awesome-devsecops

DevSecOps guide

Curates resources and tooling for security practices in software development.

Curating the best DevSecOps resources and tooling.

GitHub
1k stars
35 watching
193 forks
last commit: 4 months ago
Linked from 4 awesome lists

application-securityawesomeawesome-listdevopsdevsecopshacktoberfestsecure-software-development

Resources / Articles
Our Approach to Employee Security Training - Guidelines to running security training within an organisation
DevSecOps: Making Security Central To Your DevOps Pipeline - An article explains what DevSecOps aims to achieve, why it’s advantageous, and how the DevSecOps lifecycle looks

Resources / Books
Alice and Bob Learn Application Security - An accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development

Resources / Communities
DevSecCon - A community that runs conferences, a blog, a podcast and a Discord dedicated to DevSecOps
TAG Security - TAG Security facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem

Resources / Conferences
AppSec Day - An Australian application security conference run by OWASP
DevSecCon - A network of DevSecOps conferences run by Snyk

Resources / Newsletters
Shift Security Left - A free biweekly newsletter for security-aware developers covering application security, secure architecture, DevSecOps, cryptography, incidents, etc. that can be useful for builders and (to a lesser extent) for breakers

Resources / Podcasts
Absolute AppSec - Discussions about current events and specific topics related to application security
Application Security Podcast - Interviews with industry experts about specific application security concepts
BeerSecOps - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas
DevSecOps Podcast Series - Discussions with thought leaders and practitioners to integrate security into the development lifecycle
The Secure Developer - Discussion about security tools and best practices for software developers

Resources / Secure Development Guidelines
Application Security Verification Standard - A framework of security requirements and controls to help developers design and develop secure web applications
Coding Standards - A collection of secure development standards for C, C++, Java and Android development
Fundamental Practices for Secure Software Development - Guidelines for implementing key secure development practices throughout the SDLC
Proactive Controls - OWASP's list of top ten controls that should be implemented in every software development project
Secure Coding Guidelines - A guideline containing specific secure development standards for secure web application development
Secure Coding Practices Quick Reference Guide - A checklist to verify that secure development standards have been followed

Resources / Secure Development Lifecycle Framework
Building Security In Maturity Model (BSIMM) - A framework for software security created by observing and analysing data from leading software security initiatives
Secure Development Lifecycle - A collection of tools and practices that serve as a framework for the secure development lifecycle
Secure Software Development Framework - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle
Software Assurance Maturity Model 397 over 2 years ago - A framework to measure and improve the maturity of the secure development lifecycle

Resources / Toolchains
Cloud Security and DevSecOps Best Practices and Securing Web Application Technologies (SWAT) Checklist - A poster containing the Securing Web Application Technologies (SWAT) Checklist, SANS Cloud Security Curriculum, Cloud Security Top 10, Top 12 Kubernetes Threats, and Secure DevOps Toolchain
Periodic Table of DevOps Tools - A collection of DevSecOps tooling categorised by tool functionality

Resources / Training
Application Security Education 71 over 3 years ago - Training materials created by the Duo application security team, including introductory and advanced training presentations and hands-on labs
Cybrary - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps
PentesterLab - Hands on labs to understand and exploit simple and advanced web vulnerabilities
Practical DevSecOps - Learn DevSecOps concepts, tools, and techniques from industry experts with practical DevSecOps using state of the art browser-based labs
SafeStack - Security training for software development teams, designed to be accessible to individuals and small teams as well as larger organisations
Secure Code Warrior - Gamified and hands-on secure development training with support for courses, assessments and tournaments
SecureFlag - Hands-on secure coding training for Developers and Build/Release Engineers
Security Training for Engineers - A presentation created and open-sourced by PagerDuty to provide security training to software engineers
Security Training for Everyone - A presentation created and open-sourced by PagerDuty to provide security training employees
Semgrep Academy - Free, on-demand courses covering topics including API security, secure coding and application security
Web Security Academy - A set of materials and labs to learn and exploit common web vulnerabilities
WeHackPuple - Online courses that teach application security theory and hands-on technical lessons

Resources / Wikis
DevSecOps Hub - Introduction to key DevSecOps concepts, processes and technologies
SecureFlag Knowledge Base - A repository of information about software vulnerabilities and how to prevent them

Tools / Dependency Management
Deepfence ThreatMapper 4,837 6 days ago Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless
Dependabot - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies
Dependency-Check - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins
Dependency-Track - Monitor the volume and severity of vulnerable dependencies across multiple projects over time
JFrog XRay - Security and compliance analysis for artifacts stored in JFrog Artifactory
NPM Audit - Vulnerable package auditing for node packages built into the npm CLI
Renovate - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps
Requires.io - Automated vulnerable dependency monitoring and upgrades for Python projects
Snyk Open Source - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database

Tools / Dynamic Analysis
Automatic API Attack Tool 457 over 1 year ago - Perform automated security scanning against an API based on an API specification
BurpSuite Enterprise Edition - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications
Gauntlt 982 over 2 years ago - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax
Netz 388 over 3 years ago - Discover internet-wide misconfigurations, using zgrab2 and others
RESTler 2,610 about 1 month ago - A stateful RESTful API scanner based on peer-reviewed research papers
SSL Labs Scan 1,704 4 months ago - Automated scanning for SSL / TLS configuration issues
Zed Attack Proxy (ZAP) 12,743 6 days ago - An open-source web application vulnerability scanner, including an API for CI/CD integration

Tools / Infrastructure as Code Analysis
Checkov 7,126 7 days ago - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration
KICS 2,093 7 days ago - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle
Spectral DeepConfig - Find misconfiguration both in infrastructure as well as apps as early as commit time
Terrascan 4,766 9 days ago - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure
Cfn Nag 1,260 4 months ago - Scan AWS CloudFormation templates for insecure configuration
Clair 10,359 8 days ago - Scan App Container and Docker containers for publicly disclosed vulnerabilities
Dagda 1,159 over 1 year ago - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning
Docker-Bench-Security 9,146 about 1 month ago - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production
Grype 8,812 6 days ago - An easy-to-integrate open source vulnerability scanning tool for container images and filesystems
Hadolint 10,453 24 days ago - Checks a Dockerfile against known rules and validates inline bash code in RUN statements
Snyk Container - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring
Trivy 23,679 7 days ago - Simple and comprehensive vulnerability scanner for containers
Regula 962 3 months ago - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment
Terraform Compliance - A lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code
Tfsec 6,718 about 2 months ago - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice
Kubescape - An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters
Kube-Score 2,788 13 days ago - Scan Kubernetes object definitions for security and performance misconfiguration
Kubectrl Kubesec 509 11 months ago - Plugin for kubesec.io to perform security risk analysis for Kubernetes resources
Ansible-Lint 3,491 6 days ago - Checks playbooks for practices and behaviour that could potentially be improved. As a community backed project ansible-lint supports only the last two major versions of Ansible

Tools / Intentionally Vulnerable Applications
Bad SSL 2,854 6 months ago - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling
Cfngoat 92 4 months ago - Cloud Formation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the Cloud Formation Infrastructure as Code Analysis tools above
CI/CD Goat 1,946 4 months ago - A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges
Damn Vulnerable Web App - A web application that provides a safe environment to understand and exploit common web vulnerabilities
Juice Shop 10,466 10 days ago - A web application containing the OWASP Top 10 security vulnerabilities and more
Kubernetes Goat 4,421 8 days ago - Intentionally vulnerable cluster environment to learn and practice Kubernetes security
NodeGoat 1,885 5 months ago - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities
Pentest-Ground - Pentest-Ground is a free playground with deliberately vulnerable web applications and network services
Terragoat 1,154 2 months ago - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above
Vulnerable Web Apps Directory - A collection of vulnerable web applications for learning purposes
WrongSecrets 1,233 6 days ago - Vulnerable app with examples showing how to not use secrets

Tools / Monitoring
Csper - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts
Streamdal - Embed privacy controls in your application code to detect and monitor PII as it enters and leaves your systems, preventing it from reaching unintended databases, data streams, or pipelines

Tools / Secrets Management
Ansible Vault - Securely store secrets within Ansible pipelines
AWS Key Management Service (KMS) - Create and manage cryptographic keys in AWS
AWS Secrets Manager - Securely store retrievable application secrets in AWS
Azure Key Vault - Securely store secrets within Azure
BlackBox 6,687 about 2 months ago - Encrypt credentials within your code repository
Chef Vault 407 about 2 months ago - Securely store secrets within Chef
CredStash 2,059 almost 3 years ago - Securely store secrets within AWS using KMS and DynamoDB
CyberArk Application Access Manager - Secrets management for applications including secret rotation and auditing
Docker Secrets - Store and manage access to secrets within a Docker swarm
Git Secrets 12,442 7 months ago - Scan git repositories for secrets committed within code or commit messages
Gopass 5,926 12 days ago - Password manager for teams relying on Git and gpg. Manages secrets in encrypted files and repositories
Google Cloud Key Management Service (KMS) - Securely store secrets within GCP
HashiCorp Vault - Securely store secrets via UI, CLI or HTTP API
Keyscope 387 6 months ago - Keyscope is an open source key and secret workflow tool (validation, invalidation, etc.) built in Rust
Pinterest Knox 1,233 9 days ago - Securely store, rotate and audit secrets
Secrets Operations (SOPS) 17,010 10 days ago - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files
Teller 2,895 4 months ago - A secrets management tool for developers - never leave your command line for secrets

Tools / Secrets Scanning
CredScan - A credential scanning tool that can be run as a task in Azure DevOps pipelines
Detect Secrets 3,829 29 days ago - An aptly named module for (surprise, surprise) detecting secrets within a code base
GitGuardian - A web-based solution that scans and monitors public and private git repositories for secrets
Gitleaks 17,964 16 days ago - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repositories
git-secrets 12,442 7 months ago - Scans commits, commit messages and merges for secrets. Native support for AWS secret patterns, but can be configured to support other patterns
Nightfall - A web-based platform that monitors for sensitive data disclosure across several SDLC tools, including GitHub repositories
Repo-supervisor 637 over 1 year ago - Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda
SpectralOps - Automated code security, secrets, tokens and sensitive data scanning
truffleHog 17,263 5 days ago - Searches through git repositories for secrets, digging deep into commit history and branches

Tools / Static Analysis
DevSkim 910 9 days ago - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages
Graudit 1,538 4 months ago - Grep source code for potential security flaws with custom or pre-configured regex signatures
Hawkeye 358 about 3 years ago - Modularised CLI tool for project security, vulnerability and general risk highlighting
LGTM - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries
RIPS - Automated static analysis for PHP, Java and Node.js projects
SemGrep - Semgrep is a fast, open-source, static analysis tool that finds bugs and enforces code standards at editor, commit, and CI time
SonarLint - An IDE plugin that highlights potential security security issues, code quality issues and bugs
SonarQube - Scan code for security and quality issues with support for a wide variety of languages
FlawFinder 489 4 months ago - Scan C / C++ code for potential security weaknesses
Puma Scan 446 about 2 years ago - A Visual Studio plugin to scan .NET projects for potential security flaws
Conftest 2,877 9 days ago - Create custom tests to scan any configuration file for security flaws
Selefra 524 about 1 year ago - An open-source policy-as-code software that provides analytics for multi-cloud and SaaS
Deep Dive - Static analysis for JVM deployment units including Ear, War, Jar and APK
Find Security Bugs 2,283 3 months ago - SpotBugs plugin for security audits of Java web applications. Supports Eclipse, IntelliJ, Android Studio and SonarQube
SpotBugs 3,512 8 days ago - Static code analysis for Java applications
ESLint - Linting tool for JavaScript with multiple security linting rules available
Golang Security Checker 7,852 10 days ago - CLI tool to scan Go code for potential security flaws
Security Code Scan 944 5 months ago - Static code analysis for C# and VB.NET applications
Phan 5,539 15 days ago - Broad static analysis for PHP applications with some support for security scanning features
PHPCS Security Audit 710 almost 2 years ago - PHP static analysis with rules for PHP, Drupal 7 and PHP related CVEs
Progpilot 330 4 months ago - Static analysis for PHP source code
Bandit 6,485 8 days ago - Find common security vulnerabilities in Python code
Brakeman 7,015 9 days ago - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities
DawnScanner 737 9 months ago - Security scanning for Ruby scripts and web application. Supports Ruby on Rails, Sinatra and Padrino frameworks

Tools / Supply Chain Security
Harden Runner GitHub Action 621 24 days ago - installs a security agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of credentials, detect compromised dependencies and build tools, and detect tampering of source code during the build
Overlay 222 9 months ago - a browser extension helping developers evaluate open source packages before picking them
Preflight 153 almost 2 years ago - helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems, such as in the recent
Sigstore sigstore is a set of free to use and open source tools, including , and , handling digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software
Syft 6,248 6 days ago - A CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems

Tools / Threat Modelling
Awesome Threat Modelling 1,407 4 months ago - A curated list of threat modelling resources
SecuriCAD - Treat modelling and attack simulations for IT infrastructure
IriusRisk - Draw threat models and capture threats and countermeasures and manage risk
Raindance Project 46 almost 8 years ago - Use attack maps to identify attack surface and adversary strategies that may lead to compromise
SD Elements - Identify and rank threats, generate actionable tasks and track related tickets
Threat Dragon - Threat model diagramming tool
Threat Modelling Tool - Threat model diagramming tool
Threatspec - Define threat modelling as code
Awesome Dynamic Analysis 947 9 days ago - A collection of dynamic analysis tools and code quality checkers
Awesome Platform Engineering 357 28 days ago A curated list of solutions, tools and resources for
Awesome Static Analysis 13,359 3 days ago - A collection of static analysis tools and code quality checkers
Awesome Threat Modelling 1,407 4 months ago - A curated list of threat modeling resources
Vulnerable Web Apps Directory - A collection of vulnerable web applications for learning purposes

Backlinks from these awesome lists:

More related projects: