Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

awesome-devsecops

Curating the best DevSecOps resources and tooling.
https://github.com/JakobTheDev/awesome-devsecops

Last synced: 2 days ago
JSON representation

  • Resources

  • Tools

    • Dependency Management

      • Dependabot - _GitHub_ - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
      • Dependency-Check - _OWASP_ - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.
      • Dependency-Track - _OWASP_ - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.
      • JFrog XRay - _JFrog_ - Security and compliance analysis for artifacts stored in JFrog Artifactory.
      • NPM Audit - _NPM_ - Vulnerable package auditing for node packages built into the npm CLI.
      • Renovate - _WhiteSource_ - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.
      • Requires.io - _Olivier Mansion & Alexis Tabary_ - Automated vulnerable dependency monitoring and upgrades for Python projects.
      • Snyk Open Source - _Snyk_ - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database.
      • Dependabot - _GitHub_ - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
      • Deepfence ThreatMapper - Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.
      • Dependabot - _GitHub_ - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
      • Snyk Open Source - _Snyk_ - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database.

    • Dynamic Analysis

      • BurpSuite Enterprise Edition - _PortSwigger_ - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.
      • Automatic API Attack Tool - _Imperva_ - Perform automated security scanning against an API based on an API specification.
      • Gauntlt - _Gauntlt_ - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax.
      • Netz - _Spectral_ - Discover internet-wide misconfigurations, using zgrab2 and others.
      • RESTler - _Microsoft_ - A stateful RESTful API scanner based on peer-reviewed research papers.
      • SSL Labs Scan - _SSL Labs_ - Automated scanning for SSL / TLS configuration issues.
      • Zed Attack Proxy (ZAP) - _OWASP_ - An open-source web application vulnerability scanner, including an API for CI/CD integration.

    • Infrastructure as Code Analysis

      • Spectral DeepConfig - _Spectral_ - Find misconfiguration both in infrastructure as well as apps as early as commit time.
      • Terrascan - _Accurics_ - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
      • Anchore Engine - _Anchore, Inc_ - Deep inspection of Docker images for CVEs and checking against custom policies. Engine behind their enterprise products that integrate against registries, orchestrators and CI/CD products.
      • Snyk Container - _Snyk_ - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.
      • Terraform Compliance - _terraform-compliance_ - A lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
      • Tfsec - _Liam Galvin_ - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice.
      • Ansible-Lint - _Ansible Community_ - Checks playbooks for practices and behaviour that could potentially be improved. As a community backed project ansible-lint supports only the last two major versions of Ansible.
      • Terrascan - _Accurics_ - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
      • Kubescape - _Cloud Native Computing Foundation_ - An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.
      • Checkov - _Bridgecrew_ - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.
      • KICS - _Checkmarx_ - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle.
      • Cfn Nag - _Stelligent_ - Scan AWS CloudFormation templates for insecure configuration.
      • Clair - _Red Hat_ - Scan App Container and Docker containers for publicly disclosed vulnerabilities.
      • Docker-Bench-Security - _Docker_ - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
      • Hadolint - _Hadolint_ - Checks a Dockerfile against known rules and validates inline bash code in RUN statements.
      • Trivy - _Aqua Security_ - Simple and comprehensive vulnerability scanner for containers.
      • Regula - _Fugue_ - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment.
      • Kube-Score - _Gustav Westling_ - Scan Kubernetes object definitions for security and performance misconfiguration.
      • Kubectrl Kubesec - _ControlPlane_ - Plugin for kubesec.io to perform security risk analysis for Kubernetes resources.
      • Dagda - _Elías Grande_ - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning.
      • Ansible-Lint - _Ansible Community_ - Checks playbooks for practices and behaviour that could potentially be improved. As a community backed project ansible-lint supports only the last two major versions of Ansible.

    • Intentionally Vulnerable Applications

      • Damn Vulnerable Web App - _Ryan Dewhurst_ - A web application that provides a safe environment to understand and exploit common web vulnerabilities.
      • Juice Shop - _OWASP_ - A web application containing the OWASP Top 10 security vulnerabilities and more.
      • Bad SSL - _The Chromium Project_ - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
      • Cfngoat - _Bridgecrew_ - Cloud Formation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the Cloud Formation Infrastructure as Code Analysis tools above.
      • CI/CD Goat - _Cider Security_ - A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
      • Kubernetes Goat - _Madhu Akula_ - Intentionally vulnerable cluster environment to learn and practice Kubernetes security.
      • NodeGoat - _OWASP_ - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
      • Terragoat - _Bridgecrew_ - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above.
      • WrongSecrets - _OWASP_ - Vulnerable app with examples showing how to not use secrets
      • Juice Shop - _OWASP_ - A web application containing the OWASP Top 10 security vulnerabilities and more.
      • Pentest-Ground - _Pentest-Tools.com_ - Pentest-Ground is a free playground with deliberately vulnerable web applications and network services.

    • Monitoring

      • Csper - _Csper_ - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.

    • Secrets Management

      • Ansible Vault - _Ansible_ - Securely store secrets within Ansible pipelines.
      • AWS Key Management Service (KMS) - _Amazon AWS_ - Create and manage cryptographic keys in AWS.
      • AWS Secrets Manager - _Amazon AWS_ - Securely store retrievable application secrets in AWS.
      • Azure Key Vault - _Microsoft Azure_ - Securely store secrets within Azure.
      • CyberArk Application Access Manager - _CyberArk_ - Secrets management for applications including secret rotation and auditing.
      • Docker Secrets - _Docker_ - Store and manage access to secrets within a Docker swarm.
      • Google Cloud Key Management Service (KMS) - _Google Cloud Platform_ - Securely store secrets within GCP.
      • HashiCorp Vault - _HashiCorp_ - Securely store secrets via UI, CLI or HTTP API.
      • Secrets Operations (SOPS) - _Mozilla_ - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.
      • Teller - _Spectral_ - A secrets management tool for developers - never leave your command line for secrets.
      • Secrets Operations (SOPS) - _Mozilla_ - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.
      • BlackBox - _StackExchange_ - Encrypt credentials within your code repository.
      • Chef Vault - _Chef_ - Securely store secrets within Chef.
      • CredStash - _Fugue_ - Securely store secrets within AWS using KMS and DynamoDB.
      • Gopass - _Gopass_ - Password manager for teams relying on Git and gpg. Manages secrets in encrypted files and repositories.
      • Keyscope - _Spectral_ - Keyscope is an open source key and secret workflow tool (validation, invalidation, etc.) built in Rust.
      • Pinterest Knox - _Pinterest_ - Securely store, rotate and audit secrets.
      • Azure Key Vault - _Microsoft Azure_ - Securely store secrets within Azure.
      • Secrets Operations (SOPS) - _Mozilla_ - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.
      • Teller - _Spectral_ - A secrets management tool for developers - never leave your command line for secrets.

    • Secrets Scanning

      • CredScan - _Microsoft_ - A credential scanning tool that can be run as a task in Azure DevOps pipelines.
      • GitGuardian - _GitGuardian_ - A web-based solution that scans and monitors public and private git repositories for secrets.
      • Gitleaks - _Zachary Rice_ - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repositories.
      • SpectralOps - _Spectral_ - Automated code security, secrets, tokens and sensitive data scanning.
      • Gitleaks - _Zachary Rice_ - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repositories.
      • Detect Secrets - _Yelp_ - An aptly named module for (surprise, surprise) detecting secrets within a code base.
      • Repo-supervisor - _Auth0_ - Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda.
      • truffleHog - _Truffle Security_ - Searches through git repositories for secrets, digging deep into commit history and branches.
      • git-secrets - _AWS Labs_ - Scans commits, commit messages and merges for secrets. Native support for AWS secret patterns, but can be configured to support other patterns.
      • Nightfall - _Nightfall_ - A web-based platform that monitors for sensitive data disclosure across several SDLC tools, including GitHub repositories.

    • Static Analysis

      • LGTM - _Semmle_ - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries.
      • RIPS - _RIPS Technologies_ - Automated static analysis for PHP, Java and Node.js projects.
      • SemGrep - _r2c_ - Semgrep is a fast, open-source, static analysis tool that finds bugs and enforces code standards at editor, commit, and CI time.
      • SonarLint - _SonarSource_ - An IDE plugin that highlights potential security security issues, code quality issues and bugs.
      • SonarQube - _SonarSource_ - Scan code for security and quality issues with support for a wide variety of languages.
      • Conftest - _Instrumenta_ - Create custom tests to scan any configuration file for security flaws.
      • Deep Dive - _Discotek.ca_ - Static analysis for JVM deployment units including Ear, War, Jar and APK.
      • ESLint - _JS Foundation_ - Linting tool for JavaScript with multiple security linting rules available.
      • DevSkim - _Microsoft_ - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages.
      • Graudit - _Eldar Marcussen_ - Grep source code for potential security flaws with custom or pre-configured regex signatures.
      • Hawkeye - _Hawkeyesec_ - Modularised CLI tool for project security, vulnerability and general risk highlighting.
      • FlawFinder - _David Wheeler_ - Scan C / C++ code for potential security weaknesses.
      • Puma Scan - _Puma Security_ - A Visual Studio plugin to scan .NET projects for potential security flaws.
      • Selefra - _Selefra_ - An open-source policy-as-code software that provides analytics for multi-cloud and SaaS.
      • SpotBugs - _SpotBugs_ - Static code analysis for Java applications.
      • Golang Security Checker - _securego_ - CLI tool to scan Go code for potential security flaws.
      • Security Code Scan - _Security Code Scan_ - Static code analysis for C# and VB.NET applications.
      • Phan - _Phan_ - Broad static analysis for PHP applications with some support for security scanning features.
      • PHPCS Security Audit - _Floe_ - PHP static analysis with rules for PHP, Drupal 7 and PHP related CVEs.
      • Progpilot - _Design Security_ - Static analysis for PHP source code.
      • Bandit - _Python Code Quality Authority_ - Find common security vulnerabilities in Python code.
      • Brakeman - _Justin Collins_ - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
      • DawnScanner - _Paolo Perego_ - Security scanning for Ruby scripts and web application. Supports Ruby on Rails, Sinatra and Padrino frameworks.
      • Conftest - _Instrumenta_ - Create custom tests to scan any configuration file for security flaws.
      • Find Security Bugs - _OWASP_ - SpotBugs plugin for security audits of Java web applications. Supports Eclipse, IntelliJ, Android Studio and SonarQube.

    • Supply Chain Security

      • Sigstore - sigstore is a set of free to use and open source tools, including [fulcio](https://github.com/sigstore/fulcio), [cosign](https://github.com/sigstore/cosign) and [rekor](https://github.com/sigstore/rekor), handling digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.
      • Harden Runner GitHub Action - _StepSecurity_ - installs a security agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of credentials, detect compromised dependencies and build tools, and detect tampering of source code during the build.
      • Overlay - _SCAR_ - a browser extension helping developers evaluate open source packages before picking them.
      • Preflight - _Spectral_ - helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems, such as in the recent [Codecov hack](https://spectralops.io/blog/credentials-risk-supply-chain-lessons-from-the-codecov-breach/).

    • Threat Modelling

      • SecuriCAD - _Forseeti_ - Treat modelling and attack simulations for IT infrastructure.
      • IriusRisk - _IriusRisk_ - Draw threat models and capture threats and countermeasures and manage risk.
      • SD Elements - _Security Compass_ - Identify and rank threats, generate actionable tasks and track related tickets.
      • Threat Dragon - _OWASP_ - Threat model diagramming tool.
      • Threat Modelling Tool - _Microsoft_ - Threat model diagramming tool.
      • Threatspec - _Threatspec_ - Define threat modelling as code.
      • Raindance Project - _DevSecOps_ - Use attack maps to identify attack surface and adversary strategies that may lead to compromise.
Programming Languages
Go 14 Python 8 Ruby 5 JavaScript 5 Shell 4 Java 4 PHP 3 C# 3 HTML 3 TypeScript 3
Categories
Tools 118 Resources 79 Related Lists 5
Sub Categories
Secure Development Guidelines 46 Static Analysis 25 Infrastructure as Code Analysis 21 Secrets Management 20 Training 13 Dependency Management 12 Threat Modelling 12 Intentionally Vulnerable Applications 11 Secrets Scanning 10 Dynamic Analysis 7 Podcasts 5 Supply Chain Security 4 Secure Development Lifecycle Framework 4 Toolchains 2 Wikis 2 Communities 2 Articles 2 Books 1 Monitoring 1 Conferences 1 Newsletters 1
Keywords
security 25 devsecops 11 kubernetes 9 security-tools 9 static-analysis 9 devops 8 static-code-analysis 8 docker 7 golang 6 appsec 6 aws 5 linter 5 go 5 vulnerability-scanners 4 vulnerability-detection 4 owasp 4 vulnerabilities 4 infrastructure-as-code 4 secrets 4 terraform 3 security-scanner 3 aws-security 3 azure 3 cloudformation 3 gcp 3 php 3 security-audit 3 ctf 3 cloudsecurity 3 ruby 3 compliance 3 containers 3 secret-management 3 testing 3 vault 3 analysis 3 ci 2 nodejs 2 iac 2 analyzer 2 owasp-top-ten 2 k8s 2 security-automation 2 open-policy-agent 2 rails 2 javascript 2 python 2 redteam 2 scanner 2 pentesting 2