Vulnerability scanning is the systematic process of identifying security weaknesses in systems, networks, and applications. A well-designed scanning program catches issues before attackers do. This article covers the major scanning tools, how to structure scanning workflows, and how to handle the inevitable flood of findings.


Scanning Tools


Nmap


Nmap is the foundation of network discovery and port scanning. It identifies live hosts, open ports, running services, and operating system details.


```bash
# Scan a subnet for open ports and service versions
nmap -sV -p 1-65535 192.168.1.0/24

# Run the NSE "vuln" script category for vulnerability detection
nmap -sV --script vuln target.example.com

# Scan with OS detection and traceroute
nmap -O --traceroute target.example.com
```

The Nmap Scripting Engine (NSE) extends the tool into a vulnerability scanner. Scripts like `http-sql-injection`, `ssl-heartbleed`, and `smb-vuln-ms17-010` detect specific flaws, and `-oX` writes the results as XML so they can be processed by other tooling.
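Scanner output only becomes useful once it is structured. The following added example (not code from the article or the Nmap project) parses Nmap's XML output into per-port records, keeps only hosts that are up and ports that are open, and attaches any NSE script results so that findings such as a `VULNERABLE` verdict can be picked out automatically. The XML below is constructed to mimic what `nmap -sV --script vuln -oX scan.xml` emits; the script output string is a placeholder.

```python
"""Parse Nmap XML output (nmap -oX) into structured host/port/script records.

Added example, not part of the original article: the sample XML below is
constructed to mimic `nmap -sV --script vuln -oX scan.xml <target>` output.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: one host up with three ports (two open), one host down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script vuln -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="target.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" product="nginx" version="1.18.0"/>
        <script id="ssl-heartbleed" output="VULNERABLE: ... (constructed)"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

@dataclass
class PortRecord:
    host: str
    port: int
    proto: str
    service: str
    product: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script id -> output text

def parse_nmap_xml(xml_text: str) -> list[PortRecord]:
    """Return one record per open port on each host that is up."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down or filtered hosts carry no port data worth keeping
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            rec = PortRecord(
                host=ip,
                port=int(port.get("portid")),
                proto=port.get("protocol", "tcp"),
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            )
            # NSE results live as <script> children of the port they ran against.
            for script in port.findall("script"):
                rec.scripts[script.get("id")] = script.get("output", "")
            records.append(rec)
    return records

def flagged_by_nse(records: list[PortRecord]) -> list[PortRecord]:
    """Records where an NSE script reported a vulnerability (output contains 'VULNERABLE')."""
    return [r for r in records if any("VULNERABLE" in out for out in r.scripts.values())]

if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for r in recs:
        print(f"{r.host}:{r.port}/{r.proto} {r.service} {r.product} {r.version} {list(r.scripts)}")
    for r in flagged_by_nse(recs):
        print("NSE flagged:", r.host, r.port, list(r.scripts))
```

Feed real output by replacing `SAMPLE_XML` with the contents of the `-oX` file; the parser deliberately ignores closed ports and down hosts so the downstream triage queue only contains reachable services.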


OpenVAS


OpenVAS is an open-source vulnerability scanner managed by Greenbone. It performs authenticated and unauthenticated scans against thousands of known vulnerabilities.


OpenVAS workflow:

1. Configure a target with IP ranges and credentials for authenticated scanning.
2. Select a scan config (e.g., "Full and Fast" for production, "Full" for deep scans).
3. Schedule recurring scans (weekly for external, monthly for internal).
4. Review results in the Greenbone Security Assistant dashboard.


OpenVAS categorizes findings by severity (Critical, High, Medium, Low) using CVSS scores. It also provides remediation advice for each finding.


Nessus


Nessus by Tenable is a commercial vulnerability scanner widely used in enterprise environments. It supports over 150,000 plugins.


```bash
# Create a scheduled Nessus scan through the REST API
# (launching an existing scan is a separate POST to /scans/{scan_id}/launch)
curl -X POST https://localhost:8834/scans \
  -H "X-ApiKeys: accessKey=KEY; secretKey=SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "uuid": "scan-template-uuid",
    "settings": {
      "name": "Weekly Internal Scan",
      "text_targets": "10.0.0.0/8",
      "launch": "WEEKLY"
    }
  }'
```
    

Nessus offers pre-built scan templates for different scenarios: basic network scan, credentialed patch audit, web application test, and PCI DSS compliance.


Trivy


Trivy is a modern vulnerability scanner focused on containers and infrastructure-as-code. It is fast, ships as a single binary with no external dependencies, and integrates well into CI/CD pipelines.


```bash
# Scan a container image
trivy image nginx:1.25

# Scan a filesystem for vulnerable libraries
trivy fs /path/to/project

# Scan a Kubernetes cluster
trivy k8s cluster

# Scan infrastructure as code
trivy config ./terraform/
```
    
    

Trivy detects vulnerabilities in OS packages (Alpine, Debian, Ubuntu) and language-specific dependencies (npm, pip, gem, cargo). It also scans for misconfigurations in Terraform, Docker, and Kubernetes manifests.
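Running Trivy on every build is only half of a CI gate; the other half is deciding which findings stop the pipeline. The following added example (not code from the article or the Trivy project) reads Trivy's JSON report (`trivy image -f json -o report.json <image>`) and splits the findings into a blocking set (CRITICAL/HIGH with a fix available) and an advisory set (everything else, including unfixable issues that would otherwise block every build until the distribution ships a patch). The report embedded below is constructed and uses placeholder vulnerability IDs; the schema field names match Trivy's JSON output.

```python
"""CI gate over Trivy JSON output: fail the build on fixable CRITICAL/HIGH findings.

Added example, not part of the article or of the Trivy project. It assumes the
report was produced with `trivy image -f json -o report.json <image>`; the
report below is constructed and uses placeholder vulnerability IDs.
"""
import json
import sys

# Constructed sample report in Trivy's JSON schema (SchemaVersion 2).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "nginx:1.25",
    "Results": [
        {
            "Target": "nginx:1.25 (debian 12.1)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.1-1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3.0-1", "FixedVersion": "",   # no fix yet
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9-1", "FixedVersion": "0.9-2",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "example-lib",
                 "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
                 "Severity": "HIGH"},
            ],
        },
        # Results entries without a Vulnerabilities key occur (e.g. config scans).
        {"Target": "app/config.yaml", "Class": "config", "Type": "kubernetes"},
    ],
})

def evaluate(report_json: str, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Split findings into blocking (fail the build) and advisory (report only)."""
    report = json.loads(report_json)
    blocking, advisory = [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []) or []:
            entry = {
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
            }
            fixable = bool(entry["fixed"])
            if entry["severity"] in fail_on and (fixable or not ignore_unfixed):
                blocking.append(entry)
            else:
                advisory.append(entry)
    return blocking, advisory

def main(path: str) -> int:
    """Exit non-zero when any blocking finding exists, so the CI job fails."""
    with open(path) as f:
        blocking, advisory = evaluate(f.read())
    for e in blocking:
        print(f"BLOCK {e['severity']} {e['id']} {e['pkg']} {e['installed']} -> {e['fixed']} ({e['target']})")
    for e in advisory:
        print(f"INFO  {e['severity']} {e['id']} {e['pkg']} fixed={e['fixed'] or 'none'} ({e['target']})")
    return 1 if blocking else 0

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1]))
    b, a = evaluate(SAMPLE_REPORT)
    print(f"{len(b)} blocking, {len(a)} advisory")
```

Trivy's own `--exit-code`, `--severity` and `--ignore-unfixed` flags achieve a plain pass/fail; the value of post-processing the JSON is keeping the unfixable and low-severity findings visible in the build log instead of discarding them.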


Scanning Cadence


A vulnerability scanning program needs a regular schedule:


  • **External network scan**: Weekly. Scans public-facing IPs and services from an external perspective.
  • **Internal network scan**: Monthly. Scans internal ranges with authenticated credentials for deeper visibility.
  • **Container image scan**: On every build. Scan images in the CI/CD pipeline before pushing to the registry.
  • **Web application scan**: On every major release and quarterly for existing applications.
  • **Cloud infrastructure scan**: Daily. Use tools like ScoutSuite or Prowler to check cloud configurations.

False Positive Management


Raw scanner output always contains false positives. A mature process distinguishes real findings from noise.


1. **Triage**: Review each finding within 24 hours. Determine if it is a true positive, false positive, or needs investigation.
2. **Verify**: Confirm true positives by manual testing or by running a secondary scanner.
3. **Document**: Maintain a false positive registry with the reason each finding was rejected. This saves time in subsequent scans.
4. **Tune**: Configure scanner exclusions and reduction filters to reduce known false positives automatically.
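The registry in step 3 and the automatic tuning in step 4 can be one mechanism. The following added example (not code from the article or any scanner) applies a false positive registry to a batch of findings: each registry entry records the plugin, host, owner, reason and an expiry date, and an expired entry stops suppressing so that accepted risks are re-examined rather than silently living forever. The findings and registry entries are constructed, and the field names are this example's own convention rather than any scanner's export format.

```python
"""Apply a false positive registry to scanner findings before triage.

Added example, not from the article. Findings and registry entries are
constructed; the field names (plugin_id, host, port, reason, owner, expires)
are this example's own convention, not any scanner's output format.
"""
from datetime import date

# Constructed scanner output.
FINDINGS = [
    {"plugin_id": "10001", "host": "10.0.1.5", "port": 443, "title": "TLS 1.0 enabled"},
    {"plugin_id": "10001", "host": "10.0.1.6", "port": 443, "title": "TLS 1.0 enabled"},
    {"plugin_id": "10002", "host": "10.0.1.5", "port": 22, "title": "SSH weak MAC"},
    {"plugin_id": "10003", "host": "10.0.2.9", "port": 80, "title": "Outdated web server banner"},
]

# Constructed registry: each rejected finding carries who rejected it, why, and an
# expiry (ISO date) so accepted-risk entries are re-examined instead of lasting forever.
REGISTRY = [
    {"plugin_id": "10001", "host": "10.0.1.5", "owner": "netsec", "expires": "2025-12-31",
     "reason": "TLS 1.0 only on isolated legacy VLAN; compensating ACL in place"},
    {"plugin_id": "10003", "host": "*", "owner": "webops", "expires": "2025-03-01",
     "reason": "Banner is a decoy string; version verified current"},
]

def matches(entry: dict, finding: dict) -> bool:
    """Registry entry matches a finding on plugin id and host ('*' = any host)."""
    return entry["plugin_id"] == finding["plugin_id"] and entry["host"] in ("*", finding["host"])

def apply_registry(findings: list, registry: list, today: str):
    """Return (kept, suppressed, expired) for the given ISO date.

    Expired registry entries no longer suppress anything; they are returned
    separately so the owner can renew or retire them.
    """
    today_d = date.fromisoformat(today)
    active = [e for e in registry if date.fromisoformat(e["expires"]) >= today_d]
    expired = [e for e in registry if date.fromisoformat(e["expires"]) < today_d]
    kept, suppressed = [], []
    for f in findings:
        hit = next((e for e in active if matches(e, f)), None)
        if hit:
            # Keep the justification with the finding for audit purposes.
            suppressed.append({**f, "fp_reason": hit["reason"], "fp_owner": hit["owner"]})
        else:
            kept.append(f)
    return kept, suppressed, expired

if __name__ == "__main__":
    kept, suppressed, expired = apply_registry(FINDINGS, REGISTRY, "2025-06-01")
    print(f"{len(kept)} to triage, {len(suppressed)} suppressed, {len(expired)} expired entries")
    for e in expired:
        print(f"renew or retire: plugin {e['plugin_id']} host {e['host']} owner {e['owner']}")
```

Matching on a host wildcard is deliberately the only generalization allowed: a registry keyed on plugin id alone would hide the same weakness on a newly deployed host where the original justification does not apply.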


CVE Prioritization


Not all CVEs are equal. A critical severity CVE in an internet-facing service matters more than the same score in an internal-only tool.


Use a risk-based approach:


  • **CVSS score**: Base severity (Critical 9.0+, High 7.0-8.9).
  • **Exploit availability**: Is there a public exploit in Metasploit, Exploit-DB, or a PoC on GitHub?
  • **Asset criticality**: Does the vulnerable system process sensitive data or serve external users?
  • **Attack vector**: Is the vulnerability remotely exploitable without authentication?
  • **Mitigation status**: Is there a vendor patch or a workaround?

Prioritize vulnerabilities that are remotely exploitable, have public exploits, affect critical assets, and lack compensating controls. These should be remediated within 24-72 hours.
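The five factors above can be turned into a repeatable ranking. The following added example (not code from the article) scores each finding from its CVSS base score and the context factors listed, assigns a priority tier, and attaches a remediation SLA; it demonstrates the article's point that two findings with the same 9.8 base score land in different tiers once exposure and exploit availability are considered. The multiplier weights and the 30- and 90-day SLAs for the lower tiers are this example's assumptions; the 72-hour window for the top tier follows the article. The findings use placeholder CVE identifiers.

```python
"""Risk-based prioritization of scanner findings.

Added example, not from the article. The scoring weights, the tier rules and
the 30/90-day SLAs for lower tiers are this example's assumptions; the
72-hour window for the top tier follows the article's 24-72 hour guidance.
Findings are constructed and use placeholder CVE ids.
"""
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float                 # base score reported by the scanner
    exploit_public: bool        # Metasploit module, Exploit-DB entry or public PoC exists
    asset_critical: bool        # handles sensitive data or serves external users
    remote_unauth: bool         # exploitable over the network without credentials
    patch_available: bool       # vendor fix or workaround exists
    compensating_control: bool  # network isolation, WAF rule, etc. already in place

def cvss_bucket(score: float) -> str:
    """Severity buckets as used in the article (Critical 9.0+, High 7.0-8.9)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def risk_score(f: Finding) -> float:
    """CVSS base adjusted by context multipliers (assumed weights), capped at 25."""
    score = f.cvss
    if f.exploit_public:
        score *= 1.5
    if f.remote_unauth:
        score *= 1.3
    if f.asset_critical:
        score *= 1.3
    if f.compensating_control:
        score *= 0.5
    return round(min(score, 25.0), 1)

def priority(f: Finding):
    """Return (tier, SLA in hours). P1 is the article's 'fix within 24-72 hours' class."""
    severe = cvss_bucket(f.cvss) in ("Critical", "High")
    if severe and f.exploit_public and f.remote_unauth and f.asset_critical and not f.compensating_control:
        return "P1", 72          # article: remotely exploitable, public exploit, critical asset, no control
    if severe or (f.exploit_public and f.remote_unauth):
        return "P2", 30 * 24     # assumed
    return "P3", 90 * 24         # assumed

def prioritize(findings: list) -> list:
    """Findings sorted by risk score descending, each annotated with tier and SLA."""
    rows = []
    for f in findings:
        tier, sla = priority(f)
        rows.append({"cve": f.cve, "bucket": cvss_bucket(f.cvss), "risk": risk_score(f),
                     "tier": tier, "sla_hours": sla, "patch": f.patch_available})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

# Constructed findings: identical base scores, very different real-world risk.
FINDINGS = [
    Finding("CVE-EXAMPLE-1", 9.8, exploit_public=True, asset_critical=True, remote_unauth=True,
            patch_available=True, compensating_control=False),   # internet-facing, weaponized
    Finding("CVE-EXAMPLE-2", 9.8, exploit_public=False, asset_critical=False, remote_unauth=False,
            patch_available=True, compensating_control=False),   # same score, internal-only
    Finding("CVE-EXAMPLE-3", 7.5, exploit_public=True, asset_critical=True, remote_unauth=True,
            patch_available=True, compensating_control=True),    # mitigated by a control
    Finding("CVE-EXAMPLE-4", 5.3, exploit_public=False, asset_critical=False, remote_unauth=True,
            patch_available=False, compensating_control=False),
]

if __name__ == "__main__":
    for r in prioritize(FINDINGS):
        print(f"{r['tier']} risk={r['risk']:>5} cvss={r['bucket']:<8} sla={r['sla_hours']}h {r['cve']}")
```

The output ordering is the point: the internet-facing 9.8 is P1 with a 72-hour SLA, while the internal-only 9.8 with no public exploit drops to P2, and the 7.5 that is shielded by a compensating control ranks below it despite having a public exploit.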


Conclusion


Vulnerability scanning is not a one-time activity. It requires consistent tooling, regular cadence, smart prioritization, and rigorous false positive management. Pair automated scanning with manual validation, and always focus remediation energy on the vulnerabilities that present genuine risk to your environment.