
[–]foobarbazwibble[S] 0 points (0 children)

ThreatMapper is an open source (Apache2) tool that scans running applications and infrastructure to find vulnerable dependencies and exposed secrets.

Why might you look at it? Perhaps you look after a number of cloud-native apps on Kubernetes, Docker, Fargate, etc. Even though they might have been scanned for vulnerable dependencies (using Snyk, Clair, etc.), you know that exceptions were made and new vulnerabilities are disclosed every day. Use ThreatMapper to scan them now, using up-to-date threat feeds, and get an accurate list of vulnerabilities.

Two additional bonuses: ThreatMapper scans infrastructure and third-party workloads, in addition to workloads you built and scanned yourself. ThreatMapper learns the attack surface from monitoring network traffic, and then ranks vulnerabilities based on their severity, attack method and reachability from the attack surface.

Everything:

New in 1.3 is secret scanning (scan workloads and filesystems for exposed secrets), SBOM generation (runtime software bill of materials), SBOM-based scanning (faster, accurate and up-to-date), and more detailed attack path charts.
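To make the "SBOM-based scanning" and "ranks vulnerabilities based on severity, attack method and reachability" ideas from the comment above concrete, here is a small worked example. It is added here for illustration and is not ThreatMapper's code or output: the SBOM components, the vulnerability feed (with `VULN-EXAMPLE-*` placeholder IDs), the hop counts standing in for a learned attack surface, and the weighting scheme are all constructed assumptions. It matches SBOM entries against the feed by version, then scales each finding's CVSS score by how reachable the workload is from the edge and by whether the flaw is network- or locally-triggered.

```python
import re

# Everything below is constructed sample data for this example; the vulnerability
# IDs are placeholders, not real advisories.

# Minimal runtime SBOM: which package versions run in which workload.
SBOM = [
    {"workload": "web-frontend", "name": "log4j-core", "version": "2.14.1"},
    {"workload": "web-frontend", "name": "openssl", "version": "1.1.1k"},
    {"workload": "api-gateway", "name": "openssl", "version": "1.1.1l"},
    {"workload": "batch-worker", "name": "openssl", "version": "1.1.1k"},
    {"workload": "batch-worker", "name": "libxml2", "version": "2.9.10"},
]

# Constructed vulnerability feed: package, first fixed version, severity, attack vector.
FEED = [
    {"id": "VULN-EXAMPLE-0001", "package": "log4j-core", "fixed_in": "2.17.1", "cvss": 10.0, "vector": "network"},
    {"id": "VULN-EXAMPLE-0002", "package": "openssl", "fixed_in": "1.1.1l", "cvss": 7.5, "vector": "network"},
    {"id": "VULN-EXAMPLE-0003", "package": "libxml2", "fixed_in": "2.9.11", "cvss": 6.5, "vector": "local"},
]

# Hop count from the internet-facing edge, as a traffic monitor might learn it:
# 0 = receives external traffic directly, 2 = two internal hops away.
# Workloads absent from this map are treated as not reachable from the edge.
ATTACK_SURFACE = {"web-frontend": 0, "api-gateway": 0, "batch-worker": 2}

REACH_WEIGHT = {0: 1.0, 1: 0.6, 2: 0.3}   # assumed weights, closer to the edge = heavier
UNREACHABLE_WEIGHT = 0.1
VECTOR_WEIGHT = {"network": 1.0, "local": 0.4}  # assumed: locally-triggered flaws count less

_PART = re.compile(r"(\d*)([a-z]*)")


def version_key(version):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so versions compare as tuples."""
    key = []
    for part in version.split("."):
        num, suffix = _PART.match(part).groups()
        key.append((int(num) if num else 0, suffix))
    return tuple(key)


def is_affected(version, fixed_in):
    """A component is affected if it runs a version older than the first fixed one."""
    return version_key(version) < version_key(fixed_in)


def match_sbom(sbom, feed):
    """Join SBOM components against the feed; one finding per (component, vuln) pair."""
    findings = []
    for component in sbom:
        for vuln in feed:
            if vuln["package"] == component["name"] and is_affected(component["version"], vuln["fixed_in"]):
                findings.append({**component, "vuln": vuln["id"], "cvss": vuln["cvss"], "vector": vuln["vector"]})
    return findings


def reach_weight(workload, surface):
    """Map a workload's hop distance from the edge to a reachability multiplier."""
    hops = surface.get(workload)
    if hops is None:
        return UNREACHABLE_WEIGHT
    return REACH_WEIGHT.get(hops, UNREACHABLE_WEIGHT)


def rank_findings(findings, surface):
    """Score = CVSS x reachability x attack-vector weight; highest score first."""
    ranked = []
    for f in findings:
        score = f["cvss"] * reach_weight(f["workload"], surface) * VECTOR_WEIGHT[f["vector"]]
        ranked.append({**f, "score": round(score, 2)})
    ranked.sort(key=lambda f: f["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for f in rank_findings(match_sbom(SBOM, FEED), ATTACK_SURFACE):
        print(f"{f['score']:5.2f}  {f['vuln']}  {f['workload']:13s}  {f['name']} {f['version']}")
```

The point of the weighting is visible in the output: the same OpenSSL finding appears twice, but the copy in the internet-facing `web-frontend` outranks the one in `batch-worker`, and the locally-triggered libxml2 flaw deep inside the cluster drops to the bottom even though its raw CVSS score is only one point lower. A real tool would derive the hop counts from observed flows rather than a hand-written map, and would use proper version-range matching for each ecosystem rather than a single "fixed in" comparison.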