Reference map of security tools by category and pipeline phase
Categories: SAST, DAST, SCA, container security, IaC scanning, secrets detection, CSPM. License column is indicative only.
| Tool | Category | Primary phase(s) | What it does | OSS / Commercial |
|---|---|---|---|---|
| OWASP Threat Dragon | Threat modeling | Plan | Diagram-driven STRIDE-style threat models tied to Git. | OSS |
| Microsoft Threat Modeling Tool | Threat modeling | Plan | Data-flow diagrams with STRIDE rule templates. | Free (not OSS) |
| SonarQube / SonarCloud | SAST | Code, Build | Static analysis for bugs, hotspots, and security rules in PRs. | Both |
| Semgrep | SAST | Code, Build | Fast pattern-based static analysis with community rules. | OSS + commercial |
| Checkmarx SAST | SAST | Code, Build | Enterprise static analysis with centralized policy. | Commercial |
| Veracode Static Analysis | SAST | Code, Build | Cloud static scanning with policy gates. | Commercial |
| GitGuardian ggshield | Secrets detection | Code, Build | Scans commits and CI for leaked credentials. | Both |
| TruffleHog | Secrets detection | Code, Build | High-signal secret scanning with verified validators. | OSS |
| Gitleaks | Secrets detection | Code, Build | Regex and entropy-based secret detection in repos. | OSS |
| OWASP Dependency-Check | SCA | Build | Correlates dependencies to NVD CVEs. | OSS |
| Snyk Open Source | SCA | Build | Dependency vulnerability and license analysis. | Both |
| Mend (WhiteSource) | SCA | Build | Enterprise dependency governance and SBOM. | Commercial |
| Gradle OWASP plugin / npm audit | SCA | Build | Build-native dependency CVE checks. | OSS |
| Trivy | Container security | Build, Deploy | Image/filesystem vuln scan, IaC misconfig, secrets. | OSS |
| Grype | Container security | Build, Deploy | SBOM-oriented image vulnerability scanner. | OSS |
| Clair | Container security | Build, Operate | Static analysis of container image layers. | OSS |
| Sigstore / Cosign | Container security | Build | Sign and verify OCI artifacts and SBOMs. | OSS |
| OWASP ZAP | DAST | Test | Proxy and automated scanner for web apps/APIs. | OSS |
| Burp Suite | DAST | Test | Manual and automated web security testing. | Both |
| Acunetix / Invicti | DAST | Test | Continuous web vulnerability scanning. | Commercial |
| Contrast Security / Seeker-style | DAST | Test | Interactive/IAST-style runtime-assisted testing. | Commercial |
| Checkov | IaC scanning | Deploy | Static policy checks for Terraform, K8s, CloudFormation. | OSS |
| Terraform tfsec | IaC scanning | Deploy | Security scanner focused on Terraform HCL. | OSS |
| cfn-lint + guard rules | IaC scanning | Deploy | CloudFormation validation and policy-as-code. | OSS |
| OPA / Conftest | IaC scanning | Deploy | Rego policies against Kubernetes YAML and IaC JSON. | OSS |
| Wiz | CSPM | Operate | Cloud posture, CIEM, data risk graph across providers. | Commercial |
| Prisma Cloud / CWPP | CSPM | Operate | Posture, compliance, workload protection. | Commercial |
| ScoutSuite / Prowler | CSPM | Operate | Open multi-cloud security assessments. | OSS |
| AWS Security Hub + Config | CSPM | Operate | Native AWS control plane aggregation and rules. | Commercial (AWS) |
Prefer outcomes over tool count: tune rules, reduce false positives, and wire top findings into product backlogs. Correlate DAST + SAST + SCA on the same feature branch when possible to see chained risk (vulnerable dependency reachable via new route).