Introduction

Vulnerability scanners are the first line of defense in proactive security management — they identify missing patches, misconfigurations, and known CVEs before attackers can exploit them. While traditional scanners require installing agents on every target, agentless scanning takes a different approach: connect remotely, scan, and report without leaving software behind.

This guide compares three self-hosted agentless vulnerability scanning approaches: Vuls (an agentless vulnerability scanner for Linux/FreeBSD), OpenSCAP (NIST-certified SCAP compliance scanner), and Wazuh Agent (lightweight endpoint security agent with vulnerability detection). Each represents a different philosophy in how to discover and manage security weaknesses across your infrastructure.

Comparison Table

FeatureVulsOpenSCAPWazuh Agent
Stars12,1661,72511,800+
Agent RequiredNo (SSH-based)No (local scan)Yes (lightweight agent)
LanguageGoCC (agent) / Python (manager)
CVE DetectionYes (NVD, JVN, OVAL)Yes (OVAL, CVE feeds)Yes (CVE + vulnerability feeds)
Compliance ScanningNoYes (SCAP, XCCDF)Yes (CIS, PCI DSS, GDPR)
Scan TargetLinux, FreeBSD, ContainersLinux (RHEL/CentOS/Fedora)Linux, Windows, macOS, Cloud
ReportingTUI, JSON, Slack/EmailHTML, ARF, XCCDF resultsKibana dashboards, PDF reports
CWE MappingYesVia SCAP contentVia MITRE mapping
DatabasePostgreSQL, MySQL, SQLiteLocal XML/ARF filesFilebeat + Elasticsearch
LicenseGPLv3LGPLv2GPLv2
Last UpdatedJune 2026May 2026Active

Vuls: Agentless by Design

Vuls (Vulnerability Scanner) exemplifies the agentless philosophy: it connects to target servers via SSH, collects package information and system configuration, and compares the results against vulnerability databases — all without installing any agent software on the target.

Key Capabilities:

  • Multi-distribution support: Ubuntu, Debian, CentOS, RHEL, Amazon Linux, FreeBSD, and container images
  • Multiple vulnerability databases: NVD (National Vulnerability Database), JVN (Japan Vulnerability Notes), OVAL definitions
  • CWE (Common Weakness Enumeration) mapping for each discovered vulnerability
  • Fast scan mode: uses yum --security and apt-get upgrade --dry-run for rapid assessment
  • Notification integrations: Slack, Email, ChatWork, and generic webhooks

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

version: "3.8"
services:
  vuls:
    image: vuls/vuls:latest
    container_name: vuls
    volumes:
      - ./vuls:/vuls
      - ./ssh:/root/.ssh:ro
      - vuls_data:/var/lib/vuls
    environment:
      TZ: "UTC"
    command: ["server", "-listen=0.0.0.0:5515"]

  vulsrepo:
    image: ishidaco/vulsrepo:latest
    container_name: vulsrepo
    ports:
      - "7000:80"
    volumes:
      - vuls_data:/usr/share/nginx/html/results

volumes:
  vuls_data:

Configure scan targets in config.toml:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

[servers]
[servers.web-01]
host = "192.168.1.10"
port = "22"
user = "vuls-scanner"
keyPath = "/root/.ssh/id_rsa"

[servers.db-01]
host = "192.168.1.20"
port = "22"
user = "vuls-scanner"
keyPath = "/root/.ssh/id_rsa"

Run a scan:

1
2

vuls scan
vuls report -format-json -cvedb-path=/var/lib/vuls/cve.sqlite3

VulsRepo provides a web UI for browsing scan results, tracking remediation progress, and generating compliance reports.

CWE-Aware Vulnerability Management

Vuls maps each CVE to its corresponding CWE, enabling you to prioritize remediation by weakness type rather than just severity score. For example, if you consistently see CWE-79 (Cross-Site Scripting), you know to invest in input validation training — a pattern invisible in raw CVE lists.

OpenSCAP: NIST-Certified Compliance Scanning

OpenSCAP is the reference implementation of the SCAP (Security Content Automation Protocol) standard, certified by NIST. It’s not just a vulnerability scanner — it’s a compliance auditing framework that evaluates systems against XCCDF (eXtensible Configuration Checklist Description Format) benchmarks.

Key Capabilities:

  • SCAP 1.2/1.3 certified — the gold standard for government and regulated industry compliance
  • OVAL (Open Vulnerability and Assessment Language) — declarative vulnerability definitions
  • XCCDF benchmarks — standardized compliance checklists for DISA STIG, PCI DSS, USGCB
  • Remediation scripts — OpenSCAP can generate Bash and Ansible remediation for discovered issues
  • HTML/ARF reporting — browser-viewable reports with pass/fail/compliance percentages

Installation and Scanning

1
2
3
4
5

# Install on RHEL/CentOS
yum install openscap-scanner scap-security-guide

# Install on Ubuntu/Debian
apt install libopenscap8 ssg-debian

Run a compliance scan:

1

oscap xccdf eval   --profile xccdf_org.ssgproject.content_profile_cis   --results scan-results.xml   --report scan-report.html   /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Generate remediation:

1

oscap xccdf generate fix   --fix-type ansible   --output remediation.yml   scan-results.xml

Containerized OpenSCAP

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

version: "3.8"
services:
  openscap:
    image: openscap/openscap:latest
    container_name: openscap
    volumes:
      - ./results:/results
      - ./target:/target:ro
    command: >
      oscap xccdf eval
      --profile xccdf_org.ssgproject.content_profile_cis
      --results /results/scan.xml
      --report /results/report.html
      /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Wazuh Agent: Lightweight Endpoint Security

While not strictly agentless, Wazuh’s agent is one of the lightest endpoint security agents available — typically consuming less than 50MB of RAM. It bridges the gap between pure agentless scanning and full endpoint security platforms by combining vulnerability detection, file integrity monitoring, log analysis, and intrusion detection in a single agent.

Key Capabilities:

  • Vulnerability detection: correlates installed packages against CVE databases updated daily
  • File integrity monitoring (FIM) : detects unauthorized changes to critical files and registry keys
  • Log analysis: collects and analyzes system and application logs for security events
  • Intrusion detection: monitors network traffic and system calls for suspicious activity
  • Compliance mapping: maps detected vulnerabilities to PCI DSS, GDPR, HIPAA, and NIST 800-53 controls

Wazuh Manager + Agent Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

version: "3.8"
services:
  wazuh-manager:
    image: wazuh/wazuh-manager:latest
    container_name: wazuh-manager
    ports:
      - "1514:1514/udp"
      - "1515:1515"
      - "55000:55000"
    volumes:
      - wazuh_data:/var/ossec/data

  wazuh-indexer:
    image: wazuh/wazuh-indexer:latest
    container_name: wazuh-indexer
    ports:
      - "9200:9200"
    environment:
      - "discovery.type=single-node"

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:latest
    container_name: wazuh-dashboard
    ports:
      - "443:5601"
    depends_on:
      - wazuh-indexer

volumes:
  wazuh_data:

Agent installation on target server:

1

curl -s https://packages.wazuh.com/4.x/wazuh-install.sh | bash -s -- -a -m wazuh-manager-ip

Choosing the Right Vulnerability Scanner

Choose Vuls when:

  • You prioritize truly agentless scanning (SSH-only access)
  • You need CWE-aware vulnerability classification for root cause analysis
  • You’re scanning a mixed Linux/FreeBSD environment
  • You want fast, lightweight scanning without a heavy management infrastructure

Choose OpenSCAP when:

  • You operate in a regulated industry requiring SCAP-compliant auditing
  • You need NIST-certified compliance reports (DISA STIG, PCI DSS)
  • You want automated remediation script generation
  • Your environment is primarily RHEL/CentOS/Fedora

Choose Wazuh Agent when:

  • You want vulnerability detection integrated with FIM, log analysis, and intrusion detection
  • You need compliance mapping across multiple frameworks (PCI DSS, GDPR, HIPAA)
  • You’re monitoring a heterogeneous environment (Linux, Windows, macOS, cloud)
  • You want centralized dashboards and alerting via Kibana

Why Self-Host Vulnerability Scanning?

Cloud-based vulnerability scanners require shipping your server inventory and package manifests to a third-party SaaS. For organizations in finance, healthcare, or defense, this is a non-starter — internal package lists are themselves sensitive information that could reveal unpatched attack surfaces if leaked.

Self-hosted scanning also eliminates per-asset licensing costs. A single Vuls or OpenSCAP deployment can scan hundreds of servers at zero incremental cost. Compare this to SaaS scanners that charge $10-50 per asset per month, and the savings for a 200-server environment exceed $24,000 annually.

For broader security visibility, combine vulnerability scanning with our guides on intrusion detection systems, server security auditing tools, and runtime security monitoring. Our SIEM platform comparison covers centralized log management for security event correlation.

FAQ

Why use an agentless scanner instead of an agent-based one?

Agentless scanners reduce operational complexity — no software to install, update, or troubleshoot on target servers. They’re ideal for scanning legacy systems where agent installation is restricted, ephemeral containers that don’t persist installed software, and environments where security teams don’t have administrative access to install agents. The trade-off is that agentless scanners have limited visibility into runtime behavior compared to agents.

How often should I run vulnerability scans?

Weekly scans are the minimum for production environments. Critical infrastructure (payment systems, healthcare platforms) should scan daily. Vuls supports cron-based scheduling, Wazuh agents report continuously, and OpenSCAP can be integrated into CI/CD pipelines for pre-deployment scanning.

Can these scanners detect zero-day vulnerabilities?

No scanner can detect true zero-days (vulnerabilities without published CVEs). However, all three tools update their vulnerability databases daily. Vuls can pull from multiple feeds (NVD, JVN, OVAL), Wazuh correlates against multiple sources, and OpenSCAP supports custom OVAL definitions for organization-specific vulnerability checks.

How do I prioritize which vulnerabilities to fix first?

All three tools provide severity ratings (CVSS scores). Vuls adds CWE classification, which helps identify systemic weakness patterns. For practical prioritization, focus on: (1) vulnerabilities with known public exploits, (2) internet-facing services, (3) CVSS ≥ 7.0 on critical systems, and (4) vulnerabilities in authentication and authorization components.

Can I integrate these scanners with my CI/CD pipeline?

Yes. Vuls supports JSON output for pipeline integration. OpenSCAP’s XCCDF results can be parsed by CI tools. Wazuh’s API allows querying agent vulnerability status programmatically. For a complete DevSecOps pipeline, see our container security scanning comparison.

What’s the difference between vulnerability scanning and penetration testing?

Vulnerability scanning is automated identification of known CVEs and misconfigurations — it tells you what’s potentially exploitable. Penetration testing is manual or semi-automated exploitation of those vulnerabilities — it proves what’s actually exploitable. Vulnerability scanning should run continuously; penetration testing should run periodically (quarterly or after major changes). For network-level testing, see our network port scanners guide.

💡 想测试你的市场判断力?我用 Polymarket 做预测市场交易——这是全球最大的预测市场平台,从大选结果到技术监管时间线,什么都可以押注。和赌博不同,这是真正的信息市场:你懂的信息越多,胜率越高。我靠预测技术相关事件的走向已经赚了不少。用我的邀请链接注册:Polymarket.com