for application scanning you won't be that good with using nessus or nikto, eventhough they can help you as a start.
it's like doing app pentests, where you have either the choice of doing some kind of black box testing, with automated support (e.g. with acunetix or similar, acunetix for at least detecting xss and crawling is free, you could combine this with other free tools like burp that can help to find more, when letting acunetix crawl through the page) and manual test versus (manual / automated) code review. for php software you could try "rips". I did not use it yet, but the description sounded pretty interesting. Sqlmap for e.g. is interesting for checking sql injections... you will find more tools when googling around for the above, owasp or webappsec (and their mailinglist archives) are a good ressourcepool as well.