Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


awesome-devsecops

Curating the best DevSecOps resources and tooling.
https://github.com/TaptuIT/awesome-devsecops

Last synced: 3 days ago

  • Tools

    • Infrastructure as Code Analysis

      • Hadolint - _Hadolint_ - Checks a Dockerfile against known rules and validates inline bash code in RUN statements.
      • Snyk Container - _Snyk_ - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.
      • Trivy - _Aqua Security_ - Simple and comprehensive vulnerability scanner for containers.
      • Regula - _Fugue_ - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment.
      • Grype - _Anchore_ - An easy-to-integrate open source vulnerability scanning tool for container images and filesystems.
      • Terraform Compliance - _terraform-compliance_ - A lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
      • Checkov - _Bridgecrew_ - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.
      • KICS - _Checkmarx_ - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle.
      • Spectral DeepConfig - _Spectral_ - Find misconfiguration both in infrastructure as well as apps as early as commit time.
      • Terrascan - _Accurics_ - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
      • Cfn Nag - _Stelligent_ - Scan AWS CloudFormation templates for insecure configuration.
      • Clair - _Red Hat_ - Scan App Container and Docker containers for publicly disclosed vulnerabilities.
      • Dagda - _Elías Grande_ - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning.
      • Docker-Bench-Security - _Docker_ - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
      • Tfsec - _Liam Galvin_ - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice.
      • Kubescape - _Cloud Native Computing Foundation_ - An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.
      • Kube-Score - _Gustav Westling_ - Scan Kubernetes object definitions for security and performance misconfiguration.
      • Kubectl Kubesec - _ControlPlane_ - Plugin for kubesec.io to perform security risk analysis for Kubernetes resources.
      • Ansible-Lint - _Ansible Community_ - Checks playbooks for practices and behaviour that could potentially be improved. As a community-backed project, ansible-lint supports only the last two major versions of Ansible.
    • Dependency Management

      • Deepfence ThreatMapper - _Deepfence_ - Apache v2 licensed runtime vulnerability scanner for Kubernetes, virtual machines and serverless.
      • Dependabot - _GitHub_ - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
      • Dependency-Check - _OWASP_ - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.
      • Dependency-Track - _OWASP_ - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.
      • JFrog XRay - _JFrog_ - Security and compliance analysis for artifacts stored in JFrog Artifactory.
      • Renovate - _WhiteSource_ - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.
      • Requires.io - _Olivier Mansion & Alexis Tabary_ - Automated vulnerable dependency monitoring and upgrades for Python projects.
      • Snyk Open Source - _Snyk_ - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database.
    • Dynamic Analysis

      • Automatic API Attack Tool - _Imperva_ - Perform automated security scanning against an API based on an API specification.
      • BurpSuite Enterprise Edition - _PortSwigger_ - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.
      • Gauntlt - _Gauntlt_ - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax.
      • Netz - _Spectral_ - Discover internet-wide misconfigurations, using zgrab2 and others.
      • RESTler - _Microsoft_ - A stateful RESTful API scanner based on peer-reviewed research papers.
      • SSL Labs Scan - _SSL Labs_ - Automated scanning for SSL / TLS configuration issues.
      • Zed Attack Proxy (ZAP) - _OWASP_ - An open-source web application vulnerability scanner, including an API for CI/CD integration.
    • Intentionally Vulnerable Applications

      • Bad SSL - _The Chromium Project_ - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
      • Cfngoat - _Bridgecrew_ - CloudFormation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the CloudFormation Infrastructure as Code Analysis tools above.
      • CI/CD Goat - _Cider Security_ - A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
  • Resources

    • Articles

    • Books

      • Alice and Bob Learn Application Security - _Tanya Janca_ - An accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development.
    • Communities

      • TAG Security - _Cloud Native Computing Foundation_ - TAG Security facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem.
    • Conferences

      • AppSec Day - _OWASP_ - An Australian application security conference run by OWASP.
    • Newsletters

      • Shift Security Left - _Cossack Labs_ - A free biweekly newsletter for security-aware developers covering application security, secure architecture, DevSecOps, cryptography, incidents, etc. that can be useful for builders and (to a lesser extent) for breakers.
    • Podcasts

      • Absolute AppSec - _Seth Law & Ken Johnson_ - Discussions about current events and specific topics related to application security.
      • DevSecOps Podcast Series - _OWASP_ - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.
      • The Secure Developer - _Snyk_ - Discussion about security tools and best practices for software developers.
    • Secure Development Guidelines

    • Secure Development Lifecycle Framework

    • Training

      • Application Security Education - _Duo Security_ - Training materials created by the Duo application security team, including introductory and advanced training presentations and hands-on labs.
      • Cybrary - _Cybrary_ - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps.
      • PentesterLab - _PentesterLab_ - Hands-on labs to understand and exploit simple and advanced web vulnerabilities.
      • SecureFlag - _OWASP_ - Hands-on secure coding training for Developers and Build/Release Engineers.
      • Security Training for Engineers - _Pager Duty_ - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.
      • SafeStack - _SafeStack_ - Security training for software development teams, designed to be accessible to individuals and small teams as well as larger organisations.
      • Secure Code Warrior - _Secure Code Warrior_ - Gamified and hands-on secure development training with support for courses, assessments and tournaments.
      • Security Training for Everyone - _Pager Duty_ - A presentation created and open-sourced by PagerDuty to provide security training to employees.
      • Semgrep Academy - _Semgrep_ - Free, on-demand courses covering topics including API security, secure coding and application security.
      • Web Security Academy - _PortSwigger_ - A set of materials and labs to learn and exploit common web vulnerabilities.
    • Wikis