Developer Tools Beta

secscan

Open-source CLI and dashboard that orchestrates the standard web-security scanners and produces a single unified report with optional AI-tailored remediation.

The problem

Web security scanning is fragmented. The good open-source tools each cover one slice: nuclei for vulnerability templates, nmap for ports, sslyze for TLS, ZAP for spiders, semgrep for code patterns, trivy for CVEs, gitleaks for secrets. To get full coverage you run all of them, paste outputs into a document, and triage the result. There's no shared schema, deduplication is on you, and every finding ships with generic remediation that doesn't know whether your site lives behind Cloudflare, an Astro _headers file, or an nginx config.

Overview

secscan is an MIT-licensed Python CLI plus a small FastAPI dashboard. It orchestrates nuclei, nmap, sslyze, subfinder, httpx, OWASP ZAP, semgrep, trivy, and gitleaks — it does not replace them. Findings are normalised into a common schema and rendered as HTML, Markdown, and JSON. Each scanner declares a risk level; medium-risk scans refuse to run without explicit consent. Optional AI-tailored remediation via the Anthropic API turns generic findings into context-aware fixes drawn from the project's actual config files. Published on PyPI as secscan-tool, with a Docker image and a GitHub Actions workflow that posts new High or Critical findings as issues.
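The pipeline the overview describes (scanner outputs flowing into one schema, duplicates collapsed, risk-gated execution, and a High/Critical subset for CI to file as issues) is sketched below as an added example. It is not secscan's own code: the `Finding` schema, the `SCANNER_RISK` declarations, the severity mapping for gitleaks, and the sample scanner outputs are all assumptions constructed for illustration, and the samples only imitate the shape of nuclei's JSONL and gitleaks' JSON report.

```python
"""Added example (not secscan's own code): normalise two scanners' JSON into one
finding schema, deduplicate, gate medium-risk scanners behind explicit consent,
and select the High/Critical findings a CI job would file as issues.
The schema, field names, risk declarations and sample outputs are assumptions."""
import hashlib
import json
from dataclasses import asdict, dataclass
from enum import Enum

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


class Risk(Enum):
    """Risk that *running* a scanner poses to the target, declared per scanner."""
    LOW = "low"        # passive or local, e.g. secret scanning of a checked-out repo
    MEDIUM = "medium"  # active probing that can trip WAFs, rate limits or alerts


SCANNER_RISK = {"nuclei": Risk.MEDIUM, "gitleaks": Risk.LOW}  # assumed declarations


@dataclass(frozen=True)
class Finding:
    scanner: str
    target: str    # host or file the finding applies to
    rule_id: str   # scanner-specific template / rule identifier
    severity: str  # normalised to a value in SEVERITY_ORDER
    title: str

    def fingerprint(self) -> str:
        """Stable key: the same rule on the same target is one finding, whoever reports it."""
        return hashlib.sha256(f"{self.target}|{self.rule_id}".encode()).hexdigest()[:16]


# Constructed sample outputs imitating nuclei JSONL and a gitleaks JSON report.
NUCLEI_JSONL = """\
{"template-id": "tls-version", "host": "https://example.test", "info": {"severity": "medium", "name": "Outdated TLS version"}}
{"template-id": "tls-version", "host": "https://example.test", "info": {"severity": "medium", "name": "Outdated TLS version"}}
{"template-id": "missing-hsts", "host": "https://example.test", "info": {"severity": "low", "name": "Missing HSTS header"}}
"""
GITLEAKS_JSON = """[{"RuleID": "generic-api-key", "File": "src/config.py", "Description": "Generic API Key", "Secret": "REDACTED"}]"""


def from_nuclei(text: str) -> list[Finding]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        out.append(Finding("nuclei", rec["host"], rec["template-id"],
                           rec["info"]["severity"].lower(), rec["info"]["name"]))
    return out


def from_gitleaks(text: str) -> list[Finding]:
    # Assumption: a leaked credential is treated as High; gitleaks itself reports no severity.
    return [Finding("gitleaks", rec["File"], rec["RuleID"], "high", rec["Description"])
            for rec in json.loads(text)]


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Collapse repeats by fingerprint (first occurrence wins), most severe first."""
    seen: dict[str, Finding] = {}
    for f in findings:
        seen.setdefault(f.fingerprint(), f)
    return sorted(seen.values(), key=lambda f: -SEVERITY_ORDER.index(f.severity))


def may_run(scanner: str, consent: bool) -> bool:
    """Medium-risk scanners refuse to run unless the operator consented explicitly."""
    return SCANNER_RISK[scanner] is Risk.LOW or consent


def build_report(consent: bool = False) -> list[Finding]:
    parsers = {"nuclei": (from_nuclei, NUCLEI_JSONL), "gitleaks": (from_gitleaks, GITLEAKS_JSON)}
    collected: list[Finding] = []
    for name, (parse, raw) in parsers.items():
        if not may_run(name, consent):
            continue  # in a real run the scanner would not be invoked at all
        collected.extend(parse(raw))
    return dedupe(collected)


def needs_issue(findings: list[Finding]) -> list[Finding]:
    """Subset a CI workflow would open issues for: High or Critical only."""
    threshold = SEVERITY_ORDER.index("high")
    return [f for f in findings if SEVERITY_ORDER.index(f.severity) >= threshold]


def to_json(findings: list[Finding]) -> str:
    """The unified JSON rendering; HTML/Markdown would be built from the same list."""
    return json.dumps([asdict(f) | {"id": f.fingerprint()} for f in findings], indent=2)


if __name__ == "__main__":
    report = build_report(consent=True)
    print(to_json(report))
    print("would file issues for:", [f.title for f in needs_issue(report)])
```

Without `consent=True` the nuclei results never enter the report, which is the behaviour the overview describes for medium-risk scans; the fingerprint deliberately ignores the reporting scanner so that two tools flagging the same rule on the same target yield one entry rather than two.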

Built for

Solo developers and small teams running production sites who want a credible security baseline without a paid platform.