We'd recommend the open source DAST tool OWASP ZAP. The scan frequency can be set to monthly, quarterly, or annually. As a best practice, we'd recommend setting this scan to occur as often as possible. Additional free DAST tools can be found here.
For an open source SAST tool, we'd recommend SonarCloud. Additional SAST tools can be found here.