In the past, I’ve used Nessus for vulnerability scanning my lab, but as my service count has grown, the 16 IP limit is becoming a little unwieldy.

Is anyone able to recommend an alternative that fits at least most of the requirements I have?

  • Free (preferably in both senses of the word)

  • Doesn’t use Docker; even if containerized, I’d prefer to avoid having my scanner share a host with another service… and I’m not incredibly well versed with Docker

  • Scans multiple systems (I tried Trivy, but as far as I can tell it only scans the system you install it on)

  • Has a web UI for management of scans

Alternatively, if anyone is willing to lend some advice for the configuration of Wazuh… I deployed the service months ago with the expectation that it could be used for vulnerability scanning (the dev was in a few Reddit threads suggesting that it had the capability), but I haven’t been able to configure it properly.

I appreciate any advice people are willing to offer!

Edit: fixed formatting

  • CameronDev@programming.dev
    2 months ago

    OSSIM is a pain to install, but does tick all your boxes. But I think it’s basically abandoned by AT&T to force people on to Alienvault.

    It installs to a VM, but has some very weird hard-coded quirks, like expecting the network cards to be ethX, and the hard disks to be /dev/sdX. I can’t remember exactly how I got it installed, but I can dig out the libvirt config if it helps.

  • h0bbl3s@lemmy.world
    2 months ago

    I know you said preferably no Docker, but Greenbone Community Edition is nice. It’s a fork from Nessus back in the day. They don’t really put any restrictions on the community version. If you want to see it in action I have a test server up and running.

  • bl_r@lemmy.dbzer0.com
    2 months ago

    I’ve heard Wazuh can do authenticated vuln scanning, but since I’ve scaled down my homelab and hardened it to a point that vuln scanning is not currently needed, I’ve had no need to do so. I have a friend deploying Wazuh at his job, so I’m gonna have to reach out to him some time to learn how he is doing it once I start growing my lab again.

    I use nuclei for networked vuln scanning, which is all I really need right now. Works well with community rules, but it is a CLI application. I really like how I don’t need to deploy it on a dedicated device; I just run it using all rules on the subnets that I want to scan from my laptop, which I have plugged into a vuln-scanning network with open fw rules, and check back in half an hour. Once I get a few more Raspberry Pis, I’ll have one on such a network that I can just run a scan from.