Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

awesome-devsecops

Curating the best DevSecOps resources and tooling.
https://github.com/JakobTheDev/awesome-devsecops

Last synced: 2 days ago
JSON representation

  • Resources

  • Tools

    • Dependency Management

      • Dependabot - _GitHub_ - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
      • Dependency-Check - _OWASP_ - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.
      • Dependency-Track - _OWASP_ - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.
      • JFrog XRay - _JFrog_ - Security and compliance analysis for artifacts stored in JFrog Artifactory.
      • NPM Audit - _NPM_ - Vulnerable package auditing for node packages built into the npm CLI.
      • Renovate - _WhiteSource_ - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.
      • Requires.io - _Olivier Mansion & Alexis Tabary_ - Automated vulnerable dependency monitoring and upgrades for Python projects.
      • Snyk Open Source - _Snyk_ - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database.
      • Dependabot - _GitHub_ - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
      • Deepfence ThreatMapper - Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.
      • Dependabot - _GitHub_ - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
      • Snyk Open Source - _Snyk_ - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database.
    • Dynamic Analysis

      • BurpSuite Enterprise Edition - _PortSwigger_ - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.
      • Automatic API Attack Tool - _Imperva_ - Perform automated security scanning against an API based on an API specification.
      • Gauntlt - _Gauntlt_ - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax.
      • Netz - _Spectral_ - Discover internet-wide misconfigurations, using zgrab2 and others.
      • RESTler - _Microsoft_ - A stateful RESTful API scanner based on peer-reviewed research papers.
      • SSL Labs Scan - _SSL Labs_ - Automated scanning for SSL / TLS configuration issues.
      • Zed Attack Proxy (ZAP) - _OWASP_ - An open-source web application vulnerability scanner, including an API for CI/CD integration.
    • Infrastructure as Code Analysis

      • Spectral DeepConfig - _Spectral_ - Find misconfiguration both in infrastructure as well as apps as early as commit time.
      • Terrascan - _Accurics_ - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
      • Anchore Engine - _Anchore, Inc_ - Deep inspection of Docker images for CVEs and checking against custom policies. Engine behind their enterprise products that integrate against registries, orchestrators and CI/CD products.
      • Snyk Container - _Snyk_ - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.
      • Terraform Compliance - _terraform-compliance_ - A lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
      • Tfsec - _Liam Galvin_ - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice.
      • Ansible-Lint - _Ansible Community_ - Checks playbooks for practices and behaviour that could potentially be improved. As a community backed project ansible-lint supports only the last two major versions of Ansible.
      • Terrascan - _Accurics_ - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
      • Kubescape - _Cloud Native Computing Foundation_ - An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.
      • Checkov - _Bridgecrew_ - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.
      • KICS - _Checkmarx_ - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle.
      • Cfn Nag - _Stelligent_ - Scan AWS CloudFormation templates for insecure configuration.
      • Clair - _Red Hat_ - Scan App Container and Docker containers for publicly disclosed vulnerabilities.
      • Docker-Bench-Security - _Docker_ - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
      • Hadolint - _Hadolint_ - Checks a Dockerfile against known rules and validates inline bash code in RUN statements.
      • Trivy - _Aqua Security_ - Simple and comprehensive vulnerability scanner for containers.
      • Regula - _Fugue_ - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment.
      • Kube-Score - _Gustav Westling_ - Scan Kubernetes object definitions for security and performance misconfiguration.
      • Kubectrl Kubesec - _ControlPlane_ - Plugin for kubesec.io to perform security risk analysis for Kubernetes resources.
      • Dagda - _Elías Grande_ - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning.
      • Ansible-Lint - _Ansible Community_ - Checks playbooks for practices and behaviour that could potentially be improved. As a community backed project ansible-lint supports only the last two major versions of Ansible.
    • Intentionally Vulnerable Applications

      • Damn Vulnerable Web App - _Ryan Dewhurst_ - A web application that provides a safe environment to understand and exploit common web vulnerabilities.
      • Juice Shop - _OWASP_ - A web application containing the OWASP Top 10 security vulnerabilities and more.
      • Bad SSL - _The Chromium Project_ - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
      • Cfngoat - _Bridgecrew_ - Cloud Formation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the Cloud Formation Infrastructure as Code Analysis tools above.
      • CI/CD Goat - _Cider Security_ - A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
      • Kubernetes Goat - _Madhu Akula_ - Intentionally vulnerable cluster environment to learn and practice Kubernetes security.
      • NodeGoat - _OWASP_ - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
      • Terragoat - _Bridgecrew_ - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above.
      • WrongSecrets - _OWASP_ - Vulnerable app with examples showing how to not use secrets
      • Juice Shop - _OWASP_ - A web application containing the OWASP Top 10 security vulnerabilities and more.
      • Pentest-Ground - _Pentest-Tools.com_ - Pentest-Ground is a free playground with deliberately vulnerable web applications and network services.
    • Monitoring

      • Csper - _Csper_ - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.
    • Secrets Management

      • Ansible Vault - _Ansible_ - Securely store secrets within Ansible pipelines.
      • AWS Key Management Service (KMS) - _Amazon AWS_ - Create and manage cryptographic keys in AWS.
      • AWS Secrets Manager - _Amazon AWS_ - Securely store retrievable application secrets in AWS.
      • Azure Key Vault - _Microsoft Azure_ - Securely store secrets within Azure.
      • CyberArk Application Access Manager - _CyberArk_ - Secrets management for applications including secret rotation and auditing.
      • Docker Secrets - _Docker_ - Store and manage access to secrets within a Docker swarm.
      • Google Cloud Key Management Service (KMS) - _Google Cloud Platform_ - Securely store secrets within GCP.
      • HashiCorp Vault - _HashiCorp_ - Securely store secrets via UI, CLI or HTTP API.
      • Secrets Operations (SOPS) - _Mozilla_ - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.
      • Teller - _Spectral_ - A secrets management tool for developers - never leave your command line for secrets.
      • Secrets Operations (SOPS) - _Mozilla_ - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.
      • BlackBox - _StackExchange_ - Encrypt credentials within your code repository.
      • Chef Vault - _Chef_ - Securely store secrets within Chef.
      • CredStash - _Fugue_ - Securely store secrets within AWS using KMS and DynamoDB.
      • Gopass - _Gopass_ - Password manager for teams relying on Git and gpg. Manages secrets in encrypted files and repositories.
      • Keyscope - _Spectral_ - Keyscope is an open source key and secret workflow tool (validation, invalidation, etc.) built in Rust.
      • Pinterest Knox - _Pinterest_ - Securely store, rotate and audit secrets.
      • Azure Key Vault - _Microsoft Azure_ - Securely store secrets within Azure.
      • Secrets Operations (SOPS) - _Mozilla_ - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.
      • Teller - _Spectral_ - A secrets management tool for developers - never leave your command line for secrets.
    • Secrets Scanning

      • CredScan - _Microsoft_ - A credential scanning tool that can be run as a task in Azure DevOps pipelines.
      • GitGuardian - _GitGuardian_ - A web-based solution that scans and monitors public and private git repositories for secrets.
      • Gitleaks - _Zachary Rice_ - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repositories.
      • SpectralOps - _Spectral_ - Automated code security, secrets, tokens and sensitive data scanning.
      • Gitleaks - _Zachary Rice_ - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repositories.
      • Detect Secrets - _Yelp_ - An aptly named module for (surprise, surprise) detecting secrets within a code base.
      • Repo-supervisor - _Auth0_ - Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda.
      • truffleHog - _Truffle Security_ - Searches through git repositories for secrets, digging deep into commit history and branches.
      • git-secrets - _AWS Labs_ - Scans commits, commit messages and merges for secrets. Native support for AWS secret patterns, but can be configured to support other patterns.
      • Nightfall - _Nightfall_ - A web-based platform that monitors for sensitive data disclosure across several SDLC tools, including GitHub repositories.
    • Static Analysis

      • LGTM - _Semmle_ - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries.
      • RIPS - _RIPS Technologies_ - Automated static analysis for PHP, Java and Node.js projects.
      • SemGrep - _r2c_ - Semgrep is a fast, open-source, static analysis tool that finds bugs and enforces code standards at editor, commit, and CI time.
      • SonarLint - _SonarSource_ - An IDE plugin that highlights potential security security issues, code quality issues and bugs.
      • SonarQube - _SonarSource_ - Scan code for security and quality issues with support for a wide variety of languages.
      • Conftest - _Instrumenta_ - Create custom tests to scan any configuration file for security flaws.
      • Deep Dive - _Discotek.ca_ - Static analysis for JVM deployment units including Ear, War, Jar and APK.
      • ESLint - _JS Foundation_ - Linting tool for JavaScript with multiple security linting rules available.
      • DevSkim - _Microsoft_ - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages.
      • Graudit - _Eldar Marcussen_ - Grep source code for potential security flaws with custom or pre-configured regex signatures.
      • Hawkeye - _Hawkeyesec_ - Modularised CLI tool for project security, vulnerability and general risk highlighting.
      • FlawFinder - _David Wheeler_ - Scan C / C++ code for potential security weaknesses.
      • Puma Scan - _Puma Security_ - A Visual Studio plugin to scan .NET projects for potential security flaws.
      • Selefra - _Selefra_ - An open-source policy-as-code software that provides analytics for multi-cloud and SaaS.
      • SpotBugs - _SpotBugs_ - Static code analysis for Java applications.
      • Golang Security Checker - _securego_ - CLI tool to scan Go code for potential security flaws.
      • Security Code Scan - _Security Code Scan_ - Static code analysis for C# and VB.NET applications.
      • Phan - _Phan_ - Broad static analysis for PHP applications with some support for security scanning features.
      • PHPCS Security Audit - _Floe_ - PHP static analysis with rules for PHP, Drupal 7 and PHP related CVEs.
      • Progpilot - _Design Security_ - Static analysis for PHP source code.
      • Bandit - _Python Code Quality Authority_ - Find common security vulnerabilities in Python code.
      • Brakeman - _Justin Collins_ - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
      • DawnScanner - _Paolo Perego_ - Security scanning for Ruby scripts and web application. Supports Ruby on Rails, Sinatra and Padrino frameworks.
      • Conftest - _Instrumenta_ - Create custom tests to scan any configuration file for security flaws.
      • Find Security Bugs - _OWASP_ - SpotBugs plugin for security audits of Java web applications. Supports Eclipse, IntelliJ, Android Studio and SonarQube.
    • Supply Chain Security

      • Sigstore - sigstore is a set of free to use and open source tools, including [fulcio](https://github.com/sigstore/fulcio), [cosign](https://github.com/sigstore/cosign) and [rekor](https://github.com/sigstore/rekor), handling digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.
      • Harden Runner GitHub Action - _StepSecurity_ - installs a security agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of credentials, detect compromised dependencies and build tools, and detect tampering of source code during the build.
      • Overlay - _SCAR_ - a browser extension helping developers evaluate open source packages before picking them.
      • Preflight - _Spectral_ - helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems, such as in the recent [Codecov hack](https://spectralops.io/blog/credentials-risk-supply-chain-lessons-from-the-codecov-breach/).
    • Threat Modelling

      • SecuriCAD - _Forseeti_ - Treat modelling and attack simulations for IT infrastructure.
      • IriusRisk - _IriusRisk_ - Draw threat models and capture threats and countermeasures and manage risk.
      • SD Elements - _Security Compass_ - Identify and rank threats, generate actionable tasks and track related tickets.
      • Threat Dragon - _OWASP_ - Threat model diagramming tool.
      • Threat Modelling Tool - _Microsoft_ - Threat model diagramming tool.
      • Threatspec - _Threatspec_ - Define threat modelling as code.
      • Raindance Project - _DevSecOps_ - Use attack maps to identify attack surface and adversary strategies that may lead to compromise.