{"id":47816838,"url":"https://github.com/rezmoss/awesome-security-pipeline","last_synced_at":"2026-04-03T18:44:51.784Z","repository":{"id":335314377,"uuid":"1145180875","full_name":"rezmoss/awesome-security-pipeline","owner":"rezmoss","description":"🔐 A curated list of open-source security tools organized by CI/CD pipeline stage. Covers secrets detection, SBOM, SAST, SCA, IaC security, container scanning, Kubernetes security \u0026 more. Actively maintained with weekly status updates","archived":false,"fork":false,"pushed_at":"2026-03-22T02:33:07.000Z","size":75,"stargazers_count":8,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-22T17:48:37.376Z","etag":null,"topics":["appsec","awesome","awesome-list","checkov","cicd","container-security","devops","devsecops","gitleaks","kubernetes-security","sast","sbom","security","security-tools","supply-chain-security","trivy","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rezmoss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-29T14:25:42.000Z","updated_at":"2026-03-22T02:33:10.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/rezmoss/awesome-security-pipeline","commit_stats":null,"previous_names":["rezmoss/awesome-security-pipeline"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/rezmoss/awesome-security-pipeline","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rezmoss%2Fawesome-security-pipeline","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rezmoss%2Fawesome-security-pipeline/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rezmoss%2Fawesome-security-pipeline/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rezmoss%2Fawesome-security-pipeline/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rezmoss","download_url":"https://codeload.github.com/rezmoss/awesome-security-pipeline/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rezmoss%2Fawesome-security-pipeline/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31370203,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-03T17:53:18.093Z","status":"ssl_error","status_checked_at":"2026-04-03T17:53:17.617Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","awesome","awesome-list","checkov","cicd","container-security","devops","devsecops","gitleaks","kubernetes-security","sast","sbom","security","security-tools","supply-chain-security","trivy","vulnerability-scanner"],"created_at":"2026-04-03T18:44:49.452Z","updated_at":"2026-04-03T18:44:51.765Z","avatar_url":"https://github.com/rezmoss.png","language":null,"funding_links":[],"categories":["Other Lists"],"sub_categories":["TeX Lists"],"readme":"# Awesome Security Pipeline\n\n[![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n[![License: CC0-1.0](https://img.shields.io/badge/License-CC0_1.0-lightgrey.svg)](http://creativecommons.org/publicdomain/zero/1.0/)\n\n\u003e A curated list of open-source security tools organized by CI/CD pipeline stage.\n\nSecurity shouldn't be an afterthought. This list organizes battle-tested security tools by where they fit in your pipeline, making it easy to build defense-in-depth from commit to production.\n\n## Contents\n\n- [Pre-commit \u0026 Secrets Detection](#pre-commit--secrets-detection)\n- [SBOM Generation](#sbom-generation)\n- [Artifact Signing \u0026 Verification](#artifact-signing--verification)\n- [Supply Chain Compliance](#supply-chain-compliance)\n- [Software Composition Analysis (SCA)](#software-composition-analysis-sca)\n- [Static Application Security Testing (SAST)](#static-application-security-testing-sast)\n  - [Multi-language](#multi-language)\n  - [Language Specific](#language-specific)\n- [Infrastructure as Code Security](#infrastructure-as-code-security)\n- [Container Security](#container-security)\n  - [Image Scanning](#image-scanning)\n  - [Runtime Security](#runtime-security)\n- [Kubernetes Security](#kubernetes-security)\n- [Policy as Code](#policy-as-code)\n- [Secret Management](#secret-management)\n- [API \u0026 Dynamic Testing (DAST)](#api--dynamic-testing-dast)\n- [Cloud Security](#cloud-security)\n- [Reading the Badges](#reading-the-badges)\n- [Contributing](#contributing)\n- [License](#license)\n\n---\n\n## Pre-commit \u0026 Secrets Detection\n\nCatch secrets and credentials before they enter your repository.\n\n- [gitleaks](https://github.com/gitleaks/gitleaks) - Detect and prevent secrets in git repos. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/gitleaks/gitleaks) ![Last Commit](https://img.shields.io/github/last-commit/gitleaks/gitleaks)\n- [trufflehog](https://github.com/trufflesecurity/trufflehog) - Find credentials in git history and live systems. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/trufflesecurity/trufflehog) ![Last Commit](https://img.shields.io/github/last-commit/trufflesecurity/trufflehog)\n- [detect-secrets](https://github.com/Yelp/detect-secrets) - Prevent secrets from entering codebases. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/Yelp/detect-secrets) ![Last Commit](https://img.shields.io/github/last-commit/Yelp/detect-secrets)\n- [git-secrets](https://github.com/awslabs/git-secrets) - Prevent committing AWS credentials and secrets. ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/awslabs/git-secrets) ![Last Commit](https://img.shields.io/github/last-commit/awslabs/git-secrets)\n- [talisman](https://github.com/thoughtworks/talisman) - Pre-push and pre-commit hooks for secrets detection. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/thoughtworks/talisman) ![Last Commit](https://img.shields.io/github/last-commit/thoughtworks/talisman)\n- [whispers](https://github.com/Skyscanner/whispers) - Identify hardcoded secrets in static code analysis. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/Skyscanner/whispers) ![Last Commit](https://img.shields.io/github/last-commit/Skyscanner/whispers)\n- [pre-commit](https://github.com/pre-commit/pre-commit) - Framework to manage multi-language pre-commit hooks. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/pre-commit/pre-commit) ![Last Commit](https://img.shields.io/github/last-commit/pre-commit/pre-commit)\n\n## SBOM Generation\n\nGenerate Software Bill of Materials for supply chain visibility.\n\n- [syft](https://github.com/anchore/syft) - Generate SBOMs from container images and filesystems. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/anchore/syft) ![Last Commit](https://img.shields.io/github/last-commit/anchore/syft)\n- [cdxgen](https://github.com/CycloneDX/cdxgen) - Create CycloneDX SBOMs for various languages. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/CycloneDX/cdxgen) ![Last Commit](https://img.shields.io/github/last-commit/CycloneDX/cdxgen)\n- [cyclonedx-cli](https://github.com/CycloneDX/cyclonedx-cli) - CLI for working with CycloneDX SBOMs. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/CycloneDX/cyclonedx-cli) ![Last Commit](https://img.shields.io/github/last-commit/CycloneDX/cyclonedx-cli)\n- [spdx-sbom-generator](https://github.com/opensbom-generator/spdx-sbom-generator) - Generate SPDX format SBOMs from source code. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/opensbom-generator/spdx-sbom-generator) ![Last Commit](https://img.shields.io/github/last-commit/opensbom-generator/spdx-sbom-generator)\n- [tern](https://github.com/tern-tools/tern) - Software composition analysis for container images. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/tern-tools/tern) ![Last Commit](https://img.shields.io/github/last-commit/tern-tools/tern)\n- [sbom-tool](https://github.com/microsoft/sbom-tool) - Microsoft's scalable SBOM generation tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/microsoft/sbom-tool) ![Last Commit](https://img.shields.io/github/last-commit/microsoft/sbom-tool)\n- [sbomlyze](https://github.com/rezmoss/sbomlyze) - SBOM diff and analysis tool for supply chain drift detection. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/rezmoss/sbomlyze) ![Last Commit](https://img.shields.io/github/last-commit/rezmoss/sbomlyze)\n\n## Artifact Signing \u0026 Verification\n\nSign and verify container images and artifacts for supply chain security.\n\n- [cosign](https://github.com/sigstore/cosign) - Sign and verify container images. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/sigstore/cosign) ![Last Commit](https://img.shields.io/github/last-commit/sigstore/cosign)\n- [notation](https://github.com/notaryproject/notation) - CNCF signing and verification standard (Notary Project). ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/notaryproject/notation) ![Last Commit](https://img.shields.io/github/last-commit/notaryproject/notation)\n- [rekor](https://github.com/sigstore/rekor) - Immutable tamper-resistant transparency log for signed artifacts. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/sigstore/rekor) ![Last Commit](https://img.shields.io/github/last-commit/sigstore/rekor)\n\n## Supply Chain Compliance\n\nAudit and verify supply chain security against industry benchmarks.\n\n- [scorecard](https://github.com/ossf/scorecard) - OpenSSF security health metrics for open source projects. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/ossf/scorecard) ![Last Commit](https://img.shields.io/github/last-commit/ossf/scorecard)\n- [in-toto](https://github.com/in-toto/in-toto) - Framework to protect supply chain integrity. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/in-toto/in-toto) ![Last Commit](https://img.shields.io/github/last-commit/in-toto/in-toto)\n- [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) - Verify SLSA provenance for supply chain security. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/slsa-framework/slsa-verifier) ![Last Commit](https://img.shields.io/github/last-commit/slsa-framework/slsa-verifier)\n- [chain-bench](https://github.com/aquasecurity/chain-bench) - Audit supply chain against CIS benchmarks. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/aquasecurity/chain-bench) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/chain-bench)\n\n## Software Composition Analysis (SCA)\n\nScan dependencies for known vulnerabilities.\n\n- [grype](https://github.com/anchore/grype) - Vulnerability scanner for container images and filesystems. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/anchore/grype) ![Last Commit](https://img.shields.io/github/last-commit/anchore/grype)\n- [trivy](https://github.com/aquasecurity/trivy) - All-in-one security scanner for vulnerabilities and misconfigurations. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/trivy) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/trivy)\n- [osv-scanner](https://github.com/google/osv-scanner) - Vulnerability scanner using the OSV database. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/google/osv-scanner) ![Last Commit](https://img.shields.io/github/last-commit/google/osv-scanner)\n- [dependency-track](https://github.com/DependencyTrack/dependency-track) - Intelligent component analysis platform. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/DependencyTrack/dependency-track) ![Last Commit](https://img.shields.io/github/last-commit/DependencyTrack/dependency-track)\n- [snyk-cli](https://github.com/snyk/cli) - Find and fix vulnerabilities in dependencies. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/snyk/cli) ![Last Commit](https://img.shields.io/github/last-commit/snyk/cli)\n- [bomber](https://github.com/devops-kung-fu/bomber) - Scan SBOMs for vulnerabilities. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/devops-kung-fu/bomber) ![Last Commit](https://img.shields.io/github/last-commit/devops-kung-fu/bomber)\n- [vet](https://github.com/safedep/vet) - Policy-driven dependency vetting tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/safedep/vet) ![Last Commit](https://img.shields.io/github/last-commit/safedep/vet)\n- [deps.dev](https://deps.dev) - Google's dependency insights service (API/Website).\n- [safe-chain](https://github.com/AikidoSec/safe-chain) - Block malicious packages during npm/pip install. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/AikidoSec/safe-chain) ![Last Commit](https://img.shields.io/github/last-commit/AikidoSec/safe-chain)\n\n## Static Application Security Testing (SAST)\n\nAnalyze source code for security vulnerabilities.\n\n### Multi-language\n\nTools that support multiple programming languages.\n\n- [semgrep](https://github.com/semgrep/semgrep) - Lightweight static analysis for many languages. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/semgrep/semgrep) ![Last Commit](https://img.shields.io/github/last-commit/semgrep/semgrep)\n- [bearer](https://github.com/Bearer/bearer) - Code security scanner for data flows. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/Bearer/bearer) ![Last Commit](https://img.shields.io/github/last-commit/Bearer/bearer)\n- [horusec](https://github.com/ZupIT/horusec) - Multi-language security analysis tool. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/ZupIT/horusec) ![Last Commit](https://img.shields.io/github/last-commit/ZupIT/horusec)\n- [codeql](https://github.com/github/codeql) - Semantic code analysis engine by GitHub. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/github/codeql) ![Last Commit](https://img.shields.io/github/last-commit/github/codeql)\n- [sonarqube](https://github.com/SonarSource/sonarqube) - Continuous inspection of code quality and security. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/SonarSource/sonarqube) ![Last Commit](https://img.shields.io/github/last-commit/SonarSource/sonarqube)\n- [spotbugs](https://github.com/spotbugs/spotbugs) - Static analysis tool for finding bugs in Java. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/spotbugs/spotbugs) ![Last Commit](https://img.shields.io/github/last-commit/spotbugs/spotbugs)\n\n### Language Specific\n\nSpecialized tools for individual programming languages.\n\n#### Python\n- [bandit](https://github.com/PyCQA/bandit) - Security linter for Python code. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/PyCQA/bandit) ![Last Commit](https://img.shields.io/github/last-commit/PyCQA/bandit)\n- [safety](https://github.com/pyupio/safety) - Check Python dependencies for vulnerabilities. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/pyupio/safety) ![Last Commit](https://img.shields.io/github/last-commit/pyupio/safety)\n- [pyre-check](https://github.com/facebook/pyre-check) - Performant type checker with security analysis. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/facebook/pyre-check) ![Last Commit](https://img.shields.io/github/last-commit/facebook/pyre-check)\n\n#### JavaScript/Node.js\n- [njsscan](https://github.com/ajinabraham/njsscan) - Semantic SAST tool for Node.js applications. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/ajinabraham/njsscan) ![Last Commit](https://img.shields.io/github/last-commit/ajinabraham/njsscan)\n- [eslint-plugin-security](https://github.com/eslint-community/eslint-plugin-security) - ESLint rules for Node.js security. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/eslint-community/eslint-plugin-security) ![Last Commit](https://img.shields.io/github/last-commit/eslint-community/eslint-plugin-security)\n\n#### Go\n- [gosec](https://github.com/securego/gosec) - Security checker for Go source code. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/securego/gosec) ![Last Commit](https://img.shields.io/github/last-commit/securego/gosec)\n- [govulncheck](https://github.com/golang/vuln) - Official Go vulnerability scanner for dependencies and binaries. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/golang/vuln) ![Last Commit](https://img.shields.io/github/last-commit/golang/vuln)\n\n#### Ruby\n- [brakeman](https://github.com/presidentbeef/brakeman) - Static analysis for Ruby on Rails applications. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/presidentbeef/brakeman) ![Last Commit](https://img.shields.io/github/last-commit/presidentbeef/brakeman)\n\n#### PHP\n- [phpstan](https://github.com/phpstan/phpstan) - PHP static analysis tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/phpstan/phpstan) ![Last Commit](https://img.shields.io/github/last-commit/phpstan/phpstan)\n- [psalm](https://github.com/vimeo/psalm) - Static analysis tool for PHP with security focus. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/vimeo/psalm) ![Last Commit](https://img.shields.io/github/last-commit/vimeo/psalm)\n\n#### Rust\n- [cargo-audit](https://github.com/RustSec/rustsec) - Audit Cargo.lock for crates with security vulnerabilities. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/RustSec/rustsec) ![Last Commit](https://img.shields.io/github/last-commit/RustSec/rustsec)\n\n## Infrastructure as Code Security\n\nScan infrastructure configurations for security misconfigurations.\n\n- [checkov](https://github.com/bridgecrewio/checkov) - Scan cloud infrastructure configurations. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/bridgecrewio/checkov) ![Last Commit](https://img.shields.io/github/last-commit/bridgecrewio/checkov)\n- [tfsec](https://github.com/aquasecurity/tfsec) - Security scanner for Terraform code. ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/aquasecurity/tfsec) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/tfsec)\n- [terrascan](https://github.com/tenable/terrascan) - Detect compliance and security violations in IaC. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/tenable/terrascan) ![Last Commit](https://img.shields.io/github/last-commit/tenable/terrascan)\n- [kics](https://github.com/Checkmarx/kics) - Find security vulnerabilities and compliance issues in IaC. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/Checkmarx/kics) ![Last Commit](https://img.shields.io/github/last-commit/Checkmarx/kics)\n- [trivy](https://github.com/aquasecurity/trivy) - Also scans IaC misconfigurations (Terraform, CloudFormation, etc.). ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/trivy) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/trivy)\n- [snyk-iac](https://github.com/snyk/cli) - Infrastructure as Code security scanning. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/snyk/cli) ![Last Commit](https://img.shields.io/github/last-commit/snyk/cli)\n- [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) - AWS CloudFormation linter with security rules. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aws-cloudformation/cfn-lint) ![Last Commit](https://img.shields.io/github/last-commit/aws-cloudformation/cfn-lint)\n- [zizmor](https://github.com/zizmorcore/zizmor) - Static analysis for GitHub Actions workflows. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/zizmorcore/zizmor) ![Last Commit](https://img.shields.io/github/last-commit/zizmorcore/zizmor)\n\n## Container Security\n\nSecure container images and runtime environments.\n\n### Image Scanning\n\nScan container images for vulnerabilities before deployment.\n\n- [trivy](https://github.com/aquasecurity/trivy) - Comprehensive vulnerability scanner for containers. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/trivy) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/trivy)\n- [grype](https://github.com/anchore/grype) - Vulnerability scanner for container images. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/anchore/grype) ![Last Commit](https://img.shields.io/github/last-commit/anchore/grype)\n- [clair](https://github.com/quay/clair) - Vulnerability static analysis for containers. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/quay/clair) ![Last Commit](https://img.shields.io/github/last-commit/quay/clair)\n- [anchore-engine](https://github.com/anchore/anchore-engine) - Container analysis and policy evaluation. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/anchore/anchore-engine) ![Last Commit](https://img.shields.io/github/last-commit/anchore/anchore-engine) *(Migrate to [Syft](https://github.com/anchore/syft) + [Grype](https://github.com/anchore/grype))*\n- [docker-bench-security](https://github.com/docker/docker-bench-security) - Check Docker deployment against CIS benchmarks. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/docker/docker-bench-security) ![Last Commit](https://img.shields.io/github/last-commit/docker/docker-bench-security)\n- [dockle](https://github.com/goodwithtech/dockle) - Container image linter for security best practices. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/goodwithtech/dockle) ![Last Commit](https://img.shields.io/github/last-commit/goodwithtech/dockle)\n- [hadolint](https://github.com/hadolint/hadolint) - Dockerfile linter for best practices and security rules (does not perform vulnerability database scanning). ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/hadolint/hadolint) ![Last Commit](https://img.shields.io/github/last-commit/hadolint/hadolint)\n- [dive](https://github.com/wagoodman/dive) - Explore and analyze Docker image layers and efficiency and inspect image contents (for analysis/inspection, not vulnerability scanning). ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/wagoodman/dive) ![Last Commit](https://img.shields.io/github/last-commit/wagoodman/dive)\n\n### Runtime Security\n\nMonitor and protect containers at runtime.\n\n- [falco](https://github.com/falcosecurity/falco) - Cloud-native runtime security and threat detection. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/falcosecurity/falco) ![Last Commit](https://img.shields.io/github/last-commit/falcosecurity/falco)\n- [tracee](https://github.com/aquasecurity/tracee) - Linux runtime security and forensics using eBPF. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/tracee) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/tracee)\n- [tetragon](https://github.com/cilium/tetragon) - eBPF-based security observability and runtime enforcement. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/cilium/tetragon) ![Last Commit](https://img.shields.io/github/last-commit/cilium/tetragon)\n- [sysdig-inspect](https://github.com/draios/sysdig-inspect) - System call visualization and container analysis. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/draios/sysdig-inspect) ![Last Commit](https://img.shields.io/github/last-commit/draios/sysdig-inspect)\n\n## Kubernetes Security\n\nSecure Kubernetes clusters, manifests, and workloads.\n\n- [kube-bench](https://github.com/aquasecurity/kube-bench) - Check Kubernetes against CIS benchmarks. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/kube-bench) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/kube-bench)\n- [kubescape](https://github.com/kubescape/kubescape) - Kubernetes security risk analysis and compliance. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/kubescape/kubescape) ![Last Commit](https://img.shields.io/github/last-commit/kubescape/kubescape)\n- [kube-linter](https://github.com/stackrox/kube-linter) - Static analysis for Kubernetes YAML and Helm charts. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/stackrox/kube-linter) ![Last Commit](https://img.shields.io/github/last-commit/stackrox/kube-linter)\n- [kyverno](https://github.com/kyverno/kyverno) - Kubernetes native policy management. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/kyverno/kyverno) ![Last Commit](https://img.shields.io/github/last-commit/kyverno/kyverno)\n- [polaris](https://github.com/FairwindsOps/polaris) - Validate Kubernetes best practices and policies. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/FairwindsOps/polaris) ![Last Commit](https://img.shields.io/github/last-commit/FairwindsOps/polaris)\n- [trivy-operator](https://github.com/aquasecurity/trivy-operator) - Kubernetes-native security reports. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/trivy-operator) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/trivy-operator)\n- [kubiscan](https://github.com/cyberark/KubiScan) - Scan Kubernetes RBAC for risky permissions. ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/cyberark/KubiScan) ![Last Commit](https://img.shields.io/github/last-commit/cyberark/KubiScan)\n- [kube-hunter](https://github.com/aquasecurity/kube-hunter) - Hunt for security weaknesses in Kubernetes clusters. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/aquasecurity/kube-hunter) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/kube-hunter)\n\n## Policy as Code\n\nDefine and enforce security policies as code across your infrastructure.\n\n- [opa](https://github.com/open-policy-agent/opa) - Open Policy Agent, industry standard for policy as code. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/open-policy-agent/opa) ![Last Commit](https://img.shields.io/github/last-commit/open-policy-agent/opa)\n- [gatekeeper](https://github.com/open-policy-agent/gatekeeper) - OPA for Kubernetes admission control. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/open-policy-agent/gatekeeper) ![Last Commit](https://img.shields.io/github/last-commit/open-policy-agent/gatekeeper)\n- [datree](https://github.com/datreeio/datree) - Prevent Kubernetes misconfigurations. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/datreeio/datree) ![Last Commit](https://img.shields.io/github/last-commit/datreeio/datree)\n- [conftest](https://github.com/open-policy-agent/conftest) - Test configuration files against OPA policies. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/open-policy-agent/conftest) ![Last Commit](https://img.shields.io/github/last-commit/open-policy-agent/conftest)\n\n## Secret Management\n\nSecurely manage and distribute secrets in Kubernetes and GitOps workflows.\n\n- [sealed-secrets](https://github.com/bitnami-labs/sealed-secrets) - Encrypt secrets locally, decrypt only in cluster. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/bitnami-labs/sealed-secrets) ![Last Commit](https://img.shields.io/github/last-commit/bitnami-labs/sealed-secrets)\n- [external-secrets](https://github.com/external-secrets/external-secrets) - Sync secrets from AWS/Vault/Azure into Kubernetes. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/external-secrets/external-secrets) ![Last Commit](https://img.shields.io/github/last-commit/external-secrets/external-secrets)\n- [sops](https://github.com/getsops/sops) - Editor-transparent encryption for Git files. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/getsops/sops) ![Last Commit](https://img.shields.io/github/last-commit/getsops/sops)\n- [vault](https://github.com/hashicorp/vault) - Secrets management, encryption as a service, and privileged access. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/hashicorp/vault) ![Last Commit](https://img.shields.io/github/last-commit/hashicorp/vault)\n- [infisical](https://github.com/Infisical/infisical) - Open-source secret management platform with native integrations. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/Infisical/infisical) ![Last Commit](https://img.shields.io/github/last-commit/Infisical/infisical)\n\n## API \u0026 Dynamic Testing (DAST)\n\nTest running applications for vulnerabilities.\n\n- [zap](https://github.com/zaproxy/zaproxy) - OWASP ZAP web application security scanner. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/zaproxy/zaproxy) ![Last Commit](https://img.shields.io/github/last-commit/zaproxy/zaproxy)\n- [nuclei](https://github.com/projectdiscovery/nuclei) - Fast and customizable vulnerability scanner. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/projectdiscovery/nuclei) ![Last Commit](https://img.shields.io/github/last-commit/projectdiscovery/nuclei)\n- [nikto](https://github.com/sullo/nikto) - Web server scanner for dangerous files and vulnerabilities. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/sullo/nikto) ![Last Commit](https://img.shields.io/github/last-commit/sullo/nikto)\n- [arachni](https://github.com/Arachni/arachni) - Feature-rich web application security scanner. ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/Arachni/arachni) ![Last Commit](https://img.shields.io/github/last-commit/Arachni/arachni) *(Consider [ZAP](https://github.com/zaproxy/zaproxy) or [Nuclei](https://github.com/projectdiscovery/nuclei) instead)*\n- [wapiti](https://github.com/wapiti-scanner/wapiti) - Web application vulnerability scanner. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/wapiti-scanner/wapiti) ![Last Commit](https://img.shields.io/github/last-commit/wapiti-scanner/wapiti)\n- [sqlmap](https://github.com/sqlmapproject/sqlmap) - Automatic SQL injection detection and exploitation. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/sqlmapproject/sqlmap) ![Last Commit](https://img.shields.io/github/last-commit/sqlmapproject/sqlmap)\n\n## Cloud Security\n\nAssess and audit cloud infrastructure security posture.\n\n- [prowler](https://github.com/prowler-cloud/prowler) - AWS, Azure, and GCP security assessments. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/prowler-cloud/prowler) ![Last Commit](https://img.shields.io/github/last-commit/prowler-cloud/prowler)\n- [cloudsplaining](https://github.com/salesforce/cloudsplaining) - AWS IAM security assessment tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/salesforce/cloudsplaining) ![Last Commit](https://img.shields.io/github/last-commit/salesforce/cloudsplaining)\n- [ScoutSuite](https://github.com/nccgroup/ScoutSuite) - Multi-cloud security auditing tool. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/nccgroup/ScoutSuite) ![Last Commit](https://img.shields.io/github/last-commit/nccgroup/ScoutSuite)\n- [steampipe](https://github.com/turbot/steampipe) - Query cloud resources using SQL. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/turbot/steampipe) ![Last Commit](https://img.shields.io/github/last-commit/turbot/steampipe)\n- [cloudquery](https://github.com/cloudquery/cloudquery) - Cloud asset inventory and security analysis with SQL. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/cloudquery/cloudquery) ![Last Commit](https://img.shields.io/github/last-commit/cloudquery/cloudquery)\n- [cartography](https://github.com/lyft/cartography) - Map infrastructure relationships and attack surface. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/lyft/cartography) ![Last Commit](https://img.shields.io/github/last-commit/lyft/cartography)\n\n---\n\n## Reading the Badges\n\nEach tool displays status and activity badges for transparency.\n\n### Maintenance Status (Updated Weekly)\n\nStatus badges are **automatically updated every week** by our GitHub Action to reflect current maintenance status.\n\n| Badge | Meaning |\n|-------|---------|\n| ![Active](https://img.shields.io/badge/status-active-brightgreen) | **Active** - Updated within the last 6 months |\n| ![Stale](https://img.shields.io/badge/status-stale-yellow) | **Stale** - No updates in 6-12 months; use with caution |\n| ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) | **Unmaintained** - No updates in 12+ months; consider alternatives |\n| ![Archived](https://img.shields.io/badge/status-archived-lightgrey) | **Archived** - Repository has been archived by owner |\n| ![Deprecated](https://img.shields.io/badge/status-deprecated-lightgrey) | **Deprecated** - Officially superseded; migration recommended |\n\n### Activity Badges\n\n| Badge | Meaning |\n|-------|---------|\n| ![Stars](https://img.shields.io/badge/stars-★-blue) | GitHub star count - indicates community adoption |\n| ![Last Commit](https://img.shields.io/badge/last%20commit-date-green) | Last commit date - shows exact update time |\n\n\u003e **Tip:** While we update status badges weekly, always verify the \"Last Commit\" badge for the most current information before adopting a tool.\n\n## Contributing\n\nContributions are welcome! Please read the [contribution guidelines](CONTRIBUTING.md) first.\n\n**Before submitting:**\n- Repository must be **at least 1 month old** (anti-spam requirement)\n- Repository must have **at least 5 stars**\n- Tool must have been **updated within the last 12 months**\n- You must **disclose any affiliation** with the tool\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for full details.\n\n## License\n\n[![CC0](https://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg)](http://creativecommons.org/publicdomain/zero/1.0/)\n\nTo the extent possible under law, the contributors have waived all copyright and related or neighboring rights to this work.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frezmoss%2Fawesome-security-pipeline","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frezmoss%2Fawesome-security-pipeline","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frezmoss%2Fawesome-security-pipeline/lists"}