Welcome to FlawGarden, an organization dedicated to building a practical environment for evaluating application security testing tools. Our mission is to enhance the effectiveness of these tools through comprehensive synthetic and real-world benchmarks and a convenient infrastructure to run them.
vulnomicon is our main project. It evaluates some of the most renowned application security testing tools against all the benchmarks we have prepared. The project aims to provide clear insights into these tools' capabilities and limitations, helping security professionals make informed decisions.
bentoo is a tool designed to organize and facilitate benchmarking of Static Application Security Testing (SAST) tools. It provides a structured approach to running benchmarks and comparing results, making it easier to assess the effectiveness of different SAST tools.
reality-check is a challenging benchmark based on real-world vulnerabilities that have been found and resolved. This project aims to test the robustness and accuracy of application security testing tools against real-life scenarios, offering a realistic test of their practical utility.
BenchmarkJava-mutated is an enhanced version of the well-known OWASP Benchmark for Java. It is enriched with various Java language features and employs a selective fuzzing approach to differentiate SAST tools by their functional quality. This project aims to provide a more nuanced evaluation of Java security testing tools.
To get started with any of our projects, please refer to their repositories for detailed instructions on installation, usage, and contribution guidelines.
We welcome contributions from the community! If you're interested in contributing to any of our projects, please check out the open issues on each repository.
All our projects are licensed under the Apache-2.0 or the MIT License except for mutated versions of benchmarks. You are free to use, modify, and distribute our code as long as you include the original copyright and license notice in any copy of the code.
If you have any questions or feedback, please don't hesitate to open an issue on the respective repository or contact us directly at flawgarden.benchmark@gmail.com.
Thank you for visiting FlawGarden! We hope our tools and benchmarks will help improve the security of your applications.