https://github.com/rezmoss/awesome-security-pipeline
🔐 A curated list of open-source security tools organized by CI/CD pipeline stage. Covers secrets detection, SBOM, SAST, SCA, IaC security, container scanning, Kubernetes security & more. Actively maintained with weekly status updates
https://github.com/rezmoss/awesome-security-pipeline
List: awesome-security-pipeline
appsec awesome awesome-list checkov cicd container-security devops devsecops gitleaks kubernetes-security sast sbom security security-tools supply-chain-security trivy vulnerability-scanner
Last synced: 3 months ago
JSON representation
🔐 A curated list of open-source security tools organized by CI/CD pipeline stage. Covers secrets detection, SBOM, SAST, SCA, IaC security, container scanning, Kubernetes security & more. Actively maintained with weekly status updates
- Host: GitHub
- URL: https://github.com/rezmoss/awesome-security-pipeline
- Owner: rezmoss
- License: cc0-1.0
- Created: 2026-01-29T14:25:42.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-03-22T02:33:07.000Z (4 months ago)
- Last Synced: 2026-03-22T17:48:37.376Z (4 months ago)
- Topics: appsec, awesome, awesome-list, checkov, cicd, container-security, devops, devsecops, gitleaks, kubernetes-security, sast, sbom, security, security-tools, supply-chain-security, trivy, vulnerability-scanner
- Homepage:
- Size: 73.2 KB
- Stars: 8
- Watchers: 1
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- ultimate-awesome - awesome-security-pipeline - 🔐 A curated list of open-source security tools organized by CI/CD pipeline stage. Covers secrets detection, SBOM, SAST, SCA, IaC security, container scanning, Kubernetes security & more. Actively maintained with weekly status updates. (Other Lists / TeX Lists)
README
# Awesome Security Pipeline
[](https://awesome.re)
[](http://creativecommons.org/publicdomain/zero/1.0/)
> A curated list of open-source security tools organized by CI/CD pipeline stage.
Security shouldn't be an afterthought. This list organizes battle-tested security tools by where they fit in your pipeline, making it easy to build defense-in-depth from commit to production.
## Contents
- [Pre-commit & Secrets Detection](#pre-commit--secrets-detection)
- [SBOM Generation](#sbom-generation)
- [Artifact Signing & Verification](#artifact-signing--verification)
- [Supply Chain Compliance](#supply-chain-compliance)
- [Software Composition Analysis (SCA)](#software-composition-analysis-sca)
- [Static Application Security Testing (SAST)](#static-application-security-testing-sast)
- [Multi-language](#multi-language)
- [Language Specific](#language-specific)
- [Infrastructure as Code Security](#infrastructure-as-code-security)
- [Container Security](#container-security)
- [Image Scanning](#image-scanning)
- [Runtime Security](#runtime-security)
- [Kubernetes Security](#kubernetes-security)
- [Policy as Code](#policy-as-code)
- [Secret Management](#secret-management)
- [API & Dynamic Testing (DAST)](#api--dynamic-testing-dast)
- [Cloud Security](#cloud-security)
- [Reading the Badges](#reading-the-badges)
- [Contributing](#contributing)
- [License](#license)
---
## Pre-commit & Secrets Detection
Catch secrets and credentials before they enter your repository.
- [gitleaks](https://github.com/gitleaks/gitleaks) - Detect and prevent secrets in git repos.   
- [trufflehog](https://github.com/trufflesecurity/trufflehog) - Find credentials in git history and live systems.   
- [detect-secrets](https://github.com/Yelp/detect-secrets) - Prevent secrets from entering codebases.   
- [git-secrets](https://github.com/awslabs/git-secrets) - Prevent committing AWS credentials and secrets.   
- [talisman](https://github.com/thoughtworks/talisman) - Pre-push and pre-commit hooks for secrets detection.   
- [whispers](https://github.com/Skyscanner/whispers) - Identify hardcoded secrets in static code analysis.   
- [pre-commit](https://github.com/pre-commit/pre-commit) - Framework to manage multi-language pre-commit hooks.   
## SBOM Generation
Generate Software Bill of Materials for supply chain visibility.
- [syft](https://github.com/anchore/syft) - Generate SBOMs from container images and filesystems.   
- [cdxgen](https://github.com/CycloneDX/cdxgen) - Create CycloneDX SBOMs for various languages.   
- [cyclonedx-cli](https://github.com/CycloneDX/cyclonedx-cli) - CLI for working with CycloneDX SBOMs.   
- [spdx-sbom-generator](https://github.com/opensbom-generator/spdx-sbom-generator) - Generate SPDX format SBOMs from source code.   
- [tern](https://github.com/tern-tools/tern) - Software composition analysis for container images.   
- [sbom-tool](https://github.com/microsoft/sbom-tool) - Microsoft's scalable SBOM generation tool.   
- [sbomlyze](https://github.com/rezmoss/sbomlyze) - SBOM diff and analysis tool for supply chain drift detection.   
## Artifact Signing & Verification
Sign and verify container images and artifacts for supply chain security.
- [cosign](https://github.com/sigstore/cosign) - Sign and verify container images.   
- [notation](https://github.com/notaryproject/notation) - CNCF signing and verification standard (Notary Project).   
- [rekor](https://github.com/sigstore/rekor) - Immutable tamper-resistant transparency log for signed artifacts.   
## Supply Chain Compliance
Audit and verify supply chain security against industry benchmarks.
- [scorecard](https://github.com/ossf/scorecard) - OpenSSF security health metrics for open source projects.   
- [in-toto](https://github.com/in-toto/in-toto) - Framework to protect supply chain integrity.   
- [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) - Verify SLSA provenance for supply chain security.   
- [chain-bench](https://github.com/aquasecurity/chain-bench) - Audit supply chain against CIS benchmarks.   
## Software Composition Analysis (SCA)
Scan dependencies for known vulnerabilities.
- [grype](https://github.com/anchore/grype) - Vulnerability scanner for container images and filesystems.   
- [trivy](https://github.com/aquasecurity/trivy) - All-in-one security scanner for vulnerabilities and misconfigurations.   
- [osv-scanner](https://github.com/google/osv-scanner) - Vulnerability scanner using the OSV database.   
- [dependency-track](https://github.com/DependencyTrack/dependency-track) - Intelligent component analysis platform.   
- [snyk-cli](https://github.com/snyk/cli) - Find and fix vulnerabilities in dependencies.   
- [bomber](https://github.com/devops-kung-fu/bomber) - Scan SBOMs for vulnerabilities.   
- [vet](https://github.com/safedep/vet) - Policy-driven dependency vetting tool.   
- [deps.dev](https://deps.dev) - Google's dependency insights service (API/Website).
- [safe-chain](https://github.com/AikidoSec/safe-chain) - Block malicious packages during npm/pip install.   
## Static Application Security Testing (SAST)
Analyze source code for security vulnerabilities.
### Multi-language
Tools that support multiple programming languages.
- [semgrep](https://github.com/semgrep/semgrep) - Lightweight static analysis for many languages.   
- [bearer](https://github.com/Bearer/bearer) - Code security scanner for data flows.   
- [horusec](https://github.com/ZupIT/horusec) - Multi-language security analysis tool.   
- [codeql](https://github.com/github/codeql) - Semantic code analysis engine by GitHub.   
- [sonarqube](https://github.com/SonarSource/sonarqube) - Continuous inspection of code quality and security.   
- [spotbugs](https://github.com/spotbugs/spotbugs) - Static analysis tool for finding bugs in Java.   
### Language Specific
Specialized tools for individual programming languages.
#### Python
- [bandit](https://github.com/PyCQA/bandit) - Security linter for Python code.   
- [safety](https://github.com/pyupio/safety) - Check Python dependencies for vulnerabilities.   
- [pyre-check](https://github.com/facebook/pyre-check) - Performant type checker with security analysis.   
#### JavaScript/Node.js
- [njsscan](https://github.com/ajinabraham/njsscan) - Semantic SAST tool for Node.js applications.   
- [eslint-plugin-security](https://github.com/eslint-community/eslint-plugin-security) - ESLint rules for Node.js security.   
#### Go
- [gosec](https://github.com/securego/gosec) - Security checker for Go source code.   
- [govulncheck](https://github.com/golang/vuln) - Official Go vulnerability scanner for dependencies and binaries.   
#### Ruby
- [brakeman](https://github.com/presidentbeef/brakeman) - Static analysis for Ruby on Rails applications.   
#### PHP
- [phpstan](https://github.com/phpstan/phpstan) - PHP static analysis tool.   
- [psalm](https://github.com/vimeo/psalm) - Static analysis tool for PHP with security focus.   
#### Rust
- [cargo-audit](https://github.com/RustSec/rustsec) - Audit Cargo.lock for crates with security vulnerabilities.   
## Infrastructure as Code Security
Scan infrastructure configurations for security misconfigurations.
- [checkov](https://github.com/bridgecrewio/checkov) - Scan cloud infrastructure configurations.   
- [tfsec](https://github.com/aquasecurity/tfsec) - Security scanner for Terraform code.   
- [terrascan](https://github.com/tenable/terrascan) - Detect compliance and security violations in IaC.   
- [kics](https://github.com/Checkmarx/kics) - Find security vulnerabilities and compliance issues in IaC.   
- [trivy](https://github.com/aquasecurity/trivy) - Also scans IaC misconfigurations (Terraform, CloudFormation, etc.).   
- [snyk-iac](https://github.com/snyk/cli) - Infrastructure as Code security scanning.   
- [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) - AWS CloudFormation linter with security rules.   
- [zizmor](https://github.com/zizmorcore/zizmor) - Static analysis for GitHub Actions workflows.   
## Container Security
Secure container images and runtime environments.
### Image Scanning
Scan container images for vulnerabilities before deployment.
- [trivy](https://github.com/aquasecurity/trivy) - Comprehensive vulnerability scanner for containers.   
- [grype](https://github.com/anchore/grype) - Vulnerability scanner for container images.   
- [clair](https://github.com/quay/clair) - Vulnerability static analysis for containers.   
- [anchore-engine](https://github.com/anchore/anchore-engine) - Container analysis and policy evaluation.    *(Migrate to [Syft](https://github.com/anchore/syft) + [Grype](https://github.com/anchore/grype))*
- [docker-bench-security](https://github.com/docker/docker-bench-security) - Check Docker deployment against CIS benchmarks.   
- [dockle](https://github.com/goodwithtech/dockle) - Container image linter for security best practices.   
- [hadolint](https://github.com/hadolint/hadolint) - Dockerfile linter for best practices and security rules (does not perform vulnerability database scanning).   
- [dive](https://github.com/wagoodman/dive) - Explore and analyze Docker image layers and efficiency and inspect image contents (for analysis/inspection, not vulnerability scanning).   
### Runtime Security
Monitor and protect containers at runtime.
- [falco](https://github.com/falcosecurity/falco) - Cloud-native runtime security and threat detection.   
- [tracee](https://github.com/aquasecurity/tracee) - Linux runtime security and forensics using eBPF.   
- [tetragon](https://github.com/cilium/tetragon) - eBPF-based security observability and runtime enforcement.   
- [sysdig-inspect](https://github.com/draios/sysdig-inspect) - System call visualization and container analysis.   
## Kubernetes Security
Secure Kubernetes clusters, manifests, and workloads.
- [kube-bench](https://github.com/aquasecurity/kube-bench) - Check Kubernetes against CIS benchmarks.   
- [kubescape](https://github.com/kubescape/kubescape) - Kubernetes security risk analysis and compliance.   
- [kube-linter](https://github.com/stackrox/kube-linter) - Static analysis for Kubernetes YAML and Helm charts.   
- [kyverno](https://github.com/kyverno/kyverno) - Kubernetes native policy management.   
- [polaris](https://github.com/FairwindsOps/polaris) - Validate Kubernetes best practices and policies.   
- [trivy-operator](https://github.com/aquasecurity/trivy-operator) - Kubernetes-native security reports.   
- [kubiscan](https://github.com/cyberark/KubiScan) - Scan Kubernetes RBAC for risky permissions.   
- [kube-hunter](https://github.com/aquasecurity/kube-hunter) - Hunt for security weaknesses in Kubernetes clusters.   
## Policy as Code
Define and enforce security policies as code across your infrastructure.
- [opa](https://github.com/open-policy-agent/opa) - Open Policy Agent, industry standard for policy as code.   
- [gatekeeper](https://github.com/open-policy-agent/gatekeeper) - OPA for Kubernetes admission control.   
- [datree](https://github.com/datreeio/datree) - Prevent Kubernetes misconfigurations.   
- [conftest](https://github.com/open-policy-agent/conftest) - Test configuration files against OPA policies.   
## Secret Management
Securely manage and distribute secrets in Kubernetes and GitOps workflows.
- [sealed-secrets](https://github.com/bitnami-labs/sealed-secrets) - Encrypt secrets locally, decrypt only in cluster.   
- [external-secrets](https://github.com/external-secrets/external-secrets) - Sync secrets from AWS/Vault/Azure into Kubernetes.   
- [sops](https://github.com/getsops/sops) - Editor-transparent encryption for Git files.   
- [vault](https://github.com/hashicorp/vault) - Secrets management, encryption as a service, and privileged access.   
- [infisical](https://github.com/Infisical/infisical) - Open-source secret management platform with native integrations.   
## API & Dynamic Testing (DAST)
Test running applications for vulnerabilities.
- [zap](https://github.com/zaproxy/zaproxy) - OWASP ZAP web application security scanner.   
- [nuclei](https://github.com/projectdiscovery/nuclei) - Fast and customizable vulnerability scanner.   
- [nikto](https://github.com/sullo/nikto) - Web server scanner for dangerous files and vulnerabilities.   
- [arachni](https://github.com/Arachni/arachni) - Feature-rich web application security scanner.    *(Consider [ZAP](https://github.com/zaproxy/zaproxy) or [Nuclei](https://github.com/projectdiscovery/nuclei) instead)*
- [wapiti](https://github.com/wapiti-scanner/wapiti) - Web application vulnerability scanner.   
- [sqlmap](https://github.com/sqlmapproject/sqlmap) - Automatic SQL injection detection and exploitation.   
## Cloud Security
Assess and audit cloud infrastructure security posture.
- [prowler](https://github.com/prowler-cloud/prowler) - AWS, Azure, and GCP security assessments.   
- [cloudsplaining](https://github.com/salesforce/cloudsplaining) - AWS IAM security assessment tool.   
- [ScoutSuite](https://github.com/nccgroup/ScoutSuite) - Multi-cloud security auditing tool.   
- [steampipe](https://github.com/turbot/steampipe) - Query cloud resources using SQL.   
- [cloudquery](https://github.com/cloudquery/cloudquery) - Cloud asset inventory and security analysis with SQL.   
- [cartography](https://github.com/lyft/cartography) - Map infrastructure relationships and attack surface.   
---
## Reading the Badges
Each tool displays status and activity badges for transparency.
### Maintenance Status (Updated Weekly)
Status badges are **automatically updated every week** by our GitHub Action to reflect current maintenance status.
| Badge | Meaning |
|-------|---------|
|  | **Active** - Updated within the last 6 months |
|  | **Stale** - No updates in 6-12 months; use with caution |
|  | **Unmaintained** - No updates in 12+ months; consider alternatives |
|  | **Archived** - Repository has been archived by owner |
|  | **Deprecated** - Officially superseded; migration recommended |
### Activity Badges
| Badge | Meaning |
|-------|---------|
|  | GitHub star count - indicates community adoption |
|  | Last commit date - shows exact update time |
> **Tip:** While we update status badges weekly, always verify the "Last Commit" badge for the most current information before adopting a tool.
## Contributing
Contributions are welcome! Please read the [contribution guidelines](CONTRIBUTING.md) first.
**Before submitting:**
- Repository must be **at least 1 month old** (anti-spam requirement)
- Repository must have **at least 5 stars**
- Tool must have been **updated within the last 12 months**
- You must **disclose any affiliation** with the tool
See [CONTRIBUTING.md](CONTRIBUTING.md) for full details.
## License
[](http://creativecommons.org/publicdomain/zero/1.0/)
To the extent possible under law, the contributors have waived all copyright and related or neighboring rights to this work.