Besides pointing pentester tools like metasploit at yourself, there are some nice scanners out there. https://github.com/quay/clair. - Source: Hacker News / 4 months ago

Clair. Vulnerability Static Analysis for Containers. - Source: dev.to / 4 months ago

Https://github.com/quay/clair 9.4k stars, updated 17 hours ago. Source: about 1 year ago

It scaled well compared to a naive graph abstraction implemented outside the database, but when performance wasn't great, it REALLY wasn't great. We ended up throwing it out in later versions to try and get more consistent performance. I've since worked on SpiceDB[1] which takes the traditional design approach for graph databases and simply treating Postgres as triple-store and that scales far better. IME, if you... - Source: Hacker News / about 1 year ago

Open source: Trivy, Gryp and Clair are widely used open source tools for container scanning. - Source: dev.to / over 1 year ago

SpotBugs is an open source static anlysis tool. "SpotBugs uses static analysis to inspect Java bytecode for occurrences of bug patterns." This means that SpotBugs runs against the compiled source source code, rather than raw Java files. Because it analyses bytecode, it can catch some types of bugs that source code analysis would not catch. - Source: dev.to / 17 days ago

SpotBugs is a great tool for static code analysis. Recently I got two similar warnings in one of the codebases I work on And I had to fix it. - Source: dev.to / 23 days ago

While at it you could also point them to static code analyzers such as error_prone, spotbugs and pmd (use all 3 at once - they complement each other in detecting different issues). Source: over 2 years ago

If you don’t have checkmarx/Vera code money, have you looked at https://find-sec-bugs.github.io/? It can be used with a few things such as https://spotbugs.github.io/ and sonarQ. Source: over 2 years ago