awesome-platform-engineering
  
  
A curated list of awesome tools, resources and various shiny things
https://github.com/dstrates/awesome-platform-engineering
  
    
Application Security

Supply chain security
- OWASP dependency-check - software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies
 - awesome supply chain security
 - chain-bench - open-source tool for auditing your software supply chain stack for security compliance based on the CIS Software Supply Chain benchmark
 - legitify - Detect and remediate misconfigurations and security risks across all your GitHub assets
 - steampipe (GitHub compliance mod)
 - harden-runner - Security agent for GitHub-hosted runner: block egress traffic & detect code overwrite to prevent breaches
 - scorecard - OpenSSF Scorecard - Security health metrics for Open Source
 - CVE Prioritizer - Streamline vulnerability patching with CVSS, EPSS, and CISA's Known Exploited Vulnerabilities
 - ossf/allstar - GitHub App to set and enforce security policies
 - OSSGadget - Collection of tools for analyzing open source packages
 - oak - Oak is a software platform for building distributed systems providing externally verifiable (or falsifiable) claims about system behaviors in a transparent way
 
API Fuzzing
- Cherrybomb - CLI tool that helps you avoid undefined user behaviour by validating your API specifications
 - Restler - stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs
 - OWASP ZAP - dynamic security testing and web app scanner
 - Burp Suite - The enterprise-enabled dynamic web vulnerability scanner
 - Dredd - Language-agnostic HTTP API Testing Tool
 - Schemathesis - Specification-centric API testing tool for Open API and GraphQL-based applications
 - Snapchange - Lightweight fuzzing of a memory snapshot using KVM
 - Onefuzz - A self-hosted Fuzzing-As-A-Service platform
 - OSS-Fuzz - continuous fuzzing for open source software
 
DAST
- OWASP ZAP - automatically find security vulnerabilities in your web applications while you are developing and testing your applications
 - Nikto2 - web server scanner
 - Wapiti - Web vulnerability scanner written in Python3
 - Skipfish - Web application security scanner created by lcamtuf for Google - Unofficial Mirror [Deprecated]
 - CI Fuzz - CI Fuzz CLI is an open-source solution that lets you run feedback-based fuzz tests from your command line
 - nuclei - Fast and customizable vulnerability scanner based on simple YAML based DSL
 - paulveillard/cybersecurity-dynamic-analysis
 - analysis-tools-dev/dynamic-analysis
 
SAST
- static-analysis - A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality
 - Shisho - Lightweight static analyzer
 - PurplePanda - identify privilege escalation paths within and across different clouds
 - opensourcesecurityindex.io
 - Privado - Open Source Static Scanning tool to detect data flows in your code, find data security vulnerabilities & generate accurate Play Store Data Safety Report
 
SCA
- OpenSCA - supports detection of open source component dependencies and vulnerabilities
 - Dependency-track - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain
 - OSV scanner - Dependency vulnerability scanner written in Go which uses the data provided by [https://osv.dev](https://osv.dev)
 - packj - Packj stops ⚡ Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
 - socket.dev - Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript and Python dependencies
 - nancy - A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
 - deps.dev - Google project for rating dependencies
 - dep-scan - OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies
 - depguard - Go linter that checks if package imports are in a list of acceptable packages
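The scanners above differ mostly in data sources and packaging; the matching step they share is the same. As an added example (not code from OSV-Scanner, dep-scan, Dependency-Track or any other listed project), this Python script reads a requirements-style lockfile and checks each pin against advisories written in the OSV schema that osv.dev publishes, using the `introduced` / `fixed` / `last_affected` event semantics the schema defines. The advisory ids, package names and lockfile are constructed for the example and are not real vulnerabilities, and only dotted numeric versions are compared (pre-release tags are an unhandled simplification).

```python
"""Added example: the matching step of an SCA scanner. Not code from
OSV-Scanner, dep-scan or Dependency-Track. Advisories use the OSV schema's
affected/ranges/events layout as published by osv.dev; the advisory ids,
package names and lockfile are constructed, not real vulnerabilities, and
only dotted numeric versions are compared (pre-release tags are not handled)."""
from __future__ import annotations

import re


def parse_version(v: str) -> tuple[int, int, int]:
    """'1.4', 'v2.3.1', '0' -> zero-padded (major, minor, patch). Simplification."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor, patch)


def normalize(name: str) -> str:
    """PyPI name normalisation (PEP 503): case-fold and collapse -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_affected(v: tuple[int, int, int], events: list[dict]) -> bool:
    """OSV range semantics: walk events in version order; the last event at or
    below v decides. 'introduced' turns the vulnerable state on, 'fixed' turns
    it off from that version, 'last_affected' turns it off after that version."""
    def key(e: dict) -> tuple[int, int, int]:
        return parse_version(next(iter(e.values())))

    affected = False
    for e in sorted(events, key=key):
        ev = key(e)
        if "introduced" in e and v >= ev:
            affected = True
        elif "fixed" in e and v >= ev:
            affected = False
        elif "last_affected" in e and v > ev:
            affected = False
    return affected


PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;\\]+)")


def scan_lockfile(text: str, advisories: list[dict], ecosystem: str = "PyPI") -> list[tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every vulnerable pin."""
    findings = []
    for line in text.splitlines():
        m = PIN.match(line)
        if not m:
            continue  # comments, --hash continuation lines, unpinned specs
        name, version = normalize(m.group(1)), parse_version(m.group(2))
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != ecosystem or normalize(pkg["name"]) != name:
                    continue
                if any(version_affected(version, r["events"]) for r in aff.get("ranges", [])):
                    findings.append((name, m.group(2), adv["id"]))
    return findings


# Constructed advisories in OSV layout; ids and packages are made up.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "summary": "constructed: path traversal on extract",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "example-archiver"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "1.4.3"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "summary": "constructed: auth bypass, two vulnerable branches",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "example-auth"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "2.0.0"}, {"fixed": "2.3.1"},
                                          {"introduced": "3.0.0"}, {"last_affected": "3.0.2"}]}]}]},
]

# Constructed pip-style lockfile with a hash continuation line.
LOCKFILE = """\
# constructed lockfile
example-archiver==1.4.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
Example_Auth==2.3.1
example-unrelated==9.9.9
"""

if __name__ == "__main__":
    for name, version, adv_id in scan_lockfile(LOCKFILE, ADVISORIES):
        print(f"{name}=={version} affected by {adv_id}")
```

Real scanners normalise versions per ecosystem (PEP 440 for PyPI, semver for npm, Maven's own ordering) rather than with the three-part tuple used here; that step is where most false negatives come from, so check how the tool you pick treats pre-release and epoch versions before trusting a clean report.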
 
Secrets detection
- TruffleHog - Find leaked credentials
 - Detect-secrets - Yelp: An enterprise friendly way of detecting and preventing secrets in code
 - Bridgecrew detect-secrets - Bridgecrew fork of yelp/detect-secrets
 - ggshield - GitGuardian secrets detection.
 - SecretScanner - Deepfence SecretScanner can find unprotected secrets in container images or file systems. Integrated into [ThreatMapper 1.3.0](https://github.com/deepfence/ThreatMapper)
 - Gitleaks - SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos
 - git-secrets - AWSLabs tool for detecting secrets in git. No longer maintained
 - DumpsterDiver - Tool to search secrets in various filetypes. No longer maintained
 - keyscope - SpectralOps tool for secrets validation
 - leaky-repo - benchmarking repo with secrets in it to test and evaluate detection tools
 - Skyscanner/whispers - Identify hardcoded secrets in static structured text
 - auth0/repo-supervisor - Scan your code for security misconfiguration, search for passwords and secrets
 - Octopii - An AI-powered Personal Identifiable Information (PII) scanner
 - secretlint - Pluggable linting tool to prevent committing credentials.
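The scanners in this section all combine two checks: pattern rules for tokens with a recognisable prefix, and an entropy rule for opaque values assigned to suspicious variable names, with an inline comment to suppress known false positives. The following Python is an added example of those two checks run over a constructed file; it is not the code of TruffleHog, detect-secrets or Gitleaks, and the token patterns, the 3.5 bits-per-character threshold and the sample file are illustrative assumptions.

```python
"""Added example: pattern plus entropy secrets detection over a constructed file.
Not code from TruffleHog, detect-secrets or Gitleaks; token formats, threshold
and the sample file below are illustrative assumptions."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Prefix-based rules for token formats with a recognisable shape (illustrative,
# not any scanner's rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a suspicious variable name assigned a long opaque value.
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off, tune per repo
SUPPRESS = ("# nosecret", "# pragma: allowlist secret")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits per character: high for random tokens, ~0 for placeholders like xxxx."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """Run both rule families over each line; allowlist holds known-benign values."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if any(tag in line for tag in SUPPRESS):
            continue  # inline suppression, as detect-secrets and gitleaks support
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if match.group(0) not in allowlist:
                    findings.append(Finding(line_no, rule, match.group(0)))
        match = ASSIGNMENT.search(line)
        if match:
            value = match.group(1)
            already = any(f.line_no == line_no and f.secret == value for f in findings)
            if value not in allowlist and not already and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_assignment", value))
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
# constructed config file
db_host = "db.internal.example"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = "changeme"
API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
token = "xxxxxxxxxxxxxxxxxxxxxxxx"
export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.secret[:6]}...")
```

Note what the entropy rule misses: `password = "changeme"` is a real secret that is short and low-entropy, which is why production scanners keep noisy keyword-only rules alongside the entropy rule, and why a benchmark repo such as leaky-repo above is useful for measuring both the catch rate and the false-positive rate of whichever tool you adopt.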
 
Threat modelling
- Deciduous - security decision tree generator that serves as a threat modelling tool
 
 
Continuous integration
- semantic-release - Fully automated version management and package publishing
 - release-please - generate release PRs based on the conventionalcommits.org spec
 - git-cliff - A highly customizable Changelog Generator that follows Conventional Commit specifications ⛰️
 - meta/hermit - hermetically isolated sandboxes to control program execution
 - Spacelift - Spacelift is a sophisticated CI/CD platform for Terraform, CloudFormation, Pulumi, and Kubernetes
 - atlantis - Terraform Pull Request Automation
 - scalr - Terraform Cloud alternative
 - env0 - Manage, deploy, scale, and control all your Terraform, Terragrunt, Pulumi, and related frameworks
 - batect - Build And Testing Environments as Code Tool
 - autorelease - Release automation for GitHub
 - cashapp/hermit - consistent tooling across environments
 
 
Dashboards as code
- Grafanalib - Write Grafana dashboards in Python
 - Grafonnet - Jsonnet library for generating Grafana dashboard files
 - Steampipe - AWS Insights Mod - Create dashboards and reports for your AWS resources using Steampipe
 - kennel - Datadog monitors/dashboards/slos as code, avoid chaotic management via UI
 
 
Dependency management
- Poetry - Python packaging and dependency management
 - Renovate - Universal dependency update tool that fits into your workflows
 - Dependabot - Automating dependency updates in multiple languages
 - configrd - Sync configurations such as environment variables, application properties and secrets across build pipelines, services and environments
 - tfenv - Terraform version manager based on rbenv
 - asdf - Extendable version manager with support for Ruby, Node.js, Elixir, Erlang & more
 - mise - development environment setup tool that manages dev tools, runtimes, envvars and task runners
 - spack - A flexible package manager that supports multiple versions, configurations, platforms, and compilers
 - Lerna - Lerna is a tool for managing JavaScript projects with multiple packages, built on Yarn
 - chezmoi - Manage your dotfiles across multiple diverse machines, securely
 - just - just is a handy way to save and run project-specific commands
 - changesets - A way to manage your versioning and changelogs with a focus on monorepos
 - earthly - Super simple build framework with fast, repeatable builds and an instantly familiar syntax – like Dockerfile and Makefile had a baby.
 - knip - Find unused files, dependencies and exports in your JavaScript and TypeScript projects
 - Devbox - command-line tool that lets you easily create isolated shells for development
 
Build systems
- Bazel - Bazel is Google's monorepo-oriented build system
 - buck2 - Buck2 is a fast, hermetic, multi-language build system designed by Meta
 - pants - a monorepo-oriented build system, used by Twitter, Foursquare and multiple other companies
 - Nx - Nx is a build system with built-in tooling and advanced CI capabilities. It helps you maintain and scale monorepos, both locally and on CI
 
 
Diagrams as code
- structurizr - Diagrams as code 2.0
 - Pluralith - Terraform to diagrams
 - cdk-dia - CDK to diagrams
 - cfn-diagram - CFN to diagrams
 - mingrammer/diagrams - Draw diagrams in Python code
 - ascii flow - ASCII editor
 - PlantUML - Create diagrams from plaintext language
 - Go diagrams - create system diagrams with Go
 - Cloudcraft - Create AWS diagrams from deployed infrastructure
 - Inframap - Read your tfstate or HCL to generate a graph specific for each provider
 
 
Containers
- Trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
 - docker-trim - create a trimmed docker image that contains only parts of the original file system of an existing docker image
 - diffoci - diffoci compares Docker and OCI container images for helping reproducible builds
 - tini - A tiny but valid `init` for containers
 - ko - ko is a simple, fast container image builder for Go applications
 - go-containerregistry - Google Go library for working with container images. Includes tools like `crane`, `gcrane`, `krane` & `k8schain`
 - Dockle - Docker image linting
 - Container-scan - Dockle + Trivy [Deprecated]
 - HadoLint - Dockerfile linter, validate inline bash, written in Haskell
 - docker-bench - checks for dozens of common best-practices
 - aquasecurity/docker-bench
 - Dive - A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image
 - cadvisor - Analyzes resource usage and performance characteristics of running containers
 - Docker-slim - Don't change anything in your Docker container image and minify it by up to 30x
 - dfimage - Reverse-engineer a Dockerfile from a Docker image
 - Whaler - Go program to reverse Docker images into Dockerfiles
 - anchore-engine - A service that analyzes docker images and scans for vulnerabilities
 - grype - A vulnerability scanner for container images and filesystems
 - testcontainers - open source framework for providing throwaway, lightweight instances of anything that can run in a Docker container
 - distroless - Language focused docker images, minus the operating system
 - confidential-containers - leverage Trusted Execution Environments to protect containers and data and to deliver cloud native confidential computing
 - copacetic - CLI tool for directly patching container images!
 - runc - CLI tool for spawning and running containers according to the OCI specification
 
Shell into containers
- cdebug - cdebug - a swiss army knife of container debugging
 - debug-ctr - Command-line tool for interactive container troubleshooting
 - docker-debug - troubleshooting running docker containers
 - docker-opener - Shell-in to any docker container easily
 
 
Documentation as code
- Doxygen - generate docs from annotated C++ code
 - terraform docs - generate docs from Terraform code
 - glow - terminal based markdown reader designed for the CLI
 - runme - Execute your runbooks, docs, and READMEs
 
 
Endpoint validation
- Goss - quick and easy server validation
 - Prometheus Blackbox exporter - Blackbox prober exporter
 
 
Git Tools

Polyrepo operations tools

Repository management tools
- pull - Keep your forks up-to-date via automated PRs
 - git-of-theseus - Analyze how a Git repo grows over time
 - bash-git-prompt - An informative and fancy bash prompt for Git users
 - comby - A code rewrite tool for structural search and replace that supports ~every language
 
 
API tools
- Vacuum - fast OpenAPI 3 / OpenAPI 2 (Swagger) linter and quality analysis tool written in Go; compatible with Spectral rulesets and generates Spectral-compatible reports
 - Spectral - A flexible JSON/YAML linter for creating automated style guides, with baked in support for OpenAPI v3.1, v3.0, and v2.0 as well as AsyncAPI v2.x.
 - openapi-diff - Utility for comparing two OpenAPI specifications.
 - openapi-generator - OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec (v2, v3)
 - ogen - OpenAPI v3 code generator for go
 - swagger-codegen - swagger-codegen contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition.
 - oapi-codegen - Generate Go client and server boilerplate from OpenAPI 3 specifications
 - goa - Goa: Elevate Go API development! Streamlined design, automatic code generation, and seamless HTTP/gRPC support
 
 
Artifact signing and attestation
- SLSA - Supply-chain Levels for Software Artifacts: framework and provenance attestation format for build integrity
 - Cosign - code signing and transparency for containers and binaries
 - grafeas - Artifact Metadata API to audit and govern software supply chains
 - in-toto - a framework to protect supply chain integrity
 - notary - project that allows anyone to have trust over arbitrary collections of data
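What these projects have in common is the verification side: a signature over a DSSE envelope, an in-toto Statement naming the artifact by digest, and a policy applied to the predicate (for SLSA, the provenance). The following Python is an added example of that verification flow and is not code from in-toto, SLSA or Cosign. DSSE's PAE encoding and the Statement/SLSA v1 field names follow the published specifications; HMAC-SHA256 stands in for the asymmetric signature (an assumption so the example runs on the standard library alone), and the artifact bytes, builder id and key are constructed.

```python
"""Added example: build, sign and verify a DSSE envelope around an in-toto
Statement carrying SLSA v1 provenance, then apply verification policy.
Not code from in-toto, SLSA or Cosign. PAE and the Statement/SLSA field names
follow the published specs; HMAC-SHA256 stands in for the asymmetric signature
(an assumption so this runs on the standard library), and the artifact,
builder id and key are constructed."""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed fixtures; nothing here is real key material or a real build.
ARTIFACT = b"\x7fELF constructed artifact bytes"
BUILDER_ID = "https://ci.example.com/builders/release-pipeline@v1"
KEY = b"constructed-signing-key-not-for-real-use"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding. Length-prefixing both fields binds the
    payload type into the signature, so it cannot be replayed under another type."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, trusted_keys: dict) -> dict:
    """Return the statement if some signature verifies under a trusted key.
    The check is over PAE(type, payload), never the raw payload."""
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)
    for s in envelope["signatures"]:
        key = trusted_keys.get(s["keyid"])
        if key is None:
            continue  # unknown signer: ignore it rather than fail open
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return json.loads(payload)
    raise ValueError("no valid signature from a trusted key")


def verify_provenance(envelope: dict, trusted_keys: dict, artifact: bytes, expected_builder: str) -> bool:
    """Policy: trusted signature, SLSA v1 provenance, the artifact in hand is a
    subject of the statement, and the build ran on the expected builder."""
    try:
        stmt = verify_envelope(envelope, trusted_keys)
    except ValueError:
        return False
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        return False
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False
    builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    return builder == expected_builder


def make_statement(artifact: bytes = ARTIFACT, builder_id: str = BUILDER_ID) -> dict:
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "app-linux-amd64",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {"buildType": "https://example.com/build-types/container@v1"},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def demo() -> dict:
    """Sign once, then run the policy on the good case and four failure cases."""
    keys = {"release-key-1": KEY}
    env = sign_envelope(make_statement(), KEY, "release-key-1")
    # An attacker swaps in provenance for their own artifact but keeps the old
    # signature: the signature no longer covers the payload, so it must fail.
    forged = dict(env)
    forged["payload"] = base64.b64encode(json.dumps(make_statement(b"evil")).encode()).decode()
    return {
        "good": verify_provenance(env, keys, ARTIFACT, BUILDER_ID),
        "wrong_artifact": verify_provenance(env, keys, b"evil", BUILDER_ID),
        "wrong_builder": verify_provenance(env, keys, ARTIFACT, "https://ci.example.com/builders/dev@v1"),
        "untrusted_key": verify_provenance(env, {"other-key": KEY}, ARTIFACT, BUILDER_ID),
        "forged_payload": verify_provenance(forged, keys, b"evil", BUILDER_ID),
    }


if __name__ == "__main__":
    print(demo())
```

Cosign and the in-toto verifiers do the same three things with real key material: check the signature over PAE(payloadType, payload), match a subject digest against the artifact you actually have in hand, then apply policy to the predicate. A valid signature on its own proves only that someone with the key signed something; the digest match and the builder check are what tie that signature to this artifact and this build.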
 
 
Bug tracking
- Bugasura - AI-powered issue tracker
 
 
Chaos engineering
- Chaos Toolkit - the Open Source Platform for Chaos Engineering
 - Chaos Monkey - a resiliency tool that helps applications tolerate random instance failures
 - Toxiproxy - simulate network and system conditions for chaos and resiliency testing
 - Pumba - chaos testing, network emulation and stress testing tool for containers
 - Litmus - Cloud Native Chaos Engineering platform
 - KubeInvaders - Chaotic fun
 
 
Chat and ChatOps
- Rocket.Chat - open source team communication
 - Mattermost - messaging platform that enables secure team collaboration
 - CloudBot - simple, fast, expandable, open-source Python IRC Bot
 - Hubot - a customizable life embetterment robot
 - Lita - a robot companion for your company's chat room
 - Botkube - chat bot for Kubernetes
 - Rootly - Incident management in Slack
 
 
Cloud cost management
- Infracost - Predict cost of infrastructure from Terraform code
 - Terracost - Cloud cost estimation for Terraform in your CLI
 - Zesty - Automated cloud cost optimization for EC2 & RDS
 - Vantage - Automated cloud cost optimization
 - Scalr - Terraform platform that has cost-optimization features
 - Finout - Cloud cost monitoring platform
 - Harness Cloud Cost Management - Detect and stop cloud cost anomalies as they occur
 - Opencost - Cross-cloud cost allocation models for Kubernetes workloads
 - usage.ai - Automated cloud cost optimization for EC2, RDS, ElasticSearch, RedShift
 - cast.ai - Kubernetes automated cost savings
 
 
Cloud asset inventory
- Steampipe - `# select * from cloud;`
 - Resoto - Resoto creates an inventory of your cloud, provides deep visibility, and reacts to changes in your infrastructure
 - Cloudquery - Sync cloud assets to any database, transform and visualize
 - Cloudmapper - CloudMapper helps you analyze your AWS environments
 - Cloudgraph - The universal GraphQL API and CSPM tool for AWS, Azure, GCP, K8s, and tencent
 - AWS ClickOps notifier - Get notified when users are taking actions in the AWS Console
 - driftctl - Detect, track and alert on infrastructure drift
 - Scoutsuite - Multi-Cloud Security Auditing Tools
 - prowler - perform AWS security best practices assessments, audits, incident response, continuous monitoring
 - saw - Fast, multi-purpose tool for searching AWS CloudWatch Logs
 - magpie - Magpie is a free, open-source framework and a collection of community developed plugins that can be used to build complete end-to-end security tools such as a CSPM
 
 
Continuous deployment
 