
Table of contents

  1. Nessus
  2. OpenVAS
  3. Nmap
  4. Qualys
  5. Trivy
  6. Syft
  7. Grype
  8. Lynis
  9. Checkov
  10. kubescape
  11. PurplePanda
  12. CDK
  13. cs-suite
  14. pacu

Vulnerability Assessment

Vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an organization’s IT systems, applications, and infrastructure. The goal of vulnerability assessment is to provide organizations with a comprehensive view of their security posture, allowing them to identify and prioritize security risks and take steps to remediate them.

In the context of DevSecOps, vulnerability assessment is a critical component of a comprehensive security strategy. By regularly scanning for vulnerabilities and identifying potential security risks, organizations can take proactive steps to secure their applications and infrastructure.

Some of the key benefits of vulnerability assessment in DevSecOps include:

  1. Early detection of vulnerabilities: By regularly scanning for vulnerabilities, organizations can detect potential security risks early on, allowing them to take swift action to remediate them.

  2. Improved risk management: Vulnerability assessments provide organizations with a comprehensive view of their security posture, allowing them to identify and prioritize security risks and take steps to mitigate them.

  3. Compliance: Many regulatory requirements, such as PCI DSS and HIPAA, require regular vulnerability assessments as part of their compliance standards.

  4. Integration with other DevSecOps practices: Vulnerability assessment can be integrated with other DevSecOps practices, such as continuous integration and continuous deployment, to ensure that security is built into the application development lifecycle.

There are a variety of vulnerability assessment tools and technologies available that can be used in DevSecOps, including both commercial and open-source solutions. Some popular vulnerability assessment tools include Nessus, Qualys, and OpenVAS.

Best practices for vulnerability assessment:

  1. Conduct regular vulnerability assessments to identify potential weaknesses and misconfigurations in your network and infrastructure.

  2. Use a combination of automated and manual vulnerability scanning techniques to ensure comprehensive coverage.

  3. Prioritize and remediate vulnerabilities based on their severity and potential impact on your organization.

  4. Regularly update and patch software and systems to address known vulnerabilities.

  5. Use segmentation and isolation to limit the spread of attacks in case of a successful breach.


Nessus

Nessus (Tenable) is a commercial vulnerability scanner that identifies vulnerabilities and misconfigurations in hosts, network devices and web servers. Scans are normally defined and launched from the web UI or its REST API; nessuscli is primarily used for installation, registration, updates and user management, so check the output of nessuscli help for the subcommands your version actually supports before scripting against it. The target list (-t) has to be filled in with the hosts or ranges to scan.

nessuscli scan new -n "My Scan" -t "<targets>" -T "Basic Network Scan"


OpenVAS

An open-source vulnerability scanner, now part of Greenbone Vulnerability Management (GVM), that identifies vulnerabilities and misconfigurations in your network and infrastructure. The command below uses the legacy omp client to connect to the manager on port 9390 and list the existing scan tasks (-G); current releases are driven with gvm-cli and the GMP protocol instead. Passing the password with -w leaves it in the process list and in shell history, so outside a lab prefer the client's configuration file or an interactive prompt.

omp -u admin -w password -h localhost -p 9390 -G


Nmap

A network exploration and port scanner that identifies open ports and running services and, with -A, adds OS detection, version detection, the default NSE scripts and a traceroute. -sS is a TCP SYN (half-open) scan and needs raw-socket privileges, so run it as root or with the appropriate capability; -p1-65535 covers every TCP port, which is thorough but slow and noisy. Add -oX <file> to keep machine-readable XML output for later processing or for diffing against a previous scan.

nmap -sS -A -p1-65535 <target>
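The useful follow-up to a full-port scan is comparing what is actually exposed with what is supposed to be exposed. The following is an added example, not code from the page or from the Nmap project: it parses the XML that nmap writes with -oX, keeps only ports in the open state, and reports anything not on a per-host allowlist. The XML document and the EXPECTED_EXPOSURE allowlist are constructed for the example and are not from a real scan.

```python
"""Parse nmap XML output (-oX) and flag open ports that are not on an
expected-exposure allowlist.  Added example; the XML below is constructed
to mimic nmap's -oX layout and does not come from a real scan."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX schema (host/address/ports/port/state/service).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX - 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical allowlist: the (protocol, port) pairs each host is supposed to expose.
EXPECTED_EXPOSURE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
}


def parse_open_ports(xml_text):
    """Return {host: [(proto, port, service)]} for ports nmap reports as open.
    Filtered and closed ports are dropped; hosts without an IPv4 address are skipped."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            service = svc.get("name", "unknown") if svc is not None else "unknown"
            open_ports.append((port.get("protocol"), int(port.get("portid")), service))
        results[addr_el.get("addr")] = open_ports
    return results


def unexpected_exposure(scan, expected):
    """Open ports that are not in the allowlist, per host.  A host missing from
    the allowlist is treated as 'nothing expected', so every open port is flagged."""
    findings = {}
    for host, ports in scan.items():
        allowed = expected.get(host, set())
        extra = [(proto, port, svc) for proto, port, svc in ports if (proto, port) not in allowed]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_NMAP_XML)
    for host, extra in unexpected_exposure(scan, EXPECTED_EXPOSURE).items():
        for proto, port, svc in extra:
            print(f"{host} {proto}/{port} ({svc}) is open but not in the allowlist")
```

Feed it a real file with `parse_open_ports(open("scan.xml").read())`; the allowlist belongs under version control next to the asset inventory so that a newly exposed service shows up as a diff, not as a surprise.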


Qualys

A cloud-based vulnerability management platform that identifies vulnerabilities and misconfigurations in your network and infrastructure. Its API is called over HTTPS with HTTP Basic authentication, and the X-Requested-With header is mandatory: the API rejects requests without it as a CSRF guard. Use a dedicated API user rather than a personal account, keep the credentials out of shell history (curl's -n/.netrc or an environment variable), and replace the placeholder with the endpoint for your Qualys platform, since each platform has its own API hostname.

curl -H 'X-Requested-With: Curl Sample' -u "USERNAME:PASSWORD" -H 'Accept: application/json' -H 'Content-Type: application/json' '<qualys-api-endpoint>'


Trivy

  • Scanning Container Images with Trivy

Trivy is a lightweight vulnerability scanner that can be integrated into your CI/CD pipeline to scan container images before deployment. By default it only prints findings; to make the scan gate the pipeline, add --exit-code 1 together with --severity HIGH,CRITICAL so that Trivy exits non-zero when such findings remain, and --ignore-unfixed to leave out findings for which no fixed package exists yet. Here's an example of using Trivy to scan a container image:

trivy image <image-name>:<tag>

  • Scanning Helm Charts with Trivy

Trivy can also scan Helm charts before they are deployed, but what it checks there is misconfiguration (privileged containers, missing securityContext or resource limits, host namespaces, and so on) rather than package vulnerabilities: it renders the chart templates and evaluates the resulting Kubernetes manifests with its config scanner. There is no trivy chart subcommand; point trivy config at the chart directory:

trivy config <chart-path>


Syft

  • Analyzing Container Images with Syft

Syft generates a software bill of materials (SBOM) for a container image or filesystem: it inventories OS packages and language dependencies with their versions and package URLs, but it does not report vulnerabilities itself; that is Grype's job. Run against an image it prints a package table; with -o spdx-json or -o cyclonedx-json it writes a standard SBOM that can be stored as a build artifact and re-scanned later (grype sbom:<file>) without pulling the image again. Here's an example of using Syft to analyze a container image:

syft <image-name>:<tag>
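Once every build ships an SBOM, the question that matters at release time is what changed in the dependency set since the last build. The following is an added example, not code from the page or from the Syft project: it indexes two CycloneDX JSON documents of the kind syft -o cyclonedx-json produces, keyed by package URL without the version, and reports packages that were added, removed or changed version. Both SBOMs are constructed for the example; real Syft purls also carry qualifiers after a "?" (arch, distro), which this key deliberately ignores.

```python
"""Diff two CycloneDX JSON SBOMs (as produced by `syft <image> -o cyclonedx-json`)
to show which packages were added, removed or changed between two image builds.
Added example; both SBOMs below are constructed, not real Syft output."""
import json

# Constructed CycloneDX documents carrying the per-component fields a Syft SBOM has.
SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8-r0", "purl": "pkg:apk/alpine/openssl@3.0.8-r0"},
        {"type": "library", "name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "curl", "version": "8.0.1-r0", "purl": "pkg:apk/alpine/curl@8.0.1-r0"},
    ],
})
SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12-r0", "purl": "pkg:apk/alpine/openssl@3.0.12-r0"},
        {"type": "library", "name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "pyyaml", "version": "6.0.1", "purl": "pkg:pypi/pyyaml@6.0.1"},
    ],
})


def _component_key(component):
    """Identify a package by its ecosystem-qualified name, ignoring the version.
    The purl up to the '@' does that (any '?qualifiers' sit after the version
    and are discarded with it); fall back to type:name when no purl is present."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return f"{component.get('type')}:{component.get('name')}"


def index_sbom(sbom_json):
    """Map package key -> version for every component in a CycloneDX SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {_component_key(c): c.get("version", "") for c in doc.get("components", [])}


def diff_sboms(old_json, new_json):
    """Return (added, removed, changed); changed entries are (key, old_version, new_version)."""
    old, new = index_sbom(old_json), index_sbom(new_json)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted((k, old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k])
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_sboms(SBOM_V1, SBOM_V2)
    print("added:", added)
    print("removed:", removed)
    for key, before, after in changed:
        print(f"changed: {key} {before} -> {after}")
```

An unexpected "added" entry is the supply-chain signal: a dependency nobody asked for arriving through a transitive update deserves a look before the image is promoted.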


Grype

  • Analyzing Container Images with Grype

Grype is a vulnerability scanner for container images, filesystems and SBOMs: it matches the packages Syft detects against its vulnerability database. With --fail-on high it returns a non-zero exit code when findings at or above that severity are present, which is how it gates a pipeline, and --only-fixed drops findings that have no fix available yet. Here's an example of using Grype to analyze a container image:

grype <image-name>:<tag>
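Both the Trivy and the Grype sections above come down to the same pipeline decision: which findings block a release, and how an accepted risk is recorded without becoming permanent. The following is an added example, not code from the page, from Trivy or from Grype: it normalises the JSON that trivy image -f json and grype -o json emit into one Finding shape, de-duplicates across scanners, and applies a policy that blocks every CRITICAL, blocks HIGH only when a fix exists, and honours a time-boxed allowlist. Both reports, the CVE identifiers in them and the ALLOWLIST are constructed for the example.

```python
"""CI gate over container-scan results.  Normalises the JSON that
`trivy image -f json` and `grype -o json` emit into one Finding shape, then
fails the build on CRITICAL findings and on HIGH findings that already have a
fix, while honouring a time-boxed allowlist.  Added example, not Trivy's or
Grype's own code; the two reports (including the CVE ids) and the allowlist
are constructed."""
import json
from dataclasses import dataclass
from datetime import date

# Constructed Trivy report (SchemaVersion 2 layout: Results[].Vulnerabilities[]).
TRIVY_JSON = json.dumps({"SchemaVersion": 2, "ArtifactName": "app:1.0", "Results": [
    {"Target": "app:1.0 (alpine 3.17)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0001", "PkgName": "openssl", "InstalledVersion": "3.0.8-r0",
         "FixedVersion": "3.0.12-r0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2023-0002", "PkgName": "busybox", "InstalledVersion": "1.35.0-r29",
         "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2023-0003", "PkgName": "zlib", "InstalledVersion": "1.2.13-r0",
         "FixedVersion": "1.2.13-r1", "Severity": "CRITICAL"},
    ]}]})

# Constructed Grype report (matches[].vulnerability / matches[].artifact).
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2023-0004", "severity": "Medium", "fix": {"versions": ["2.31.0"], "state": "fixed"}},
     "artifact": {"name": "requests", "version": "2.28.1"}},
    {"vulnerability": {"id": "CVE-2023-0003", "severity": "Critical", "fix": {"versions": ["1.2.13-r1"], "state": "fixed"}},
     "artifact": {"name": "zlib", "version": "1.2.13-r0"}},
]})

# Hypothetical allowlist: an accepted risk carries an expiry date so it cannot linger.
ALLOWLIST = {"CVE-2023-0003": date(2099, 1, 1)}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    severity: str       # upper-cased: CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN
    fixed_version: str  # empty string when no fix is available


def load_trivy(report_json):
    """Trivy omits or nulls 'Vulnerabilities' when a target is clean; handle both."""
    doc = json.loads(report_json)
    return [Finding(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                    v.get("Severity", "UNKNOWN").upper(), v.get("FixedVersion") or "")
            for result in doc.get("Results", [])
            for v in (result.get("Vulnerabilities") or [])]


def load_grype(report_json):
    """Grype lists fix versions as an array; join them into the single string field."""
    doc = json.loads(report_json)
    findings = []
    for m in doc.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fix = ", ".join(vuln.get("fix", {}).get("versions", []))
        findings.append(Finding(vuln["id"], art["name"], art["version"],
                                vuln.get("severity", "UNKNOWN").upper(), fix))
    return findings


def evaluate(findings, allowlist, today):
    """Policy: CRITICAL always blocks; HIGH blocks only when a fix exists
    (unfixable HIGHs are visible in the report but do not fail the build).
    Allowlisted ids pass until their expiry date; after that they block again
    and are also returned in `expired` so the stale waiver is called out."""
    blocking, waived, expired = [], [], []
    seen = set()
    for f in findings:
        if (f.vuln_id, f.package) in seen:  # the same finding seen by two scanners
            continue
        seen.add((f.vuln_id, f.package))
        is_blocking = f.severity == "CRITICAL" or (f.severity == "HIGH" and bool(f.fixed_version))
        if not is_blocking:
            continue
        until = allowlist.get(f.vuln_id)
        if until is not None and today <= until:
            waived.append(f)
            continue
        if until is not None:
            expired.append(f)
        blocking.append(f)
    return blocking, waived, expired


def gate(reports, allowlist, today):
    """reports: list of (loader, json_text).  Returns (exit_code, blocking, waived, expired);
    exit_code is 1 when anything blocks, 0 otherwise."""
    findings = [f for loader, text in reports for f in loader(text)]
    blocking, waived, expired = evaluate(findings, allowlist, today)
    return (1 if blocking else 0), blocking, waived, expired


if __name__ == "__main__":
    code, blocking, waived, expired = gate(
        [(load_trivy, TRIVY_JSON), (load_grype, GRYPE_JSON)], ALLOWLIST, date.today())
    for f in blocking:
        print(f"BLOCK {f.vuln_id} {f.package} {f.installed} -> {f.fixed_version or 'no fix'}")
    for f in waived:
        print(f"WAIVED {f.vuln_id} until {ALLOWLIST[f.vuln_id]}")
    raise SystemExit(code)
```

Trivy's own .trivyignore and Grype's ignore rules can suppress the same ids, but neither records an expiry, which is why the date lives in the allowlist here: a waiver that silently outlives the fix it was waiting for is how "temporary" exceptions become permanent.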


Lynis

Lynis is a host-level security auditing tool for Linux, macOS and other Unix-like systems: it runs hundreds of tests against the local configuration (boot loader, kernel, authentication, SSH, file permissions, logging and so on), prints warnings and suggestions, and writes a hardening index (0-100) together with a machine-readable key=value report to /var/log/lynis-report.dat. It audits configuration; it does not match package versions against a CVE database.

  • Perform a System Scan
lynis audit system: Perform a security audit on the system (run as root for full coverage).
  • Specify a Profile
lynis audit system --profile <profile-name>: Perform a security audit using a specific profile (.prf file). Profiles are also where individual tests are skipped, with skip-test=<TEST-ID> lines.
  • Write the report to a chosen file
lynis audit system --report-file <report-file.dat>: Store the key=value report somewhere other than the default /var/log/lynis-report.dat.
  • Run Non-Interactive Mode
lynis audit system --quiet: Run without pausing between sections and display only the warnings and suggestions; for scheduled runs add --cronjob.
  • Check for a newer Lynis release
lynis update info: Show the installed version and whether a newer release is available. Lynis has no separate vulnerability database to update; the tests ship with the release itself.
  • Enable Debug Mode
lynis audit system --debug: Run Lynis in debug mode, providing detailed debug information.
  • Run only specific tests
lynis audit system --tests "<TEST-ID> <TEST-ID>": Restrict the audit to the listed test IDs, which is handy for re-checking a fix. This option selects tests; it does not skip them.
  • View available subcommands and options
lynis show commands: List the Lynis subcommands.
lynis show options: List the command-line options.
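The report.dat file is what makes Lynis usable in a pipeline: a post-provisioning step can parse it and refuse to hand over a host whose hardening index is too low or that still carries warnings. The following is an added example, not code from the page or from the Lynis project: it parses the report format Lynis writes (repeated keys end in [], and warning/suggestion values are |-separated: test id, text, details, solution) into structured findings and enforces a minimum hardening index. The report excerpt, host name and numbers are constructed for the example.

```python
"""Turn /var/log/lynis-report.dat (Lynis's key=value report) into structured
findings and enforce a minimum hardening index, e.g. in a post-provisioning
pipeline step.  Added example, not part of Lynis; the report excerpt is
constructed in the format Lynis writes (repeated keys end in '[]', and
warning/suggestion values are '|'-separated: test id, text, details, solution)."""
from collections import defaultdict

# Constructed excerpt of a lynis-report.dat file.
SAMPLE_REPORT = """# Lynis Report
report_version_major=1
lynis_version=3.0.8
hostname=web-01
hardening_index=63
warning[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
installed_packages=412
"""


def parse_report(text):
    """Parse report.dat into a dict.  Scalar keys map to strings; keys written
    as 'name[]' collect every occurrence into a list under 'name'."""
    lists = defaultdict(list)
    scalars = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists[key[:-2]].append(value)
        else:
            scalars[key] = value
    return {**scalars, **lists}


def findings(report, kind):
    """Split 'warning' or 'suggestion' entries into (text, details) tuples,
    grouped by test id so the repeated SSH-7408 lines stay together.
    A '-' in the details field means Lynis had nothing to add."""
    grouped = defaultdict(list)
    for entry in report.get(kind, []):
        parts = entry.split("|")
        test_id = parts[0]
        text = parts[1] if len(parts) > 1 else ""
        details = parts[2] if len(parts) > 2 and parts[2] != "-" else ""
        grouped[test_id].append((text, details))
    return dict(grouped)


def check_hardening(report, minimum_index, max_warnings=0):
    """Return (passed, reasons).  Fails when the hardening index is below the
    minimum or when more warnings than allowed remain."""
    reasons = []
    index = int(report.get("hardening_index", 0))
    if index < minimum_index:
        reasons.append(f"hardening index {index} below required {minimum_index}")
    n_warn = len(report.get("warning", []))
    if n_warn > max_warnings:
        reasons.append(f"{n_warn} warning(s) exceed allowed {max_warnings}")
    return (not reasons), reasons


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for test_id, items in findings(report, "warning").items():
        for text, details in items:
            print(f"WARNING {test_id}: {text} {details}".rstrip())
    passed, reasons = check_hardening(report, minimum_index=70)
    print("PASS" if passed else "FAIL: " + "; ".join(reasons))
```

Read the real file with `parse_report(open("/var/log/lynis-report.dat").read())`. Pick the minimum index from a known-good baseline image rather than an arbitrary number, and raise it as findings are fixed; a threshold that never moves stops being a control.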


Checkov

Checkov scans infrastructure-as-code (Terraform, CloudFormation, Kubernetes manifests, Helm charts, Dockerfiles, ARM/Bicep and more) for misconfigurations and leaked secrets, so that a public bucket or an open security group is caught in the pull request rather than in production. Checks are identified by IDs such as CKV_AWS_20, and selecting or skipping checks always works by those IDs; filtering by severity instead requires the platform API key.

  • Scan a directory (recursively, which is the default) or a single file for misconfigurations
checkov -d <directory>
checkov -f <file>
  • Restrict the scan to one IaC framework (terraform, cloudformation, kubernetes, helm, dockerfile, secrets, ...)
checkov -d <directory> --framework <framework>
  • Run only specific checks, or skip specific check IDs
checkov -d <directory> -c <check_id>,<check_id>
checkov -d <directory> --skip-check <check_id>,<check_id>
  • Load custom checks from a directory
checkov -d <directory> --external-checks-dir <directory>
  • Output results in JSON format
checkov -d <directory> -o json
  • Output results in SARIF format (for code-scanning integrations)
checkov -d <directory> -o sarif
  • Output results in JUnit XML format (for CI test reports)
checkov -d <directory> -o junitxml
  • Output only the failed checks in a GitHub Actions-friendly format
checkov -d <directory> -o github_failed_only
  • Display only failed checks, without printing the offending code blocks
checkov -d <directory> --quiet --compact
  • Report findings but keep the exit code zero (an advisory, non-blocking pipeline stage)
checkov -d <directory> --soft-fail
  • Suppress a single finding in the code itself, with the justification recorded next to the resource
# checkov:skip=<check_id>: <justification>
  • Update Checkov to the latest version
pip install --upgrade checkov


kubescape

Kubescape checks a cluster or a set of manifests against security frameworks (the NSA/CISA Kubernetes hardening guidance, MITRE ATT&CK and versioned CIS benchmarks) and reports the failed controls together with a compliance score. Scanning the live cluster needs read access through your current kubeconfig; it can also scan YAML files before they reach the cluster.

  • List the available frameworks (the CIS benchmarks appear here under their versioned names)
kubescape list frameworks
  • Scan the cluster against the NSA/CISA hardening guidance
kubescape scan framework nsa
  • Scan against MITRE ATT&CK and save machine-readable results
kubescape scan framework mitre --format json --output kubescape-results.json
  • Limit a cluster scan to specific namespaces, or exclude the system namespaces
kubescape scan framework nsa --include-namespaces <namespace_name>
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
  • Scan manifest files before they are applied
kubescape scan framework nsa <path_to_manifests>/*.yaml
  • Scan a Helm chart by rendering it and reading the manifests from stdin
helm template <release_name> <path_to_chart> | kubescape scan -
  • Fail the pipeline when the compliance score falls below a threshold
kubescape scan framework nsa --compliance-threshold 85


PurplePanda

PurplePanda (carlospolop/PurplePanda) is not a port or NSE scanner: it enumerates cloud and SaaS platforms (Google Cloud, GitHub, Kubernetes, Concourse and CircleCI) with the credentials you give it, loads principals, permissions and resources and the relationships between them into a Neo4j graph database, and then analyses that graph for privilege escalation paths and other misconfigurations. Platform credentials and the Neo4j connection are supplied through environment variables and YAML configuration files as described in the project README.

  • Enumerate the selected platforms into the graph
python3 main.py -p <platform>[,<platform>] -e
  • Analyse the collected graph for privilege escalation paths and misconfigurations
python3 main.py -p <platform>[,<platform>] -a
  • Show all options
python3 main.py -h


CDK

The AWS Cloud Development Kit (CDK) defines cloud infrastructure in a general-purpose programming language and synthesises it into CloudFormation templates. It is an infrastructure-as-code tool rather than a scanner, but it is where the security stacks below are defined; scan the synthesised templates in cdk.out with Checkov (or a cdk-nag rule pack) before deploying them.

  • Initialize a new CDK project (a template such as app and a language are required)
cdk init app --language <language>
  • Synthesize CDK app into CloudFormation template
cdk synth
  • Show what a deployment would change before applying it
cdk diff
  • Deploy CDK app to the default environment
cdk deploy
  • Bootstrap the AWS environment for CDK deployment
cdk bootstrap
  • List the stacks defined in the app
cdk list
  • Deploy a single named stack. The stack names below are illustrative names for stacks you define in your own app, not built-in CDK commands.
cdk deploy <stack_name>
  • Create an IAM role with least privilege access
cdk deploy IAMRoleStack
  • Deploy an EC2 instance with secure configuration
cdk deploy EC2Stack
  • Implement AWS CloudTrail for audit logging
cdk deploy CloudTrailStack
  • Enable AWS Config for continuous compliance monitoring
cdk deploy ConfigStack
  • Implement AWS Security Hub for centralized security findings
cdk deploy SecurityHubStack
  • Set up AWS GuardDuty for threat detection
cdk deploy GuardDutyStack
  • Enable VPC Flow Logs for network traffic analysis
cdk deploy FlowLogsStack
  • Configure AWS WAF for web application protection
cdk deploy WAFStack
  • Deploy AWS Secrets Manager for secure secret storage
cdk deploy SecretsManagerStack
  • Implement AWS Key Management Service (KMS) for encryption
cdk deploy KMSStack
  • Enable AWS Shield for DDoS protection
cdk deploy ShieldStack
  • Create a VPC with security best practices
cdk deploy VPCStack
  • Create security groups for different services
cdk deploy SecurityGroupStack
  • Configure strict inbound and outbound rules for security groups
cdk deploy SecurityGroupRulesStack


cs-suite

cs-suite (SecurityFTW/cs-suite, Cloud Security Suite) is an audit wrapper for cloud accounts rather than a web application scanner: for AWS it drives tools such as Scout2 and Prowler plus its own AWS audit checks and writes an HTML report, it has equivalent audits for GCP and Azure, and it can run a Lynis audit on a reachable instance. Commands are run from the cloned repository and use the credentials already configured for the provider's CLI.

  • Audit an AWS account (the default credentials/profile of the AWS CLI are used)
python3 cs.py -env aws
  • Audit a GCP project
python3 cs.py -env gcp
  • Audit an Azure subscription
python3 cs.py -env azure
  • Audit the operating system of a cloud instance over SSH
python3 cs.py -env aws -aip <instance_ip> -u <ssh_user> -pem <private_key.pem>


pacu

Pacu (RhinoSecurityLabs/pacu) is an interactive AWS exploitation framework: you start a session, load AWS keys into it and run modules from the pacu> prompt. Module names follow the service__action convention; use search <keyword> inside Pacu to find the exact module name in your version. Credentials stolen from an EC2 instance's metadata service (IMDS) are obtained on the instance itself, not by Pacu; once you have them, import them with set_keys and continue from there.

  • Start Pacu and create or resume a session (pacu when installed with pip, or python3 cli.py from the repository)
pacu
  • Load AWS credentials into the current session
pacu> set_keys
  • List all modules, or search for one by keyword
pacu> ls
pacu> search privesc
  • Enumerate IAM users, groups, roles and policies
pacu> run iam__enum_users_roles_policies_groups
  • Enumerate the permissions of the current keys
pacu> run iam__enum_permissions
  • Scan for IAM privilege escalation paths (attaching or passing roles to EC2 instances, changing group membership, adding user policies, abusing Lambda and other services) and optionally exploit them
pacu> run iam__privesc_scan
  • Enumerate EC2 instances, security groups and related resources
pacu> run ec2__enum
  • Download EC2 user data, which often contains credentials
pacu> run ec2__download_userdata
  • List the account's S3 buckets and download their contents
pacu> run s3__download_bucket
  • Explore RDS snapshots
pacu> run rds__explore_snapshots
  • Enumerate ECR repositories
pacu> run ecr__enum
  • Enumerate Lambda functions
pacu> run lambda__enum
  • Review the data collected so far in the session
pacu> data