Ask.Cyberinfrastructure

What are best practices for running vulnerability scanners on a research project?

I would like your opinions on what some best practices are for using vulnerability scanners on your projects, and what you liked or didn’t like.

Are these projects webapps? What protocols are in play? HTTP? SMTP? SSH? For that you might like https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Or are you talking about scanning for vulnerabilities within the dependencies in your source code? For that you might like https://www.owasp.org/index.php/OWASP_Dependency_Check

These are both listed under “Flagship Projects: Projects that have demonstrated strategic value to OWASP and application security as a whole” at https://www.owasp.org/index.php/Main_Page

With regard to SSL/TLS/HTTPS, I use these two resources for checking configuration:

https://www.ssllabs.com/ssltest/
https://observatory.mozilla.org/

For both sites it’s probably a good idea to check the box that will exclude your results from the list of public results so that you don’t advertise yourself if you get anything less than an A. Both of these scanners are unique enough to warrant using each of them. For instance, I’ve seen sites that get an A+ on ssllabs, but an F on Mozilla’s Observatory.
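The A+/F split described in the answer above is easy to reproduce: SSL Labs grades the TLS handshake and certificate, while Observatory mostly grades the HTTP response headers (HSTS, CSP, X-Content-Type-Options, clickjacking protection, Referrer-Policy, cookie flags), so a site can have a perfect TLS stack and still send none of them. The following is an added example, not code from the original post, from Mozilla or from OWASP; it implements a simplified subset of Observatory's header checks over a header list in the shape that Python's `http.client` returns. The thresholds and the sample header sets are constructed for illustration and are not Observatory's actual scoring.

```python
"""Security-header check in the spirit of Mozilla Observatory.

Added example; not code from the original post, from Mozilla or from OWASP.
The rules are a simplified subset of what Observatory tests; the thresholds
below are assumptions for illustration, not Observatory's real algorithm.
"""
import http.client
import re
import ssl
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # same shape as HTTPResponse.getheaders()


def _get(headers: Headers, name: str) -> List[str]:
    """All values for a header, case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def check_headers(headers: Headers) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    hsts = " ".join(_get(headers, "Strict-Transport-Security"))
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS header missing")
    elif int(m.group(1)) < 15552000:  # six months; assumed minimum for full credit
        findings.append("HSTS max-age shorter than six months")

    csp = " ".join(_get(headers, "Content-Security-Policy"))
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits 'unsafe-inline' or 'unsafe-eval'")

    # all() over an empty list is True, so a missing header is also flagged
    if all(v.lower() != "nosniff" for v in _get(headers, "X-Content-Type-Options")):
        findings.append("X-Content-Type-Options not set to nosniff")

    xfo = [v.upper() for v in _get(headers, "X-Frame-Options")]
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo) and "frame-ancestors" not in csp:
        findings.append("no clickjacking defence (X-Frame-Options or CSP frame-ancestors)")

    rp = " ".join(_get(headers, "Referrer-Policy")).lower()
    if rp in ("", "unsafe-url"):
        findings.append("Referrer-Policy missing or unsafe-url")

    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        # attribute names only, so a cookie *value* containing "secure" cannot pass
        attrs = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        if "secure" not in attrs or "httponly" not in attrs:
            findings.append(f"cookie {name} lacks Secure and/or HttpOnly")
    return findings


def fetch_headers(host: str, path: str = "/") -> Headers:
    """Fetch response headers over TLS with certificate verification (network; not run by default)."""
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context(), timeout=10)
    conn.request("GET", path, headers={"Host": host, "User-Agent": "header-check/0.1"})
    return conn.getresponse().getheaders()


# Constructed sample: a site that could score well on SSL Labs (TLS is outside
# these checks) yet poorly on Observatory because it sends no hardening headers.
TLS_ONLY_SITE: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "nginx"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

# Constructed sample of the same site after adding the headers Observatory looks for.
HARDENED_SITE: Headers = TLS_ONLY_SITE[:2] + [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("TLS-only", TLS_ONLY_SITE), ("hardened", HARDENED_SITE)):
        print(label, check_headers(hdrs) or ["no findings"])
```

Run it on a live host with `check_headers(fetch_headers("example.org"))`; because the request is made over HTTPS the HSTS header, which servers only send on TLS connections, is visible to the check. Keep in mind this is a self-hosted subset and will not match Observatory's letter grade exactly; its point is to show that header hygiene is a separate axis from TLS hygiene, which is why both scanners are worth running.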