awesome-devsecops
Curating the best DevSecOps resources and tooling.
1k stars
35 watching
188 forks
last commit: 2 months ago
Linked from 4 awesome lists
application-securityawesomeawesome-listdevopsdevsecopshacktoberfestsecure-software-development
Resources / Articles | |||
| Our Approach to Employee Security Training | - Guidelines to running security training within an organisation | ||
| DevSecOps: Making Security Central To Your DevOps Pipeline | - An article explains what DevSecOps aims to achieve, why it’s advantageous, and how the DevSecOps lifecycle looks | ||
Resources / Books | |||
| Alice and Bob Learn Application Security | - An accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development | ||
Resources / Communities | |||
| DevSecCon | - A community that runs conferences, a blog, a podcast and a Discord dedicated to DevSecOps | ||
| TAG Security | - TAG Security facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem | ||
Resources / Conferences | |||
| AppSec Day | - An Australian application security conference run by OWASP | ||
| DevSecCon | - A network of DevSecOps conferences run by Snyk | ||
Resources / Newsletters | |||
| Shift Security Left | - A free biweekly newsletter for security-aware developers covering application security, secure architecture, DevSecOps, cryptography, incidents, etc. that can be useful for builders and (to a lesser extent) for breakers | ||
Resources / Podcasts | |||
| Absolute AppSec | - Discussions about current events and specific topics related to application security | ||
| Application Security Podcast | - Interviews with industry experts about specific application security concepts | ||
| BeerSecOps | - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas | ||
| DevSecOps Podcast Series | - Discussions with thought leaders and practitioners to integrate security into the development lifecycle | ||
| The Secure Developer | - Discussion about security tools and best practices for software developers | ||
Resources / Secure Development Guidelines | |||
| Application Security Verification Standard | - A framework of security requirements and controls to help developers design and develop secure web applications | ||
| Coding Standards | - A collection of secure development standards for C, C++, Java and Android development | ||
| Fundamental Practices for Secure Software Development | - Guidelines for implementing key secure development practices throughout the SDLC | ||
| Proactive Controls | - OWASP's list of top ten controls that should be implemented in every software development project | ||
| Secure Coding Guidelines | - A guideline containing specific secure development standards for secure web application development | ||
| Secure Coding Practices Quick Reference Guide | - A checklist to verify that secure development standards have been followed | ||
Resources / Secure Development Lifecycle Framework | |||
| Building Security In Maturity Model (BSIMM) | - A framework for software security created by observing and analysing data from leading software security initiatives | ||
| Secure Development Lifecycle | - A collection of tools and practices that serve as a framework for the secure development lifecycle | ||
| Secure Software Development Framework | - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle | ||
| Software Assurance Maturity Model | 395 | over 2 years ago | - A framework to measure and improve the maturity of the secure development lifecycle |
Resources / Toolchains | |||
| Cloud Security and DevSecOps Best Practices and Securing Web Application Technologies (SWAT) Checklist | - A poster containing the Securing Web Application Technologies (SWAT) Checklist, SANS Cloud Security Curriculum, Cloud Security Top 10, Top 12 Kubernetes Threats, and Secure DevOps Toolchain | ||
| Periodic Table of DevOps Tools | - A collection of DevSecOps tooling categorised by tool functionality | ||
Resources / Training | |||
| Application Security Education | 69 | about 3 years ago | - Training materials created by the Duo application security team, including introductory and advanced training presentations and hands-on labs |
| Cybrary | - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps | ||
| PentesterLab | - Hands on labs to understand and exploit simple and advanced web vulnerabilities | ||
| Practical DevSecOps | - Learn DevSecOps concepts, tools, and techniques from industry experts with practical DevSecOps using state of the art browser-based labs | ||
| SafeStack | - Security training for software development teams, designed to be accessible to individuals and small teams as well as larger organisations | ||
| Secure Code Warrior | - Gamified and hands-on secure development training with support for courses, assessments and tournaments | ||
| SecureFlag | - Hands-on secure coding training for Developers and Build/Release Engineers | ||
| Security Training for Engineers | - A presentation created and open-sourced by PagerDuty to provide security training to software engineers | ||
| Security Training for Everyone | - A presentation created and open-sourced by PagerDuty to provide security training employees | ||
| Semgrep Academy | - Free, on-demand courses covering topics including API security, secure coding and application security | ||
| Web Security Academy | - A set of materials and labs to learn and exploit common web vulnerabilities | ||
| WeHackPuple | - Online courses that teach application security theory and hands-on technical lessons | ||
Resources / Wikis | |||
| DevSecOps Hub | - Introduction to key DevSecOps concepts, processes and technologies | ||
| SecureFlag Knowledge Base | - A repository of information about software vulnerabilities and how to prevent them | ||
Tools / Dependency Management | |||
| Deepfence ThreatMapper | 4,781 | 5 days ago | Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless |
| Dependabot | - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies | ||
| Dependency-Check | - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins | ||
| Dependency-Track | - Monitor the volume and severity of vulnerable dependencies across multiple projects over time | ||
| JFrog XRay | - Security and compliance analysis for artifacts stored in JFrog Artifactory | ||
| NPM Audit | - Vulnerable package auditing for node packages built into the npm CLI | ||
| Renovate | - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps | ||
| Requires.io | - Automated vulnerable dependency monitoring and upgrades for Python projects | ||
| Snyk Open Source | - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database | ||
Tools / Dynamic Analysis | |||
| Automatic API Attack Tool | 452 | over 1 year ago | - Perform automated security scanning against an API based on an API specification |
| BurpSuite Enterprise Edition | - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications | ||
| Gauntlt | 979 | over 2 years ago | - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax |
| Netz | 387 | over 3 years ago | - Discover internet-wide misconfigurations, using zgrab2 and others |
| RESTler | 2,580 | 4 months ago | - A stateful RESTful API scanner based on peer-reviewed research papers |
| SSL Labs Scan | 1,696 | 2 months ago | - Automated scanning for SSL / TLS configuration issues |
| Zed Attack Proxy (ZAP) | 12,560 | 5 days ago | - An open-source web application vulnerability scanner, including an API for CI/CD integration |
Tools / Infrastructure as Code Analysis | |||
| Checkov | 7,016 | 5 days ago | - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration |
| KICS | 2,034 | 5 days ago | - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle |
| Spectral DeepConfig | - Find misconfiguration both in infrastructure as well as apps as early as commit time | ||
| Terrascan | 4,700 | 15 days ago | - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure |
| Cfn Nag | 1,255 | 2 months ago | - Scan AWS CloudFormation templates for insecure configuration |
| Clair | 10,273 | 12 days ago | - Scan App Container and Docker containers for publicly disclosed vulnerabilities |
| Dagda | 1,148 | over 1 year ago | - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning |
| Docker-Bench-Security | 9,076 | 5 months ago | - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production |
| Grype | 8,567 | 1 day ago | - An easy-to-integrate open source vulnerability scanning tool for container images and filesystems |
| Hadolint | 10,304 | about 2 months ago | - Checks a Dockerfile against known rules and validates inline bash code in RUN statements |
| Snyk Container | - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring | ||
| Trivy | 23,086 | 2 days ago | - Simple and comprehensive vulnerability scanner for containers |
| Regula | 961 | about 1 month ago | - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment |
| Terraform Compliance | - A lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code | ||
| Tfsec | 6,663 | 26 days ago | - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice |
| Kubescape | - An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters | ||
| Kube-Score | 2,743 | 23 days ago | - Scan Kubernetes object definitions for security and performance misconfiguration |
| Kubectrl Kubesec | 508 | 10 months ago | - Plugin for kubesec.io to perform security risk analysis for Kubernetes resources |
| Ansible-Lint | 3,457 | 6 days ago | - Checks playbooks for practices and behaviour that could potentially be improved. As a community backed project ansible-lint supports only the last two major versions of Ansible |
Tools / Intentionally Vulnerable Applications | |||
| Bad SSL | 2,819 | 5 months ago | - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling |
| Cfngoat | 91 | 2 months ago | - Cloud Formation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the Cloud Formation Infrastructure as Code Analysis tools above |
| CI/CD Goat | 1,919 | 3 months ago | - A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges |
| Damn Vulnerable Web App | - A web application that provides a safe environment to understand and exploit common web vulnerabilities | ||
| Juice Shop | 10,213 | 13 days ago | - A web application containing the OWASP Top 10 security vulnerabilities and more |
| Kubernetes Goat | 4,240 | 18 days ago | - Intentionally vulnerable cluster environment to learn and practice Kubernetes security |
| NodeGoat | 1,869 | 4 months ago | - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities |
| Pentest-Ground | - Pentest-Ground is a free playground with deliberately vulnerable web applications and network services | ||
| Terragoat | 1,139 | 22 days ago | - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above |
| Vulnerable Web Apps Directory | - A collection of vulnerable web applications for learning purposes | ||
| WrongSecrets | 1,208 | 5 days ago | - Vulnerable app with examples showing how to not use secrets |
Tools / Monitoring | |||
| Csper | - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts | ||
| Streamdal | - Embed privacy controls in your application code to detect and monitor PII as it enters and leaves your systems, preventing it from reaching unintended databases, data streams, or pipelines | ||
Tools / Secrets Management | |||
| Ansible Vault | - Securely store secrets within Ansible pipelines | ||
| AWS Key Management Service (KMS) | - Create and manage cryptographic keys in AWS | ||
| AWS Secrets Manager | - Securely store retrievable application secrets in AWS | ||
| Azure Key Vault | - Securely store secrets within Azure | ||
| BlackBox | 6,678 | 2 months ago | - Encrypt credentials within your code repository |
| Chef Vault | 406 | 11 days ago | - Securely store secrets within Chef |
| CredStash | 2,058 | over 2 years ago | - Securely store secrets within AWS using KMS and DynamoDB |
| CyberArk Application Access Manager | - Secrets management for applications including secret rotation and auditing | ||
| Docker Secrets | - Store and manage access to secrets within a Docker swarm | ||
| Git Secrets | 12,333 | 6 months ago | - Scan git repositories for secrets committed within code or commit messages |
| Gopass | 5,844 | 5 days ago | - Password manager for teams relying on Git and gpg. Manages secrets in encrypted files and repositories |
| Google Cloud Key Management Service (KMS) | - Securely store secrets within GCP | ||
| HashiCorp Vault | - Securely store secrets via UI, CLI or HTTP API | ||
| Keyscope | 383 | 5 months ago | - Keyscope is an open source key and secret workflow tool (validation, invalidation, etc.) built in Rust |
| Pinterest Knox | 1,229 | 3 months ago | - Securely store, rotate and audit secrets |
| Secrets Operations (SOPS) | 16,431 | 11 days ago | - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files |
| Teller | 2,851 | 2 months ago | - A secrets management tool for developers - never leave your command line for secrets |
Tools / Secrets Scanning | |||
| CredScan | - A credential scanning tool that can be run as a task in Azure DevOps pipelines | ||
| Detect Secrets | 3,758 | 18 days ago | - An aptly named module for (surprise, surprise) detecting secrets within a code base |
| GitGuardian | - A web-based solution that scans and monitors public and private git repositories for secrets | ||
| Gitleaks | 17,494 | 9 days ago | - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repositories |
| git-secrets | 12,333 | 6 months ago | - Scans commits, commit messages and merges for secrets. Native support for AWS secret patterns, but can be configured to support other patterns |
| Nightfall | - A web-based platform that monitors for sensitive data disclosure across several SDLC tools, including GitHub repositories | ||
| Repo-supervisor | 633 | over 1 year ago | - Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda |
| SpectralOps | - Automated code security, secrets, tokens and sensitive data scanning | ||
| truffleHog | 15,801 | 3 days ago | - Searches through git repositories for secrets, digging deep into commit history and branches |
Tools / Static Analysis | |||
| DevSkim | 903 | 14 days ago | - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages |
| Graudit | 1,506 | 2 months ago | - Grep source code for potential security flaws with custom or pre-configured regex signatures |
| Hawkeye | 358 | about 3 years ago | - Modularised CLI tool for project security, vulnerability and general risk highlighting |
| LGTM | - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries | ||
| RIPS | - Automated static analysis for PHP, Java and Node.js projects | ||
| SemGrep | - Semgrep is a fast, open-source, static analysis tool that finds bugs and enforces code standards at editor, commit, and CI time | ||
| SonarLint | - An IDE plugin that highlights potential security security issues, code quality issues and bugs | ||
| SonarQube | - Scan code for security and quality issues with support for a wide variety of languages | ||
| FlawFinder | 479 | 2 months ago | - Scan C / C++ code for potential security weaknesses |
| Puma Scan | 446 | almost 2 years ago | - A Visual Studio plugin to scan .NET projects for potential security flaws |
| Conftest | 2,851 | 17 days ago | - Create custom tests to scan any configuration file for security flaws |
| Selefra | 522 | about 1 year ago | - An open-source policy-as-code software that provides analytics for multi-cloud and SaaS |
| Deep Dive | - Static analysis for JVM deployment units including Ear, War, Jar and APK | ||
| Find Security Bugs | 2,261 | about 2 months ago | - SpotBugs plugin for security audits of Java web applications. Supports Eclipse, IntelliJ, Android Studio and SonarQube |
| SpotBugs | 3,471 | 4 days ago | - Static code analysis for Java applications |
| ESLint | - Linting tool for JavaScript with multiple security linting rules available | ||
| Golang Security Checker | 7,742 | 12 days ago | - CLI tool to scan Go code for potential security flaws |
| Security Code Scan | 931 | 3 months ago | - Static code analysis for C# and VB.NET applications |
| Phan | 5,527 | about 2 months ago | - Broad static analysis for PHP applications with some support for security scanning features |
| PHPCS Security Audit | 710 | over 1 year ago | - PHP static analysis with rules for PHP, Drupal 7 and PHP related CVEs |
| Progpilot | 324 | 2 months ago | - Static analysis for PHP source code |
| Bandit | 6,351 | 12 days ago | - Find common security vulnerabilities in Python code |
| Brakeman | 6,988 | 16 days ago | - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities |
| DawnScanner | 734 | 7 months ago | - Security scanning for Ruby scripts and web application. Supports Ruby on Rails, Sinatra and Padrino frameworks |
Tools / Supply Chain Security | |||
| Harden Runner GitHub Action | 598 | 10 days ago | - installs a security agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of credentials, detect compromised dependencies and build tools, and detect tampering of source code during the build |
| Overlay | 218 | 8 months ago | - a browser extension helping developers evaluate open source packages before picking them |
| Preflight | 153 | almost 2 years ago | - helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems, such as in the recent |
| Sigstore | sigstore is a set of free to use and open source tools, including , and , handling digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software | ||
| Syft | 6,065 | 1 day ago | - A CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems |
Tools / Threat Modelling | |||
| Awesome Threat Modelling | 1,380 | 2 months ago | - A curated list of threat modelling resources |
| SecuriCAD | - Treat modelling and attack simulations for IT infrastructure | ||
| IriusRisk | - Draw threat models and capture threats and countermeasures and manage risk | ||
| Raindance Project | 46 | almost 8 years ago | - Use attack maps to identify attack surface and adversary strategies that may lead to compromise |
| SD Elements | - Identify and rank threats, generate actionable tasks and track related tickets | ||
| Threat Dragon | - Threat model diagramming tool | ||
| Threat Modelling Tool | - Threat model diagramming tool | ||
| Threatspec | - Define threat modelling as code | ||
Related Lists | |||
| Awesome Dynamic Analysis | 933 | 19 days ago | - A collection of dynamic analysis tools and code quality checkers |
| Awesome Platform Engineering | 343 | 3 months ago | A curated list of solutions, tools and resources for |
| Awesome Static Analysis | 13,242 | 6 days ago | - A collection of static analysis tools and code quality checkers |
| Awesome Threat Modelling | 1,380 | 2 months ago | - A curated list of threat modeling resources |
| Vulnerable Web Apps Directory | - A collection of vulnerable web applications for learning purposes | ||
sindresorhus/awesome
bayandin/awesome-awesomeness
shospodarets/awesome-platform-engineering
0ex/more-awesome