awesome-devsecops
🔐 A curated list of awesome DevSecOps tools, practices, and resources for securing the software development lifecycle
https://github.com/tysoncung/awesome-devsecops

CI/CD Security
- GitHub Advanced Security - Code scanning, secret scanning and dependency review for GitHub repositories
- CircleCI Security - Security features and hardening guidance for CircleCI pipelines
- Azure DevOps Security - Security features for Azure DevOps pipelines and repositories

Cloud Security
AWS Security
- AWS Security Hub - Centralized view of security findings across AWS accounts
- Amazon GuardDuty - Managed threat detection from CloudTrail, VPC flow and DNS logs
- Amazon Inspector - Vulnerability management for EC2, ECR images and Lambda
- AWS CloudTrail - API audit logging
Azure Security
- Microsoft Sentinel (formerly Azure Sentinel) - Cloud-native SIEM and SOAR
- Azure Policy - Governance

Code Security
Secrets Detection
- GitGuardian - Secrets detection
- TruffleHog - Find secrets in git repos
- Gitleaks - Detect hardcoded secrets in git history, files and stdin
- detect-secrets - Yelp's pre-commit friendly secrets scanner with a baseline file for known findings
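The tools above combine two detection strategies: known-format regexes for structured credentials and an entropy heuristic for opaque tokens. The script below is an added example written for this list, not code from GitGuardian, TruffleHog, Gitleaks or detect-secrets. It scans only the added lines of a diff, the way a pre-commit hook would; the diff, the variable names and the entropy threshold of 4.5 bits per character are assumptions, and the AWS key is the example value from the AWS documentation, not a live credential.

```python
"""Pre-commit style secrets scan over a diff (added example, not a listed tool's code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Structured credentials are matched by shape. Entropy alone misses them:
# an AWS access key id is only 20 characters and not especially random.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Opaque tokens: a secret-looking variable name assigned a long token-like
# value. The value is then judged by entropy so that placeholders such as
# "changeme_in_production" do not fire.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\w*(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9+/=_\-]{20,})"
)
# Bits per character (assumed threshold; detect-secrets uses 4.5 for base64
# strings). A 32-character value with all-distinct characters scores exactly 5.0.
ENTROPY_THRESHOLD = 4.5


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str  # never log the raw value: scanner output is itself a leak path


def shannon_entropy(value: str) -> float:
    """Shannon entropy of `value` in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_diff(diff_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, raw in enumerate(diff_text.splitlines(), start=1):
        # Only added lines are scanned; "+++ b/path" is a file header, not content.
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        for rule, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, redact(m.group(0))))
        m = SECRET_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(line_no, "high_entropy_assignment", redact(m.group(1))))
    return findings


# Constructed diff: line 1 a structured key, line 2 a low-entropy placeholder
# that must not fire, line 3 an opaque token, line 4 a key block, line 5 a
# removed line (not scanned), line 6 unchanged context.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme_in_production"
+API_TOKEN = "qZ3mK8vR1xT7bN4wY9cL2dF6hJ0gP5sA"
+-----BEGIN RSA PRIVATE KEY-----
-API_TOKEN = "AKIAIOSFODNN7EXAMPLE"
 print("hello")
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

Note that the removed line on line 5 is not reported: a pre-commit hook only prevents new secrets from entering history. Anything already committed needs a full-history scan and, since git history is effectively public once pushed, rotation of the credential rather than just deletion.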
Software Composition Analysis (SCA)
- Snyk Open Source - Dependency scanning
- Dependabot - GitHub's dependency updater
- OWASP Dependency-Check - SCA tool
- Mend (formerly WhiteSource) - SCA and open source license compliance
- Trivy - Scanner for dependencies, container images, IaC misconfigurations and secrets
Static Application Security Testing (SAST)

Community & Resources
Blogs & News
- The DevSecOps Blog - DevSecOps insights
- Snyk Blog - Developer security
Communities
- OWASP Slack - OWASP community
- r/netsec - Information security news and discussion
- r/devops - DevOps community
Conferences
- RSA Conference - Security conference
- Black Hat - InfoSec event
- OWASP Global AppSec - Application security
Podcasts
- Absolute AppSec - Application security
- Application Security Weekly - AppSec news
- Darknet Diaries - True security stories

Compliance & Policy
- OPA Gatekeeper - Open Policy Agent admission controller for Kubernetes
- Kyverno - Kubernetes-native policy management
- Allstar - GitHub security policy enforcement

Container & Kubernetes Security
Container Scanning
- Clair - Container vulnerability scanner
- Anchore Grype - Vulnerability scanner
- Docker Scout - Image vulnerability analysis and SBOMs from Docker
- Snyk Container - Container security
Kubernetes Security Tools
- Falco - Cloud-native runtime security
- kube-bench - Checks Kubernetes deployments against the CIS Kubernetes Benchmark
- kube-hunter - Hunts for security weaknesses in Kubernetes clusters from an attacker's viewpoint
- Kubescape - K8s security platform
- Polaris - Kubernetes best practices
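Gatekeeper and Kyverno (under Compliance & Policy) enforce pod hardening rules at admission time, and Polaris and kube-bench audit running clusters against much the same rules. To make those rules concrete, the check below is an added example in plain Python, not code from any of those projects, which express the same logic as Rego, Kyverno YAML or built-in checks. It flags privileged containers, missing `runAsNonRoot`, privilege escalation left enabled, `hostNetwork`/`hostPID`/`hostIPC`, `hostPath` volumes, unpinned images and missing resource limits. Both manifests are constructed and the image digest is a placeholder.

```python
"""Pod hardening checks in the style of an admission policy (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Violation:
    rule: str
    container: Optional[str]  # None for pod-level rules
    message: str


def image_is_pinned(image: str) -> bool:
    """True for a digest reference or a non-'latest' tag.

    The registry part may carry a port (registry:5000/app), so the tag is
    taken from the last path component only.
    """
    if "@sha256:" in image:
        return True
    name = image.rsplit("/", 1)[-1]
    if ":" not in name:
        return False  # no tag means ':latest'
    return name.rsplit(":", 1)[1] != "latest"


def check_pod(pod: dict) -> list[Violation]:
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations: list[Violation] = []

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            violations.append(Violation(flag.lower(), None, f"spec.{flag} must not be true"))

    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            violations.append(Violation("hostpath-volume", None,
                                        f'volume {vol.get("name")} mounts host path {vol["hostPath"].get("path")}'))

    # Init containers run with the same privileges as regular ones, so check both.
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(Violation("privileged", name, "securityContext.privileged must be false"))
        # Container-level settings override pod-level ones; resolve the effective value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(Violation("run-as-non-root", name,
                                        "runAsNonRoot must be true at pod or container level"))
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(Violation("allow-privilege-escalation", name,
                                        "allowPrivilegeEscalation must be explicitly false"))
        if not image_is_pinned(c.get("image", "")):
            violations.append(Violation("image-not-pinned", name,
                                        f'image {c.get("image")!r} must use a digest or a fixed tag'))
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits or "memory" not in limits:
            violations.append(Violation("no-resource-limits", name,
                                        "resources.limits.cpu and resources.limits.memory are required"))
    return violations


# Constructed manifests. BAD_POD is the classic "debug shell" that is really a node takeover.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell",
            "image": "ubuntu:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        }],
    },
}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api",
            # placeholder digest, not a real image
            "image": "registry.example:5000/team/api@sha256:" + "0123456789abcdef" * 4,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        vs = check_pod(pod)
        print(f'{pod["metadata"]["name"]}: {"OK" if not vs else str(len(vs)) + " violation(s)"}')
        for v in vs:
            print(f"  [{v.rule}] {v.container or 'pod'}: {v.message}")
```

Running the same rule set in CI against rendered manifests (what Polaris does) and at admission (what Gatekeeper or Kyverno do) means a developer sees the failure before a deploy rather than from a rejected apply, and the cluster still enforces it for anything that bypassed the pipeline.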
Runtime Security
- Sysdig Secure - Container and Kubernetes security
- Aqua Security - Full lifecycle container security
- Tracee - Runtime security and forensics

Infrastructure Security
Cloud Security Posture Management
- Prowler - Security assessment and compliance checks for AWS, Azure and GCP
- CloudSploit - Cloud security configuration scanner
- ScoutSuite - Multi-cloud security auditing
- Cloud Custodian - Rules engine for cloud governance and automated remediation
Infrastructure as Code (IaC) Security
Network Security
- Cilium - eBPF-based networking and security
- Calico - Container networking and security
- Istio - Service mesh with security features
- Open Policy Agent (OPA) - Policy engine

Learning & Getting Started
Books & Guides
- DevSecOps Handbook - Comprehensive guide to DevSecOps
- OWASP DevSecOps Guideline - Official OWASP guide
- Alice and Bob Learn Application Security - Tanya Janca's beginner-friendly application security book
- The Phoenix Project - Novel about IT, DevOps, and helping your business win
Frameworks & Standards
- NIST Secure Software Development Framework (SSDF) - Secure SDLC framework
- OWASP Top 10 - Top web application security risks
- OWASP SAMM - Software Assurance Maturity Model
- NIST Cybersecurity Framework - Framework for improving critical infrastructure cybersecurity
- ISO 27001 - Information security management
Training & Certification
- Certified DevSecOps Professional (CDP) - Hands-on certification from Practical DevSecOps
- SANS DevSecOps Courses - Professional training
- ISC2 CSSLP - Certified Secure Software Lifecycle Professional

Open Source Security
- OpenSSF - Open Source Security Foundation
- OpenSSF Scorecard - Security health metrics
- SBOM Tools - Generating and consuming Software Bills of Materials (CycloneDX and SPDX formats)
- Sigstore - Keyless signing and verification of software artifacts (cosign, Fulcio, Rekor)

Platforms & Solutions
- Snyk - Developer security platform
- Palo Alto Prisma Cloud - CNAPP platform

Related Lists
- awesome-security - Security resources
- awesome-application-security - Application security
- awesome-kubernetes-security - Kubernetes security
- awesome-cloud-security - Cloud security
- awesome-threat-intelligence - Threat intelligence

Secrets Management
- HashiCorp Vault - Secrets management
- AWS Secrets Manager - AWS secrets service
- Azure Key Vault - Azure secrets management
- Doppler - Secrets management platform
- Sealed Secrets - Encrypt Kubernetes Secrets so they can be committed to git (Bitnami)

Security Automation
- SOAR platforms - Security orchestration, automation and response
- Ansible Security Automation - Ansible playbooks and collections for security operations
- DefectDojo - OWASP vulnerability management and security orchestration

Security Champions Programs
- OWASP Security Champions Guide - Building security champions
- Security Champions Playbook - Open source playbook

Security Monitoring & Incident Response
- Wazuh - Security monitoring platform
- OSSEC - Host-based intrusion detection
- Elastic Security - SIEM solution
- Cortex - Observable analysis and active response engine from the TheHive project

Security Testing
API Security Testing
- OWASP API Security Top 10 - API security risks
- Postman - API testing with security features
- REST Assured - Java library for testing REST APIs
- SoapUI - API testing tool
Dynamic Application Security Testing (DAST)
- OWASP ZAP - Web app security scanner
- Burp Suite - Web security testing
- Nuclei - Template-based vulnerability scanner from ProjectDiscovery
- Acunetix - Web vulnerability scanner
Fuzzing

Threat Modeling
- OWASP Threat Dragon - Threat modeling tool
- Microsoft Threat Modeling Tool - STRIDE-based threat modeling tool from Microsoft
- IriusRisk - Threat modeling platform
- Threatspec - Threat modeling as code

Vulnerability Management
- Faraday - Collaborative penetration test platform
- ArcherySec - Vulnerability assessment and management
- OpenVAS - Open source vulnerability scanner maintained by Greenbone