This is a list of possibly-good website security scanners; this page is not an endorsement. I have not tested all or most of them, it's just the beginning of my research.

Many tools that have been advertised as free have ended up being trials, extremely limited in scope, or no longer free at all.

Tested

Again, not endorsements, just tracking what I've used.

Web-based

These scanners can be run right from a browser, and are by and large free. However, this combination also means that they are narrow in scope and light on detail.

Pentest-tools.com

• Free tool is limited to "light" scans, paid account is around $100 a month, but allows for deep scans

ImmuniWeb

• free account allows 10 scans daily and technical reports

securityheaders.com by Probely

• A quick and dirty check for HTTP response headers

Serpworx

• Similar to securityheaders.com, but checks for more and different headers; need to investigate further

Client-based

These scanners must be installed and run from a device you own; be sure to connect via VPN or set rules not to block your IP, or you're likely going to get cutoff from your site while testing.

WPScan

• Focused on WordPress sites, pretty comprehensive
• It's been a while since I used it, but IIRC, it is actually free for researchers up to a point.
  • You do need to register and get a key

Kali Linux Tools

• Not a scanner itself, but with pre-baked VM images and a nice layout, it's a great place to start for self-hosted scanners.
  • I have not tested most of the tools, but wanted to put it up here since I have installed and used to the OS
  • Many/most of the scanners are CLI based
  • Not all tools it lists are free, but it takes out a lot of the hassle of testing/setup

ZAP

• Available on Linux/Mac/Windows, with a variety of deployment methods
• Pretty awesome

Untested

I haven't experimented with these at all, but wanted to track and note them for future use.

Barracuda Site Security Scanner | Barracuda Campus

• Downloadable EXE, does not appear to be available for Linux or macOS

Vulnerability Scanning Tools | OWASP Foundation

• Huge list of tools but haven't investigated/verified any of them, unless noted below
  • Arachni
    • Seems to still be available, but is getting sunset
    • GitHub - Arachni/arachni: Web Application Security Scanner Framework
    • Replaced with Codename SCNR, now a free trial instead of free
  • Astra Pentest
    • Not free at all
  • HostedScan
    • Basically a free trial for 3 sites, no re-scans
  • IOTHREAT
    • Not advertised on their main page, but linked here Scanner | IOTHREAT
    • Semi-free, with the option to purchase the full report for $20
  • SecOps Solutions
    • Pricing | SecOps® Solution
    • Offers free plan, but seems pretty inexpensive at $2/asset/month
  • Security for Everyone
    • Name of company is a misnomer
    • Security For Everyone who can Afford $150/month
      • Starting at 1 asset, and increasing in cost with reduced rates per asset for more assets
  • Webcookies(dot)org
    • Dead
  • ZAP
    • Mentioned above, FOSS and highly customizable
    • Veeery interesting