{"id":102540,"url":"https://github.com/tysoncung/awesome-devsecops","name":"awesome-devsecops","description":"🔐 A curated list of awesome DevSecOps tools, practices, and resources for securing the software development lifecycle","projects_count":146,"last_synced_at":"2026-06-18T13:00:23.546Z","repository":{"id":321134292,"uuid":"1084624440","full_name":"tysoncung/awesome-devsecops","owner":"tysoncung","description":"🔐 A curated list of awesome DevSecOps tools, practices, and resources for securing the software development lifecycle","archived":false,"fork":false,"pushed_at":"2025-10-27T23:57:57.000Z","size":14,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-01T21:04:01.815Z","etag":null,"topics":["awesome","awesome-list","container-security","cybersecurity","dast","devops","devsecops","infrastructure-security","kubernetes-security","sast","secrets-management","security"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tysoncung.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-27T23:52:33.000Z","updated_at":"2026-04-27T16:19:39.000Z","dependencies_parsed_at":"2025-10-28T01:25:20.474Z","dependency_job_id":"9e3f93d9-605d-424b-bac6-c4610e668eec","html_url":"https://github.com/tysoncung/awesome-devsecops","commit_stats":null,"previous_names":["tysoncung/awesome-
devsecops"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/tysoncung/awesome-devsecops","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tysoncung%2Fawesome-devsecops","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tysoncung%2Fawesome-devsecops/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tysoncung%2Fawesome-devsecops/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tysoncung%2Fawesome-devsecops/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tysoncung","download_url":"https://codeload.github.com/tysoncung/awesome-devsecops/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tysoncung%2Fawesome-devsecops/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34491239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-18T02:00:06.871Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"created_at":"2026-01-02T00:00:37.869Z","updated_at":"2026-06-18T13:00:23.546Z","primary_language":null,"list_of_lists":false,"displayable":true,"categories":["Related Lists","Platforms \u0026 Solutions","Infrastructure Security","Container \u0026 Kubernetes Security","Cloud Security","License","Open Source 
Security","Security Testing","Security Monitoring \u0026 Incident Response","Learning \u0026 Getting Started","Code Security","Community \u0026 Resources","Vulnerability Management","Secrets Management","Compliance \u0026 Policy","Threat Modeling","Security Automation","Security Champions Programs","CI/CD Security"],"sub_categories":["Conferences","GCP Security","Network Security","Kubernetes Security Tools","AWS Security","Dynamic Application Security Testing (DAST)","Frameworks \u0026 Standards","Static Application Security Testing (SAST)","Software Composition Analysis (SCA)","Podcasts","Blogs \u0026 News","API Security Testing","Runtime Security","Cloud Security Posture Management","Communities","Books \u0026 Guides","Fuzzing","Infrastructure as Code (IaC) Security","Container Scanning","Secrets Detection","Training \u0026 Certification","Azure Security"],"readme":"# Awesome DevSecOps [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n\n\u003e A curated list of awesome DevSecOps tools, practices, and resources for integrating security into the software development lifecycle\n\nDevSecOps is the philosophy of integrating security practices within the DevOps process. 
This list covers tools, frameworks, and best practices for building security into every stage of the software development lifecycle.\n\n## Contents\n\n- [Learning \u0026 Getting Started](#learning--getting-started)\n  - [Books \u0026 Guides](#books--guides)\n  - [Training \u0026 Certification](#training--certification)\n  - [Frameworks \u0026 Standards](#frameworks--standards)\n- [Code Security](#code-security)\n  - [Static Application Security Testing (SAST)](#static-application-security-testing-sast)\n  - [Software Composition Analysis (SCA)](#software-composition-analysis-sca)\n  - [Secrets Detection](#secrets-detection)\n- [Security Testing](#security-testing)\n  - [Dynamic Application Security Testing (DAST)](#dynamic-application-security-testing-dast)\n  - [API Security Testing](#api-security-testing)\n  - [Fuzzing](#fuzzing)\n- [Container \u0026 Kubernetes Security](#container--kubernetes-security)\n  - [Container Scanning](#container-scanning)\n  - [Kubernetes Security Tools](#kubernetes-security-tools)\n  - [Runtime Security](#runtime-security)\n- [Infrastructure Security](#infrastructure-security)\n  - [Infrastructure as Code (IaC) Security](#infrastructure-as-code-iac-security)\n  - [Cloud Security Posture Management](#cloud-security-posture-management)\n  - [Network Security](#network-security)\n- [Secrets Management](#secrets-management)\n- [CI/CD Security](#cicd-security)\n- [Security Monitoring \u0026 Incident Response](#security-monitoring--incident-response)\n- [Compliance \u0026 Policy](#compliance--policy)\n- [Security Automation](#security-automation)\n- [Threat Modeling](#threat-modeling)\n- [Vulnerability Management](#vulnerability-management)\n- [Security Champions Programs](#security-champions-programs)\n- [Open Source Security](#open-source-security)\n- [Cloud Security](#cloud-security)\n- [Platforms \u0026 Solutions](#platforms--solutions)\n- [Community \u0026 Resources](#community--resources)\n- [Related Lists](#related-lists)\n- 
[Contributing](#contributing)\n\n## Learning \u0026 Getting Started\n\n### Books \u0026 Guides\n\n- [DevSecOps Handbook](https://www.devsecops.org/) - Comprehensive guide to DevSecOps\n- [The Phoenix Project](https://itrevolution.com/the-phoenix-project/) - Novel about IT, DevOps, and helping your business win\n- [Accelerate](https://itrevolution.com/accelerate-book/) - Building and scaling high-performing technology organizations\n- [OWASP DevSecOps Guideline](https://owasp.org/www-project-devsecops-guideline/) - Official OWASP guide\n- [Alice and Bob Learn Application Security](https://www.wiley.com/en-us/Alice+and+Bob+Learn+Application+Security-p-9781119687405) - Beginner-friendly security book\n\n### Training \u0026 Certification\n\n- [Certified DevSecOps Professional (CDP)](https://www.practical-devsecops.com/certified-devsecops-professional/) - Professional certification\n- [SANS DevSecOps Courses](https://www.sans.org/cyber-security-courses/?focus-area=application-security\u0026training-format=) - Professional training\n- [Linux Foundation DevSecOps](https://training.linuxfoundation.org/training/secure-software-development-fundamentals/) - Secure development fundamentals\n- [Cloud Security Alliance CCSK](https://cloudsecurityalliance.org/education/ccsk/) - Cloud security certification\n- [ISC2 CSSLP](https://www.isc2.org/Certifications/CSSLP) - Certified Secure Software Lifecycle Professional\n\n### Frameworks \u0026 Standards\n\n- [NIST Secure Software Development Framework (SSDF)](https://csrc.nist.gov/publications/detail/sp/800-218/final) - Secure SDLC framework\n- [OWASP Top 10](https://owasp.org/www-project-top-ten/) - Top web application security risks\n- [OWASP SAMM](https://owaspsamm.org/) - Software Assurance Maturity Model\n- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) - Security configuration benchmarks\n- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) - Framework for improving critical infrastructure 
cybersecurity\n- [ISO 27001](https://www.iso.org/isoiec-27001-information-security.html) - Information security management\n\n## Code Security\n\n### Static Application Security Testing (SAST)\n\n**Commercial:**\n\n- [Snyk Code](https://snyk.io/product/snyk-code/) - Developer-first SAST\n  - Real-time scanning in IDE\n  - AI-powered fix suggestions\n  - Low false positives\n  - Multiple language support\n\n- [SonarQube](https://www.sonarqube.org/) - Code quality and security\n  - Supports 29+ languages\n  - Quality gates\n  - Security hotspots\n  - CI/CD integration\n\n- [Checkmarx](https://checkmarx.com/) - Enterprise SAST\n  - Comprehensive coverage\n  - IDE plugins\n  - Remediation guidance\n\n- [Veracode](https://www.veracode.com/) - Application security platform\n  - Static analysis\n  - Dynamic analysis\n  - SCA and penetration testing\n\n**Open Source:**\n\n- [Semgrep](https://semgrep.dev/) - Fast, customizable static analysis\n  - Open source core\n  - Custom rule creation\n  - CI/CD friendly\n  - 30+ languages\n\n- [Bandit](https://github.com/PyCQA/bandit) - Python security linter\n  - Finds common security issues\n  - Configurable\n  - CI integration\n\n- [Brakeman](https://brakemanscanner.org/) - Ruby on Rails security scanner\n  - Static analysis for Rails\n  - Fast scanning\n  - Low false positives\n\n- [SpotBugs](https://spotbugs.github.io/) - Java static analysis\n  - Find bugs in Java code\n  - Security plugin available\n  - Maven/Gradle integration\n\n### Software Composition Analysis (SCA)\n\n- [Snyk Open Source](https://snyk.io/product/open-source-security-management/) - Dependency scanning\n  - Automated fix PRs\n  - License compliance\n  - Real-time monitoring\n\n- [Dependabot](https://github.com/dependabot) - GitHub's dependency updater\n  - Automated security updates\n  - Free for public repos\n  - Multi-ecosystem support\n\n- [OWASP Dependency-Check](https://owasp.org/www-project-dependency-check/) - SCA tool\n  - Free and open source\n  - 
Identifies known vulnerabilities\n  - Multiple language support\n\n- [WhiteSource (Mend)](https://www.mend.io/) - Open source security\n  - License compliance\n  - Vulnerability detection\n  - Policy enforcement\n\n- [Trivy](https://github.com/aquasecurity/trivy) - Comprehensive scanner\n  - Vulnerabilities in dependencies\n  - Container images\n  - IaC misconfigurations\n\n### Secrets Detection\n\n- [GitGuardian](https://www.gitguardian.com/) - Secrets detection\n  - Real-time scanning\n  - GitHub/GitLab integration\n  - Secret remediation\n\n- [TruffleHog](https://github.com/trufflesecurity/trufflehog) - Find secrets in git repos\n  - High entropy string detection\n  - Git history scanning\n  - Pre-commit hooks\n\n- [Gitleaks](https://github.com/gitleaks/gitleaks) - SAST for secrets\n  - Fast scanning\n  - Custom rules\n  - CI/CD integration\n\n- [detect-secrets](https://github.com/Yelp/detect-secrets) - Prevent secrets in code\n  - Baseline secrets\n  - Pre-commit hooks\n  - Low false positives\n\n## Security Testing\n\n### Dynamic Application Security Testing (DAST)\n\n- [OWASP ZAP](https://www.zaproxy.org/) - Web app security scanner\n  - Free and open source\n  - Automated scanning\n  - Manual testing tools\n  - CI/CD integration\n\n- [Burp Suite](https://portswigger.net/burp) - Web security testing\n  - Industry standard\n  - Manual and automated testing\n  - Extensible with plugins\n  - Free community edition\n\n- [Nuclei](https://github.com/projectdiscovery/nuclei) - Vulnerability scanner\n  - Template-based scanning\n  - Fast and customizable\n  - CI/CD friendly\n  - 3000+ templates\n\n- [Acunetix](https://www.acunetix.com/) - Web vulnerability scanner\n  - Comprehensive scanning\n  - Low false positives\n  - Issue management\n\n### API Security Testing\n\n- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) - API security risks\n- [Postman](https://www.postman.com/api-platform/api-security/) - API testing with security features\n- 
[RestAssured](https://rest-assured.io/) - REST API testing\n- [SoapUI](https://www.soapui.org/) - API testing tool\n- [Burp Suite](https://portswigger.net/burp/documentation/desktop/testing-workflow/working-with-apis) - API security testing\n\n### Fuzzing\n\n- [AFL++](https://github.com/AFLplusplus/AFLplusplus) - American Fuzzy Lop\n  - Coverage-guided fuzzing\n  - Fast and effective\n  - Multiple platforms\n\n- [LibFuzzer](https://llvm.org/docs/LibFuzzer.html) - In-process fuzzing\n  - Part of LLVM\n  - Coverage-guided\n  - Easy integration\n\n- [OSS-Fuzz](https://google.github.io/oss-fuzz/) - Continuous fuzzing for OSS\n  - Google's fuzzing service\n  - Free for open source\n  - Automated bug reporting\n\n## Container \u0026 Kubernetes Security\n\n### Container Scanning\n\n- [Trivy](https://github.com/aquasecurity/trivy) - Comprehensive scanner\n  - OS packages\n  - Application dependencies\n  - IaC misconfigurations\n  - Fast and accurate\n\n- [Clair](https://github.com/quay/clair) - Container vulnerability scanner\n  - Static analysis\n  - Continuous monitoring\n  - API-driven\n\n- [Anchore Grype](https://github.com/anchore/grype) - Vulnerability scanner\n  - Fast scanning\n  - Multiple distros\n  - SBOM support\n\n- [Docker Scout](https://docs.docker.com/scout/) - Docker's security tool\n  - Image analysis\n  - Remediation advice\n  - Policy evaluation\n\n- [Snyk Container](https://snyk.io/product/container-vulnerability-management/) - Container security\n  - Base image recommendations\n  - Kubernetes integration\n  - Fix guidance\n\n### Kubernetes Security Tools\n\n- [Falco](https://falco.org/) - Cloud-native runtime security\n  - Runtime threat detection\n  - CNCF project\n  - Custom rules\n  - eBPF-based\n\n- [Kube-bench](https://github.com/aquasecurity/kube-bench) - CIS benchmark checker\n  - Checks K8s security\n  - Based on CIS standards\n  - Easy to run\n\n- [Kube-hunter](https://github.com/aquasecurity/kube-hunter) - Kubernetes penetration testing\n  - 
Hunt for security weaknesses\n  - Active and passive modes\n  - Reports findings\n\n- [Kubescape](https://github.com/kubescape/kubescape) - K8s security platform\n  - Risk analysis\n  - Compliance scanning\n  - RBAC visualizer\n  - CNCF project\n\n- [Polaris](https://github.com/FairwindsOps/polaris) - Kubernetes best practices\n  - Configuration validation\n  - Admission controller\n  - Dashboard\n\n### Runtime Security\n\n- [Falco](https://falco.org/) - Runtime security\n- [Sysdig Secure](https://sysdig.com/products/secure/) - Container and Kubernetes security\n- [Aqua Security](https://www.aquasec.com/) - Full lifecycle container security\n- [Tracee](https://github.com/aquasecurity/tracee) - Runtime security and forensics\n\n## Infrastructure Security\n\n### Infrastructure as Code (IaC) Security\n\n- [Checkov](https://www.checkov.io/) - IaC static analysis\n  - Terraform, CloudFormation, K8s\n  - 1000+ policies\n  - CI/CD integration\n  - Open source\n\n- [Terrascan](https://github.com/tenable/terrascan) - IaC security scanner\n  - 500+ policies\n  - Multiple IaC tools\n  - Pre-commit hooks\n\n- [tfsec](https://github.com/aquasecurity/tfsec) - Terraform security scanner\n  - Fast scanning\n  - Custom checks\n  - CI/CD friendly\n\n- [KICS](https://github.com/Checkmarx/kics) - IaC security scanner\n  - Keeps Infrastructure as Code Secure\n  - Multiple platforms\n  - Custom queries\n\n- [Snyk IaC](https://snyk.io/product/infrastructure-as-code-security/) - IaC security\n  - Fix guidance\n  - Multiple frameworks\n  - Developer-friendly\n\n### Cloud Security Posture Management\n\n- [Prowler](https://github.com/prowler-cloud/prowler) - AWS/Azure/GCP security tool\n  - CIS benchmarks\n  - 350+ checks\n  - Open source\n\n- [CloudSploit](https://github.com/aquasecurity/cloudsploit) - Cloud security scanner\n  - AWS, Azure, GCP, Oracle\n  - 600+ plugins\n  - Free and open source\n\n- [ScoutSuite](https://github.com/nccgroup/ScoutSuite) - Multi-cloud security auditing\n  - 
AWS, Azure, GCP, Alibaba, Oracle\n  - HTML reports\n  - Open source\n\n- [CloudCustodian](https://cloudcustodian.io/) - Cloud governance\n  - Policy as code\n  - Multi-cloud\n  - Automated remediation\n\n### Network Security\n\n- [Cilium](https://cilium.io/) - eBPF-based networking and security\n- [Calico](https://www.tigera.io/project-calico/) - Container networking and security\n- [Istio](https://istio.io/) - Service mesh with security features\n- [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) - Policy engine\n\n## Secrets Management\n\n- [HashiCorp Vault](https://www.vaultproject.io/) - Secrets management\n  - Dynamic secrets\n  - Encryption as a service\n  - PKI and TLS certificates\n  - Multi-cloud support\n\n- [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) - AWS secrets service\n  - Automatic rotation\n  - Fine-grained permissions\n  - Integration with AWS services\n\n- [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault) - Azure secrets management\n  - Keys, secrets, certificates\n  - HSM support\n  - Managed identities\n\n- [Google Secret Manager](https://cloud.google.com/secret-manager) - GCP secrets service\n  - Encrypted storage\n  - Versioning\n  - IAM integration\n\n- [Doppler](https://www.doppler.com/) - Secrets management platform\n  - Developer-friendly\n  - Multi-environment\n  - Integrations\n\n- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) - Kubernetes secrets\n  - Encrypted K8s secrets\n  - GitOps-friendly\n  - Open source\n\n## CI/CD Security\n\n- [GitHub Advanced Security](https://github.com/features/security) - GitHub security features\n  - Code scanning\n  - Secret scanning\n  - Dependency review\n\n- [GitLab Security](https://about.gitlab.com/solutions/dev-sec-ops/) - Built-in security scanning\n  - SAST, DAST, SCA\n  - Container scanning\n  - License compliance\n\n- [Jenkins Security Plugins](https://plugins.jenkins.io/security/) - Security plugins\n- [CircleCI 
Security](https://circleci.com/docs/security-overview/) - CI/CD security\n- [Azure DevOps Security](https://learn.microsoft.com/en-us/azure/devops/organizations/security/) - ADO security\n\n**Best Practices:**\n- Principle of least privilege\n- Secure credential storage\n- Pipeline security scanning\n- Audit logging\n- Infrastructure as Code\n- Immutable pipelines\n\n## Security Monitoring \u0026 Incident Response\n\n- [Wazuh](https://wazuh.com/) - Security monitoring platform\n  - Log analysis\n  - Intrusion detection\n  - Compliance monitoring\n  - Open source\n\n- [OSSEC](https://www.ossec.net/) - Host-based intrusion detection\n  - Log analysis\n  - File integrity checking\n  - Rootkit detection\n\n- [Elastic Security](https://www.elastic.co/security) - SIEM solution\n  - Threat detection\n  - Investigation\n  - Response\n\n- [TheHive](https://thehive-project.org/) - Security incident response platform\n  - Case management\n  - Observable enrichment\n  - Task automation\n\n- [Cortex](https://github.com/TheHive-Project/Cortex) - Observable analysis engine\n  - Automated analysis\n  - Threat intelligence\n  - Integration with TheHive\n\n## Compliance \u0026 Policy\n\n- [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) - Policy engine\n  - Policy as code\n  - Unified framework\n  - Cloud-native\n\n- [Gatekeeper](https://github.com/open-policy-agent/gatekeeper) - OPA for Kubernetes\n  - Admission controller\n  - Policy enforcement\n  - Custom policies\n\n- [Kyverno](https://kyverno.io/) - Kubernetes-native policy management\n  - No new language\n  - Validation, mutation, generation\n  - Easy to use\n\n- [Allstar](https://github.com/ossf/allstar) - GitHub security policy enforcement\n  - Automated enforcement\n  - Configurable policies\n  - Organization-wide\n\n## Security Automation\n\n- [Security Automation Platform (SOAR)](https://www.gartner.com/en/information-technology/glossary/security-orchestration-automation-response-soar) - Automation 
frameworks\n- [Ansible Security Automation](https://www.ansible.com/use-cases/security-automation) - Security playbooks\n- [DefectDojo](https://github.com/DefectDojo/django-DefectDojo) - Security orchestration\n  - Vulnerability management\n  - Tool integration\n  - Workflow automation\n\n## Threat Modeling\n\n- [OWASP Threat Dragon](https://owasp.org/www-project-threat-dragon/) - Threat modeling tool\n  - Free and open source\n  - Desktop and web\n  - Diagrams and reports\n\n- [Microsoft Threat Modeling Tool](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling) - Microsoft's tool\n  - STRIDE methodology\n  - Windows application\n  - Template-based\n\n- [IriusRisk](https://www.iriusrisk.com/) - Threat modeling platform\n  - Automated threat modeling\n  - Integration with tools\n  - Collaboration features\n\n- [Threatspec](https://threatspec.org/) - Threat modeling as code\n  - Code-centric\n  - Version controlled\n  - Developer-friendly\n\n## Vulnerability Management\n\n- [DefectDojo](https://github.com/DefectDojo/django-DefectDojo) - Vulnerability management\n- [Faraday](https://github.com/infobyte/faraday) - Collaborative penetration test platform\n- [ArcherySec](https://github.com/archerysec/archerysec) - Vulnerability assessment and management\n- [OpenVAS](https://www.openvas.org/) - Vulnerability scanner\n\n## Security Champions Programs\n\n- [OWASP Security Champions Guide](https://owasp.org/www-project-security-champions-guidebook/) - Building security champions\n- [Security Champions Playbook](https://github.com/c0rdis/security-champions-playbook) - Open source playbook\n\n## Open Source Security\n\n- [OpenSSF](https://openssf.org/) - Open Source Security Foundation\n  - Best practices\n  - Scorecards\n  - Security tooling\n\n- [OpenSSF Scorecard](https://github.com/ossf/scorecard) - Security health metrics\n  - Automated checks\n  - Risk assessment\n  - Open source projects\n\n- [SBOM Tools](https://github.com/microsoft/sbom-tool) - 
Software Bill of Materials\n  - Dependency tracking\n  - Supply chain security\n  - Compliance\n\n- [Sigstore](https://www.sigstore.dev/) - Software signing\n  - Keyless signing\n  - Transparency log\n  - Open source\n\n## Cloud Security\n\n### AWS Security\n\n- [AWS Security Hub](https://aws.amazon.com/security-hub/) - Centralized security\n- [AWS GuardDuty](https://aws.amazon.com/guardduty/) - Threat detection\n- [AWS Inspector](https://aws.amazon.com/inspector/) - Vulnerability management\n- [CloudTrail](https://aws.amazon.com/cloudtrail/) - Audit logging\n\n### Azure Security\n\n- [Microsoft Defender for Cloud](https://azure.microsoft.com/en-us/products/defender-for-cloud/) - Cloud security posture\n- [Azure Sentinel](https://azure.microsoft.com/en-us/products/microsoft-sentinel/) - SIEM and SOAR\n- [Azure Policy](https://azure.microsoft.com/en-us/products/azure-policy/) - Governance\n\n### GCP Security\n\n- [Security Command Center](https://cloud.google.com/security-command-center) - Security management\n- [Cloud Security Scanner](https://cloud.google.com/security-scanner) - Web vulnerability scanner\n- [Binary Authorization](https://cloud.google.com/binary-authorization) - Deploy-time security\n\n## Platforms \u0026 Solutions\n\n- [Snyk](https://snyk.io/) - Developer security platform\n- [Aqua Security](https://www.aquasec.com/) - Cloud-native security\n- [Sysdig](https://sysdig.com/) - Cloud and container security\n- [Palo Alto Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud) - CNAPP platform\n- [Lacework](https://www.lacework.com/) - Cloud security platform\n\n## Community \u0026 Resources\n\n### Blogs \u0026 News\n\n- [OWASP Blog](https://owasp.org/blog/) - Security news\n- [The DevSecOps Blog](https://www.devsecops.org/blog) - DevSecOps insights\n- [Snyk Blog](https://snyk.io/blog/) - Developer security\n- [Aqua Security Blog](https://blog.aquasec.com/) - Cloud-native security\n\n### Podcasts\n\n- [Absolute AppSec](https://absoluteappsec.com/) 
- Application security\n- [Application Security Weekly](https://securityweekly.com/category-shows/application-security-weekly/) - AppSec news\n- [Darknet Diaries](https://darknetdiaries.com/) - True security stories\n\n### Communities\n\n- [DevSecOps Slack](https://devsecops.org/) - Community chat\n- [OWASP Slack](https://owasp.org/slack/invite) - OWASP community\n- [r/netsec](https://www.reddit.com/r/netsec/) - Network security\n- [r/devops](https://www.reddit.com/r/devops/) - DevOps community\n\n### Conferences\n\n- [DevSecCon](https://www.devseccon.com/) - DevSecOps conference\n- [RSA Conference](https://www.rsaconference.com/) - Security conference\n- [Black Hat](https://www.blackhat.com/) - InfoSec event\n- [OWASP Global AppSec](https://owasp.org/events/) - Application security\n\n## Related Lists\n\n- [awesome-security](https://github.com/sbilly/awesome-security) - Security resources\n- [awesome-application-security](https://github.com/paragonie/awesome-appsec) - Application security\n- [awesome-kubernetes-security](https://github.com/magnologan/awesome-k8s-security) - Kubernetes security\n- [awesome-cloud-security](https://github.com/Funkmyster/awesome-cloud-security) - Cloud security\n- [awesome-threat-intelligence](https://github.com/hslatman/awesome-threat-intelligence) - Threat intelligence\n\n## Contributing\n\nContributions welcome! 
Please read the [contribution guidelines](CONTRIBUTING.md) first.\n\n**What to contribute:**\n- DevSecOps tools and platforms\n- Security best practices\n- Training resources\n- Case studies and examples\n- Automation scripts and templates\n\n## License\n\n[![CC0](https://licensebuttons.net/p/zero/1.0/88x31.png)](https://creativecommons.org/publicdomain/zero/1.0/)\n\nTo the extent possible under law, [Tyson Cung](https://github.com/tysoncung) has waived all copyright and related or neighboring rights to this work.\n","projects_url":"https://awesome.ecosyste.ms/api/v1/lists/tysoncung%2Fawesome-devsecops/projects"}