic analysis, behavioral modeling, and real-time threat detection, all of which are expensive to build and maintain. Salt Security, Wallarm, and 42Crunch are the main players.
RASP (13% open-source) has one deprecated open-source option (OpenRASP) and is otherwise entirely commercial. Same pattern as IAST: runtime instrumentation is complex and commercially valuable.
GitHub star rankings
39 of the 140 tools tracked have public GitHub repositories with star counts. Here are the top 20.
| Rank | Tool | Category | Stars | License |
|---|---|---|---|---|
| 1 | Trivy | IaC Security | 31,700 | Apache 2.0 |
| 2 | Nuclei | DAST | 26,900 | Open-Source |
| 3 | Renovate | SCA | 20,700 | AGPL-3.0 |
| 4 | MobSF | Mobile | 20,300 | Open-Source |
| 5 | ZAP | DAST | 14,700 | Apache 2.0 |
| 6 | Semgrep | SAST | 14,100 | LGPL-2.1 |
| 7 | Grype | SCA | 11,500 | Open-Source |
| 8 | Kubescape | IaC Security | 11,200 | Apache 2.0 |
| 9 | Promptfoo | AI Security | 10,300 | Open-Source |
| 10 | SonarQube | SAST | 10,200 | Community Edition |
| 11 | Nikto | DAST | 10,100 | Open-Source |
| 12 | Gosec | SAST | 8,700 | Open-Source |
| 13 | Checkov | IaC Security | 8,500 | Apache 2.0 |
| 14 | Bandit | SAST | 7,800 | Open-Source |
| 15 | OWASP Dep-Check | SCA | 7,400 | Apache 2.0 |
| 16 | Brakeman | SAST | 7,200 | Open-Source |
| 17 | Garak | AI Security | 6,938 | Open-Source |
| 18 | Faraday | ASPM | 6,200 | Open-Source |
| 19 | NeMo Guardrails | AI Security | 5,600 | Open-Source |
| 20 | PMD | SAST | 5,300 | Open-Source |
What the numbers show
Trivy’s lead is large. At 31,700 stars, it has 18% more than second-place Nuclei. The reason is breadth: Trivy handles SCA, container scanning, and IaC in one tool, so it replaces multiple scanners. If you only adopt one tool, Trivy is often it.
DAST tools punch above their weight in star counts. Nuclei (26,900), ZAP (14,700), and Nikto (10,100) take three of the top 11 spots. The DAST category benefits from both professional pentesters and hobbyist security researchers, which inflates stars relative to tools used mainly in enterprise CI/CD pipelines.
AI Security is moving fast. Promptfoo (10,300 stars) already outpaces established tools like Nikto and Gosec despite being much newer. Garak (6,938) and NeMo Guardrails (5,600) are accumulating stars quickly as organizations get serious about LLM security.
SAST is the most represented category in the top 20. Five appear: Semgrep, SonarQube, Gosec, Bandit, and Brakeman. That reflects how broad the need for static analysis is across programming languages and frameworks.
New entrants (2025-2026)
Fifteen tools in our dataset are flagged as recent additions, showing where the market is actively growing.
| Tool | Category | License | GitHub Stars |
|---|---|---|---|
| Promptfoo | AI Security | Open-Source | 10,300 |
| Garak | AI Security | Open-Source | 6,938 |
| DeepTeam | AI Security | Open-Source | 1,277 |
| PyRIT | AI Security | Open-Source | 3,400 |
| Lakera Guard | AI Security | Commercial | - |
| Protect AI Guardian | AI Security | Commercial | - |
| Qodana | SAST | Commercial (Free tier) | - |
| Socket | SCA | Commercial (Free tier) | - |
| Seemplicity | ASPM | Commercial | - |
| Apiiro | ASPM | Commercial | - |
| Horusec | SAST | Open-Source | 1,300 |
| StackHawk | DAST | Freemium | - |
| Dastardly | DAST | Free | 300 |
| Talsec | Mobile | Freemium | 469 |
| Codacy | SAST | Commercial | 113 |
The pattern is hard to miss: AI Security accounts for 6 of the 15 new entrants (40%). It is the only category experiencing rapid expansion. The other new entries are scattered across existing categories, representing incremental additions rather than new market formation.
Among the new entrants, the AI Security tools are overwhelmingly open-source (4 of 6), while the tools in other categories lean commercial. This mirrors the broader pattern in the open-source analysis: new categories start open, established categories are commercial.
Where commercial vendors dominate
Three categories are commercial strongholds with weak or nonexistent open-source alternatives.
IAST: zero open-source options
Interactive Application Security Testing requires runtime instrumentation agents that hook into the JVM, CLR, or Node.js runtime. Building and maintaining these agents across language versions and frameworks is expensive. The market is entirely commercial: Contrast Security, Seeker IAST, HCL AppScan, Fortify WebInspect, and others.
The closest open-source analog is running SAST + DAST together, which provides overlapping coverage but lacks IAST’s ability to observe data flow through the application at runtime.
RASP: one deprecated option
OpenRASP by Baidu was the only notable open-source RASP tool, and it has been deprecated. The RASP market is now entirely commercial, led by Contrast Protect, Imperva RASP, and Waratek.
RASP faces a broader market challenge: many organizations question whether runtime agents belong in production. The security overhead, performance impact, and operational complexity make RASP a harder sell than shift-left approaches like SAST and SCA. This commercial-only market may reflect limited total demand rather than a lack of open-source interest.
API Security: platform complexity
API security tools need to analyze API traffic, build behavioral models, detect anomalies, and enforce policies at runtime. This is closer to a security platform than a scanner, and platforms tend to be commercial. Salt Security, Wallarm, 42Crunch, and Traceable AI all operate on commercial models.
Open-source API scanning exists in adjacent tools (ZAP can scan APIs, Nuclei has API templates), but dedicated API security platforms remain commercial.
Trends
1. Open-source core, commercial platform
The model that works best in 2026 is an open-source scanning engine with a commercial management platform layered on top. Semgrep (LGPL CLI + commercial Cloud), Snyk (open-source integrations + commercial platform), and Trivy (Apache 2.0 scanner + Aqua commercial platform) all follow this pattern. Users get a free starting point; vendors capture enterprise revenue through governance, policy, and reporting features.
2. AI Security is where the growth is
Six of 15 new entrants are AI Security tools. The category barely existed before 2023 and now has 11 tools, 5 of them open-source. LLM red-teaming (Promptfoo, Garak, PyRIT) and LLM guardrails (NeMo Guardrails, LLM Guard) are the two main subcategories. This will likely be the fastest-growing category through 2027.
3. Consolidation is accelerating
Four tools in our dataset were acquired: Probely (DAST), Signal Sciences (RASP), Qwiet AI (SCA), and Traceable AI (API Security). Six more are deprecated. Vendors like Checkmarx, Snyk, and Veracode are buying specialized tools to build comprehensive platforms. Standalone point solutions are increasingly becoming acquisition targets rather than independent companies.
4. IaC Security is commoditized
With 83% open-source penetration and every major cloud security platform bundling IaC scanning, standalone IaC security is effectively a commodity. The remaining commercial opportunity is in policy management and compliance reporting, not in the scanner itself.
5. DAST stays fragmented
Despite being the largest category (29 tools), DAST has not consolidated. The category spans too many use cases: manual penetration testing (Burp Suite), automated CI/CD scanning (StackHawk), infrastructure scanning (Nikto), and template-based scanning (Nuclei). That diversity keeps the market fragmented with room for both open-source and commercial tools.
Frequently asked questions
- How many open-source AppSec tools are there?
- Which open-source AppSec tool has the most GitHub stars?
- Is the AppSec market becoming more or less open-source?
- Which AppSec category has the most tools?
- What licenses do open-source AppSec tools use?
- How reliable is GitHub star count as a popularity metric?

Suphi Cankurt is an application security enthusiast based in Helsinki, Finland. He reviews and compares 129 AppSec tools across 10 categories on AppSec Santa.