{"id":28396426,"url":"https://github.com/d3lb3/security-code-review","last_synced_at":"2026-02-13T08:04:20.099Z","repository":{"id":170174077,"uuid":"366005717","full_name":"d3lb3/security-code-review","owner":"d3lb3","description":"My personal collection of resources (mostly tools and training materials) for source code security audits.","archived":false,"fork":false,"pushed_at":"2024-08-20T04:05:26.000Z","size":75,"stargazers_count":84,"open_issues_count":1,"forks_count":10,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-11T23:05:39.033Z","etag":null,"topics":["checklists","code-review","owasp","security"],"latest_commit_sha":null,"homepage":"","language":"Modula-3","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/d3lb3.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"Security_Code_Review_Helper.xlsx","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-05-10T10:35:07.000Z","updated_at":"2025-06-10T07:20:23.000Z","dependencies_parsed_at":null,"dependency_job_id":"74a18bb1-db25-441c-8458-1815acbb4010","html_url":"https://github.com/d3lb3/security-code-review","commit_stats":null,"previous_names":["d3lb3/security-code-review"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/d3lb3/security-code-review","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3lb3%2Fsecurity-code-review","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3lb3%2Fsecurity-code-review/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3lb3%2Fsecurity-code-review/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3lb3%2Fsecurity-code-review/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/d3lb3","download_url":"https://codeload.github.com/d3lb3/security-code-review/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3lb3%2Fsecurity-code-review/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276439797,"owners_count":25642752,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-22T02:00:08.972Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["checklists","code-review","owasp","security"],"created_at":"2025-05-31T21:38:28.682Z","updated_at":"2025-09-22T17:05:58.002Z","avatar_url":"https://github.com/d3lb3.png","language":"Modula-3","readme":"# Security Code Review Resources\n\nMy personal collection of resources (mostly tools and training materials) for source code security audits. Updated gradually as I discover interesting material on the subject.\n\n* [**Training Materials**](#training-materials)\n  * [Learning Resources](#learning-resources)\n  * [Learning Platforms](#learning-platforms)\n  * [Vulnerable Apps](#vulnerable-apps)\n* [**Tools**](#tools)\n  * [Static Application Security Testing (SAST) Tools](#static-application-security-testing-sast-tools)\n  * [Grep-based Tools](#grep-based-tools)\n  * [Frameworks](#frameworks)\n* [**Lists**](#lists)\n  * [Vulnerability Checklists](#vulnerability-checklists)\n  * [Interesting Keywords \u0026 Regex](#interesting-keywords--regex)\n\n## Training Materials\n\n### Learning Resources\n\n- [[Blog Post] Secure Code Review (MITRE's System Engineering Guide)](https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/secure-code-review) : good introduction with definitions.\n- [[Conference] OWASP Appsec Day - The Absolute AppSec Secure Code Review Framework](https://www.youtube.com/watch?v=Kepd1HsoE8o) : strong focus on methodology.\n- [[Conference] Source code security audit speed run by Eldar Marcussen](https://www.youtube.com/watch?v=hpYjjj1UAXs) : methodology and tooling.\n- [[Guide] OWASP Code Review Guide (currently v2)](https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf) : (almost) exhaustive guide on secure code review.\n\n### Learning Platforms\n\n- [OWASP's Secure Coding Dojo Example](https://owasp.org/SecureCodingDojo/codereview101)\n- [Secure Code Warrior](https://www.securecodewarrior.com/products/training-ground) (paid service with free trial)\n\n### Vulnerable Apps\n\n- [Vulnerable Task Manager (vtm)](https://github.com/redpointsec/vtm) : vulnerable task manager in Python/Django, solutions not available.\n- [OWASP WebGoat](https://github.com/WebGoat/WebGoat) : vulnerable web application with Java backend, solutions available.\n- [Damn Vulnerable iOS App 1](https://github.com/prateek147/DVIA) : vulnerable iOS app written in Objective-C, solutions available.\n- [Damn Vulnerable iOS App 2](https://github.com/prateek147/DVIA-v2) : vulnerable iOS app written in Swift, solutions available.\n\n## Tools\n\n### Static Application Security Testing (SAST) Tools\n\n- [OWASP's Source Code Analysis Tools](https://owasp.org/www-community/Source_Code_Analysis_Tools)\n- [A curated list of static analysis tools and config files (GitHub)](https://github.com/analysis-tools-dev/static-analysis)\n- [Static Application Security Testing Suites used in GitLab's CI/CD](https://docs.gitlab.com/ee/user/application_security/sast/)\n- [grepmarx - A source code static analysis platform for AppSec enthusiasts](https://github.com/Orange-Cyberdefense/grepmarx)\n- [Joern - Generate queriable code property graphs](https://joern.io/)\n- [Sourcetrail - open-source interactive source explorer](https://github.com/OpenSourceSourceTrail/Sourcetrail)\n\n### Grep-based Tools\n\n- [megagrep](https://github.com/claire-lex/megagrep) : finds interesting parts of the code to check manually, based on keywords. Comes with additional features such as per-file statistics or developer comment search.\n- [graudit](https://github.com/wireghoul/graudit) : finds very specific vulnerabilities based on regular expressions; many false negatives, but can be extended with your own regexes.\n- [crass](https://github.com/floyd-fuh/crass) : source code grepper with a set of selected high-potential strings that may point to (security) problems.\n- [drek](https://github.com/chrisallenlane/drek) : source code grepper with nice HTML and PDF reports.\n- [DumpsterDiver](https://github.com/securing/DumpsterDiver) : searches for secrets based on entropy.\n- [Code-Crawler](https://github.com/vmnguyen/Code-Crawler) : automatic tool for crawling code to find low-hanging fruit.\n\n### Frameworks\n\n- [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) : all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.\n\n## Lists\n\n### Vulnerability Checklists\n\n- [Michaela Greiler's checklist](https://github.com/mgreiler/secure-code-review-checklist)\n- [Aggregated checklist from various sources](https://github.com/softwaresecured/secure-code-review-checklist)\n- [OWASP's Code Review Checklist](https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf#page=197)\n- [My own custom list based on the above resources](https://github.com/JulienBedel/security-code-review/blob/main/Security_Code_Review_Helper.xlsx)\n\n### Interesting Keywords \u0026 Regex\n\n- [OWASP's Code Review Keywords List](https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf#page=207)\n- [Collection of Regex in various languages](https://github.com/va1da5/manual-source-code-review)\n- [My own Keywords List](https://github.com/JulienBedel/security-code-review/tree/main/keywords)\n\n","funding_links":[],"categories":["Modula-3"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3lb3%2Fsecurity-code-review","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fd3lb3%2Fsecurity-code-review","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3lb3%2Fsecurity-code-review/lists"}