All systems containing customer information should undergo vulnerability scans regularly. All issues should be documented in accordance with your change management policy. At the very least, critical and high issues should be remediated in a timely manner. Web applications that are in scope also must be scanned. 

For internal vulnerability scanning, some cloud service providers (CSP) have native services such as AWS Inspector for AWS, Microsoft Defender for Azure, and/or Web Security Scanner for GCP. Other tools to consider are SonarCloud, SnykAcunetix, Burpe Suite (by PortSwigger), and Zaproxy. 

We also recommend performing static and dynamic application security testing on in scope production code. Here are some recommended tools based on the what you use for software development:

• For GitHub, utilize the built-in and open source tool CodeQL to query your code and find vulnerabilities.
  Dependabot can also be used with GitHub. 
• For Gitlab, the CI/CD suite can performing various types of scans including SAST, DAST, and API fuzzing.
• For CircleCI, there are several ways to integrate leading DevOps security tools that conduct code scans.

Other open source and commercial tools can be found here. See our recommendations for open-source DAST or SAST tools here.