Home

Awesome

Ultimate DevSecOps library

Contribution rules

If you want to contribute to this library of knowledge please create proper PR (Pull Request) with description what you are adding following these set of rules:

Note: Currently this is an early version of the library. I recommend PR after first official release.

DevSecOps library info:

stars watchers watchers

This library contains list of tools and methodologies accompanied with resources. The main goal is to provide to the engineers a guide through opensource DevSecOps tooling. This repository covers only cyber security in the cloud and the DevSecOps scope.

Table of Contents

What is DevSecOps

DevSecOps focuses on security automation, testing and enforcement during DevOps - Release - SDLC cycles. The whole meaning behind this methodology is connecting together Development, Security and Operations. DevSecOps is methodology providing different methods, techniques and processes backed mainly with tooling focusing on developer / security experience.

DevSecOps takes care that security is part of every stage of DevOps loop - Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

Various definitions:

Tooling

Pre-commit time tools

In this section you can find lifecycle helpers, precommit hook tools and threat modeling tools. Threat modeling tools are specific category by themselves allowing you to simulate and discover potential gaps before you start to develop the software or during the process.

Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based on the existing code annotations.

NameURLDescriptionMeta
git-secretshttps://github.com/awslabs/git-secretsAWS labs tool preventing you from committing secrets to a git repositoryGit Secrets
git-houndhttps://github.com/tillson/git-houndSearchers secrets in gitgit-hound
goSDLhttps://github.com/slackhq/goSDLSecurity Development Lifecycle checklistgoSDL
ThreatPlaybookhttps://github.com/we45/ThreatPlaybookThreat modeling as codeGitLeaks
Threat Dragonhttps://github.com/OWASP/threat-dragonOWASP Threat modeling toolThreatDragon
threatspechttps://github.com/threatspec/threatspecThreat modeling as codethreatspec
pytmhttps://github.com/izar/pytmA Pythonic framework for threat modelingpytm
Threagilehttps://github.com/Threagile/threagileA Go framework for threat modelingThreagile
MAL-langhttps://mal-lang.org/#what A language to create cyber threat modeling systems for specific domainsMal
Microsoft Threat modeling toolhttps://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-toolMicrosoft threat modeling toolMS Threat modeling tool
Talismanhttps://github.com/thoughtworks/talismanA tool to detect and prevent secrets from getting checked inTalisman
SEDATEDhttps://github.com/OWASP/SEDATEDThe SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git.Talisman
Sonarlinthttps://github.com/SonarSource/sonarlint-coreSonar linting utility for IDESonarlint
DevSkimhttps://github.com/microsoft/DevSkimDevSkim is a framework of IDE extensions and language analyzers that provide inline security analysisDevSkim
detect-secretshttps://github.com/Yelp/detect-secretsDetects secrets in your codebaseDevSkim
tflinthttps://github.com/terraform-linters/tflintA Pluggable Terraform Lintertflint
Steampipe Code Pluginhttps://github.com/turbot/steampipe-plugin-codeUse SQL to detect secrets from source code and data sources.GitHub stars

Secrets management

Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of passwords, certificates, configuration values and other types of secrets.

NameURLDescriptionMeta
GitLeakshttps://github.com/zricethezav/gitleaksGitleaks is a scanning tool for detecting hardcoded secretsGitLeaks
ggshieldhttps://github.com/gitguardian/ggshieldGitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files.ggshield
TruffleHoghttps://github.com/trufflesecurity/truffleHogTruffleHog is a scanning tool for detecting hardcoded secretsTruffleHog
Hashicorp Vaulthttps://github.com/hashicorp/vaultHashicorp Vault secrets managementVault
Mozilla SOPShttps://github.com/mozilla/sops Mozilla Secrets OperationsSOPS
AWS secrets manager GH actionhttps://github.com/marketplace/actions/aws-secrets-manager-actionsAWS secrets manager docsAWS Secrets manager action
GitRobhttps://github.com/michenriksen/gitrobGitrob is a tool to help find potentially sensitive files pushed to public repositories on GithubGitRob
git-wild-hunthttps://github.com/d1vious/git-wild-huntA tool to hunt for credentials in the GitHubgit-wild-hunt
aws-vaulthttps://github.com/99designs/aws-vaultAWS Vault is a tool to securely store and access AWS credentials in a development environmentaws-vault
Knoxhttps://github.com/pinterest/knoxKnox is a service for storing and rotation of secrets, keys, and passwords used by other servicesKnox
Chef vaulthttps://github.com/chef/chef-vaultallows you to encrypt a Chef Data Bag ItemChef vault
Ansible vaultAnsible vault docsEncryption/decryption utility for Ansible data filesAnsible vault

OSS and Dependency management

Dependency security testing and analysis is very important part of discovering supply chain attacks. SBOM creation and following dependency scanning (Software composition analysis) is critical part of continuous integration (CI). Data series and data trends tracking should be part of CI tooling. You need to know what you produce and what you consume in context of libraries and packages.

NameURLDescriptionMeta
CycloneDXhttps://github.com/orgs/CycloneDX/repositoriesCycloneDX format for SBOMCycloneDX
cdxgenhttps://github.com/AppThreat/cdxgenGenerates CycloneDX SBOM, supports many languages and package managers.CycloneDX
SPDXhttps://github.com/spdx/spdx-specSPDX format for SBOM - Software Package Data ExchangeSpDX
Snykhttps://github.com/snyk/snykSnyk scans and monitors your projects for security vulnerabilitiesSnyk
vulncosthttps://github.com/snyk/vulncostSecurity Scanner for VS CodeVulncost
Dependency Combobulatorhttps://github.com/apiiro/combobulatorDependency-related attacks detection and prevention through heuristics and insight engine (support multiple dependency schemes)Combobulator
DependencyTrackhttps://github.com/DependencyTrack/dependency-trackDependency security tracking platformDependencyTrack
DependencyCheckhttps://github.com/jeremylong/DependencyCheckSimple dependency security scanner good for CIDependencyCheck
Retire.jshttps://github.com/retirejs/retire.js/Helps developers to detect the use of JS-library versions with known vulnerabilitiesRetire.js
PHP security checkerhttps://github.com/fabpot/local-php-security-checkerCheck vulnerabilities in PHP dependenciesRetire.js
bundler-audithttps://github.com/rubysec/bundler-auditPatch-level verification for bundlerBundler audit
gemnasiumhttps://gitlab.com/gitlab-org/security-products/analyzers/gemnasium Dependency Scanning Analyzer based on Gemnasium
Dependabothttps://github.com/dependabot/dependabot-coreAutomated dependency updates built into GitHub providing security alertsDependabot
Renovatebothttps://github.com/renovatebot/renovateAutomated dependency updates, patches multi-platform and multi-languageRenovatebot
npm-checkhttps://www.npmjs.com/package/npm-checkCheck for outdated, incorrect, and unused dependencies.npm-check
Security Scorecardshttps://securityscorecards.devChecks for several security health metrics on open source libraries and provides a score (0-10) to be considered in the decision making of what libraries to use.scorecard
Syfthttps://github.com/anchore/syftCLI tool and library for generating an SBOM from container images (and filesystems).syft
OSS Review Toolkithttps://github.com/oss-review-toolkit/ortA suite of tools to automate software compliance checks.ort

Supply chain specific tools

Supply chain is often the target of attacks. Which libraries you use can have a massive impact on security of the final product (artifacts). CI (continuous integration) must be monitored inside the tasks and jobs in pipeline steps. Integrity checks must be stored out of the system and in ideal case several validation runs with comparison of integrity hashes / or attestation must be performed.

NameURLDescriptionMeta
Tekton chainshttps://github.com/tektoncd/chainsKubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton.Chains
in-totohttps://github.com/in-toto/attestation/tree/v0.1.0/specAn in-toto attestation is authenticated metadata about one or more software artifactsin-toto
SLSAOfficial GitHub linkSupply-chain Levels for Software ArtifactsSLSA
kritishttps://github.com/grafeas/kritisSolution for securing your software supply chain for Kubernetes appsKritis
ratifyhttps://github.com/deislabs/ratifyArtifact Ratification Frameworkratify
chain-benchhttps://github.com/aquasecurity/chain-benchSupply Chain Audit Toolchain-bench

SAST

Static code review tools working with source code and looking for known patterns and relationships of methods, variables, classes and libraries. SAST works with the raw code and usually not with build packages.

NameURLDescriptionMeta
Brakemanhttps://github.com/presidentbeef/brakemanBrakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilitiesBrakeman
Semgrephttps://semgrep.dev/Hi-Quality Open source, works on 17+ languagesSemgrep
Bandithttps://github.com/PyCQA/bandit Python specific SAST toolBandit
libsasthttps://github.com/ajinabraham/libsast Generic SAST for Security Engineers. Powered by regex based pattern matcher and semantic aware semgreplibsast
ESLinthttps://eslint.org/Find and fix problems in your JavaScript code
nodejsscanhttps://github.com/ajinabraham/nodejsscanNodeJs SAST scanner with GUINodeJSscan
FindSecurityBugshttps://find-sec-bugs.github.io/The SpotBugs plugin for security audits of Java web applicationsFindSecuritybugs
SonarQube communityhttps://github.com/SonarSource/sonarqubeDetect security issues in code review with Static Application Security Testing (SAST)SonarQube
gosechttps://github.com/securego/gosecInspects source code for security problems by scanning the Go AST.gosec
Safetyhttps://github.com/pyupio/safetyChecks Python dependencies for known security vulnerabilities .Safety
Bearerhttps://github.com/Bearer/bearerDetect security issues in various languages (JavaScript/TypeScript, Ruby, Java, PHP...) .Safety
mobsfscanhttps://github.com/MobSF/mobsfscanDetect security issues in Android and iOS source code (Java/Kotlin and Objective C/Swift)Safety

Note: Semgrep is free CLI tool, however some rulesets (https://semgrep.dev/r) are having various licences, some can be free to use and can be commercial.

OWASP curated list of SAST tools : https://owasp.org/www-community/Source_Code_Analysis_Tools

DAST

Dynamic application security testing (DAST) is a type of application testing (in most cases web) that checks your application from the outside by active communication and analysis of the responses based on injected inputs. DAST tools rely on inputs and outputs to operate. A DAST tool uses these to check for security problems while the software is actually running and is actively deployed on the server (or serverless function).

NameURLDescriptionMeta
Zap proxyhttps://owasp.org/www-project-zap/Zap proxy providing various docker containers for CI/CD pipelineZAP
Aktohttps://github.com/akto-api-security/akto/)API Security Testing with 150+ YAML TestsAkto
Wapitihttps://github.com/wapiti-scanner/wapiti Light pipeline ready scanning toolWapiti
Nucleihttps://github.com/projectdiscovery/nucleiTemplate based security scanning toolNuclei
purpleteamhttps://github.com/purpleteam-labs/purpleteamCLI DAST tool incubator projectpurpleteam
oss-fuzzhttps://github.com/google/oss-fuzz OSS-Fuzz: Continuous Fuzzing for Open Source Softwareosss-fuzz
niktohttps://github.com/sullo/niktoNikto web server scannernikto
skipfishhttps://code.google.com/archive/p/skipfish/Skipfish is an active web application security reconnaissance toolskipfish

Continuous deployment security

NameURLDescriptionMeta
SecureCodeBoxhttps://github.com/secureCodeBox/secureCodeBoxToolchain for continuous scanning of applications and infrastructureSCB
OpenSCAPhttps://github.com/OpenSCAP/openscapOpen Source Security Compliance Solutionoscap
ThreatMapperhttps://github.com/deepfence/ThreatMapperThreatMapper hunts for vulnerabilities in your production platforms, and ranks these vulnerabilities based on their risk-of-exploit.kube-hunter

Kubernetes

NameURLDescriptionMeta
KubiScanhttps://github.com/cyberark/KubiScanA tool for scanning Kubernetes cluster for risky permissionsKubiscan
Kubeaudithttps://github.com/Shopify/kubeauditAudit Kubernetes clusters for various different security concernskube-audit
Kubescapehttps://github.com/armosec/kubescapeThe first open-source tool for testing if Kubernetes is deployed according to the NSA-CISA and the MITRE ATT&CK®.kubescape
kubesechttps://github.com/controlplaneio/kubesecSecurity risk analysis for Kubernetes resourceskubesec
kube-benchhttps://github.com/aquasecurity/kube-bench Kubernetes benchmarking toolKubiscan
kube-scorehttps://github.com/zegl/kube-scoreStatic code analysis of your Kubernetes object definitionskube-score
kube-hunterhttps://github.com/aquasecurity/kube-hunterActive scanner for k8s (purple)kube-hunter
Calicohttps://github.com/projectcalico/calicoCalico is an open source networking and network security solution for containersCalico
Kranehttps://github.com/appvia/kraneSimple Kubernetes RBAC static analysis toolkrane
Gatekeeperhttps://github.com/open-policy-agent/gatekeeperOpen policy agent gatekeeper for k8sgatekeeper
Inspektor-gadgethttps://github.com/kinvolk/inspektor-gadgetCollection of tools (or gadgets) to debug and inspect k8sinspector
kube-linterhttps://github.com/stackrox/kube-linter Static analysis for Kuberneteskube-linter
mizu-api-traffic-viewerhttps://github.com/up9inc/mizuA simple-yet-powerful API traffic viewer for Kubernetes enabling you to view all API communication between microservices to help your debug and troubleshoot regressions.GitHub stars
HelmSnykhttps://github.com/snyk-labs/helm-snykThe Helm plugin for Snyk provides a subcommand for testing the images.GitHub stars
Kubewardenhttps://github.com/orgs/kubewarden/repositoriesPolicy as code for kubernetes from SUSE.GitHub stars
Kubernetes-sigs BOMhttps://github.com/kubernetes-sigs/bomKubernetes BOM generatorGitHub stars
Capsulehttps://github.com/clastix/capsuleA multi-tenancy and policy-based framework for KubernetesGitHub stars
Badrobothttps://github.com/controlplaneio/badrobotBadrobot is a Kubernetes Operator audit toolGitHub stars
kube-scanhttps://github.com/octarinesec/kube-scank8s cluster risk assessment toolkube-scan
Istiohttps://istio.ioIstio is a service mesh based on Envoy. Engage encryption, role-based access, and authentication across services.GitHub stars
Kubernetes Insightshttps://github.com/turbot/steampipe-mod-kubernetes-insightsVisualize Kubernetes inventory and permissions through relationship graphs.GitHub stars
Kubernetes Compliancehttps://github.com/turbot/steampipe-mod-kubernetes-complianceCheck compliance of Kubernetes configurations to security best practices.GitHub stars
trivy-operatorhttps://github.com/aquasecurity/trivy-operatorKubernetes-native security toolkit.GitHub stars

Containers

NameURLDescriptionMeta
Harborhttps://github.com/goharbor/harborTrusted cloud native registry projectHarbor
Anchorehttps://github.com/anchore/anchore-engineCentralized service for inspection, analysis, and certification of container imagesAnchore
Clairhttps://github.com/quay/clairDocker vulnerability scannerClair
Deepfence ThreatMapperhttps://github.com/deepfence/ThreatMapperApache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.ThreatMapper
Docker benchhttps://github.com/docker/docker-bench-security Docker benchmarking against CISdocker bench
Falcohttps://github.com/falcosecurity/falcoContainer runtime protectionFalco
Trivyhttps://github.com/aquasecurity/trivyComprehensive scanner for vulnerabilities in container imagesTrivy
Notaryhttps://github.com/notaryproject/notaryDocker signingNotary
Cosignhttps://github.com/sigstore/cosignContainer signingCosign
watchtowerhttps://github.com/containrrr/watchtowerUpdates the running version of your containerized appwatchtower
Grypehttps://github.com/anchore/grypeVulnerability scanner for container images (and also filesystems).Grype
Copacetichttps://github.com/project-copacetic/copaceticCLI tool for directly patching container imagesCopacetic

Multi-Cloud

NameURLDescriptionMeta
Cloudsploithttps://github.com/aquasecurity/cloudsploitDetection of security risks in cloud infrastructureCloudsploit
ScoutSuitehttps://github.com/nccgroup/ScoutSuiteNCCgroup mutlicloud scanning toolScoutSuite
CloudCustodianhttps://github.com/cloud-custodian/cloud-custodian/Multicloud security analysis frameworkCloudCustodian
CloudGraphhttps://github.com/cloudgraphdev/cliGraphQL API + Security for AWS, Azure, GCP, and K8sCloudGraph
Steampipehttps://github.com/turbot/steampipeInstantly query your cloud, code, logs & more with SQL. Build on thousands of open-source benchmarks & dashboards for security & insights.GitHub stars

AWS

AWS specific DevSecOps tooling. Tools here cover different areas like inventory management, misconfiguration scanning or IAM roles and policies review.

NameURLDescriptionMeta
Dragoneyehttps://github.com/indeni/dragoneyeDragoneye Indeni AWS scannerDragoneye
Prowlerhttps://github.com/toniblyx/prowlerProwler is a command line tool that helps with AWS security assessment, auditing, hardening and incident response.Prowler
aws-inventoryhttps://github.com/nccgroup/aws-inventoryHelps to discover all AWS resources created in an accountaws-inventory
PacBothttps://github.com/tmobile/pacbotPolicy as Code Bot (PacBot)pacbot
Komiserhttps://github.com/mlabouardy/komiserMonitoring dashboard for costs and securitykomiser
Cloudsplaininghttps://github.com/salesforce/cloudsplainingIAM analysis frameworkcloudsplaining
ElectricEyehttps://github.com/jonrau1/ElectricEyeContinuously monitor your AWS services for configurationsElectricEye
Cloudmapperhttps://github.com/duo-labs/cloudmapperCloudMapper helps you analyze your Amazon Web Services (AWS) environmentscloudmapper
cartographyhttps://github.com/lyft/cartographyConsolidates AWS infrastructure assets and the relationships between them in an intuitive graphcartography
policy_sentryhttps://github.com/salesforce/policy_sentryIAM Least Privilege Policy Generatorpolicycentry
AirIAMhttps://github.com/bridgecrewio/AirIAMIAM Least Privilege anmalyzer and TerraformerAirIam
StreamAlerthttps://github.com/airbnb/streamalertAirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alertStreamAlert
CloudQueryhttps://github.com/cloudquery/cloudquery/AirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alertCloudQuery
S3Scannerhttps://github.com/sa7mon/S3Scanner/A tool to find open S3 buckets and dump their contentsS3Scanner
aws-iam-authenticatorhttps://github.com/kubernetes-sigs/aws-iam-authenticator/A tool to use AWS IAM credentials to authenticate to a Kubernetes clusterauthenticator
kube2iamhttps://github.com/jtblin/kube2iam/A tool to use AWS IAM credentials to authenticate to a Kubernetes clusterkube2iam
AWS open source security samplesOfficial AWS opensource repoCollection of official AWS open-source resourcesAmazon AWS
AWS Firewall factoryGlobaldatanet FMS automationDeploy, update, and stage your WAFs while managing them centrally via FMSGlobaldatanet Firewall factory
ParlimentParlimentParliament is an AWS IAM linting libraryIAM linting
YorYorAdds informative and consistent tags across infrastructure-as-code frameworks such as Terraform, CloudFormation, and ServerlessYor
AWS Insightshttps://github.com/turbot/steampipe-mod-aws-insightsVisualize AWS inventory and permissions through relationship graphs.GitHub stars
AWS Compliancehttps://github.com/turbot/steampipe-mod-aws-complianceCheck compliance of AWS configurations to security best practices.GitHub stars

Google cloud platform

GCP specific DevSecOps tooling. Tools here cover different areas like inventory management, misconfiguration scanning or IAM roles and policies review.

NameURLDescriptionMeta
Forsetihttps://github.com/forseti-security/forseti-securityComplex security orchestration and scanning platformForseti
GCP Insightshttps://github.com/turbot/steampipe-mod-gcp-insightsVisualize GCP inventory and permissions through relationship graphs.GitHub stars
GCP Compliancehttps://github.com/turbot/steampipe-mod-gcp-complianceCheck compliance of GCP configurations to security best practices.GitHub stars

Microsoft Azure

Azure specific DevSecOps tooling. Tools here cover different areas like inventory management, misconfiguration scanning or IAM roles and policies review.

NameURLDescriptionMeta
Azure Insightshttps://github.com/turbot/steampipe-mod-azure-insightsVisualize Azure inventory and permissions through relationship graphs.GitHub stars
Azure Compliancehttps://github.com/turbot/steampipe-mod-azure-complianceCheck compliance of Azure configurations to security best practices.GitHub stars
PSRule.Rules.Azurehttps://github.com/Azure/PSRule.Rules.AzureCheck ARM, Bicep or Live Azure Tenant for security configuration best practicesGitHub stars
PSRule.Rules.AzureDevOpshttps://github.com/cloudyspells/PSRule.Rules.AzureDevOpsCheck Azure DevOps project for security configuration best practicesGitHub stars

Policy as code

Policy as code is the idea of writing code in a high-level language to manage and automate policies. By representing policies as code in text files, proven software development best practices can be adopted such as version control, automated testing, and automated deployment. (Source: https://docs.hashicorp.com/sentinel/concepts/policy-as-code)

NameURLDescriptionMeta
Open Policy agenthttps://github.com/open-policy-agent/opaGeneral-purpose policy engine that enables unified, context-aware policy enforcement across the entire stackOPA
Kyvernohttps://github.com/kyverno/kyvernoKyverno is a policy engine designed for Kuberneteskyverno
Inspechttps://github.com/inspec/inspecChef InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.Inspec
Cloud Formation guardhttps://github.com/aws-cloudformation/cloudformation-guardCloud Formation policy as codecf-guard
cnspechttps://github.com/mondoohq/cnspeccnspec is a cloud-native and powerful Policy as Code engine to assess the security and compliance of your business-critical infrastructure. cnspec finds vulnerabilities and misconfigurations on all systems in your infrastructure including: public and private cloud environments, Kubernetes clusters, containers, container registries, servers and endpoints, SaaS products, infrastructure as code, APIs, and more.cf-guard

Chaos engineering

Chaos Engineering is the discipline of experimenting on a system in order to build confidence in the system’s capability to withstand turbulent conditions in production.

Reading and manifestos: https://principlesofchaos.org/

NameURLDescriptionMeta
chaos-meshhttps://github.com/chaos-mesh/chaos-meshIt is a cloud-native Chaos Engineering platform that orchestrates chaos on Kubernetes environmentsChaos mesh
Chaos monkeyhttps://netflix.github.io/chaosmonkey/Chaos Monkey is responsible for randomly terminating instances in production to ensure that engineers implement their services to be resilient to instance failures.Chaos monkey
Chaos Enginehttps://thalesgroup.github.io/chaos-engine/The Chaos Engine is a tool that is designed to intermittently destroy or degrade application resources running in cloud based infrastructure. These events are designed to occur while the appropriate resources are available to resolve the issue if the platform fails to do so on it's own.Chaos Engine
chaoskubehttps://github.com/linki/chaoskube Test how your system behaves under arbitrary pod failures.chaoskube
Kube-Invadershttps://github.com/lucky-sideburn/KubeInvadersGamified chaos engineering tool for Kuberneteschaoskube
kube-monkeyhttps://github.com/asobti/kube-monkeyGamified chaos engineering tool for Kuberneteskube-monkey
Litmus Chaoshttps://litmuschaos.io/Litmus is an end-to-end chaos engineering platform for cloud native infrastructure and applications. Litmus is designed to orchestrate and analyze chaos in their environments.Litmus
Gremlinhttps://github.com/gremlin/gremlin-pythonChaos enginnering SaaS platform with free plan and some open source librariesGremlin
AWS FIS sampleshttps://github.com/aws-samples/aws-fault-injection-simulator-samplesAWS Fault injection simulator samplesAWS
CloudNukehttps://github.com/gruntwork-io/cloud-nukeCLI tool to delete all resources in an AWS accountCloudNuke

Infrastructure as code security

Scanning your infrastructure when it is only code helps shift-left the security. Many tools offer in IDE scanning and providing real-time advisory do Cloud engineers.

NameURLDescriptionMeta
KICShttps://github.com/Checkmarx/kicsCheckmarx security testing opensource for IaCCheckmarx
Checkovhttps://github.com/bridgecrewio/checkovCheckov is a static code analysis tool for infrastructure-as-codeCheckov
Trivyhttps://github.com/aquasecurity/trivyComprehensive scanner for infrastructure-as-codeTrivy
terrascanhttps://github.com/accurics/terrascanTerrascan is a static code analyzer for Infrastructure as Codeterrascan
cfn_naghttps://github.com/stelligent/cfn_nagLooks for insecure patterns in CloudFormationcfnag
Sysdig IaC scanner actionhttps://github.com/sysdiglabs/cloud-iac-scanner-actionScans your repository with Sysdig IAC Scanner and report the vulnerabilities.sysdig iac scanner
Terraform Compliance for AWShttps://github.com/turbot/steampipe-mod-terraform-aws-complianceCheck compliance of Terraform configurations to AWS security best practices.GitHub stars
Terraform Compliance for Azurehttps://github.com/turbot/steampipe-mod-terraform-azure-complianceCheck compliance of Terraform configurations to Azure security best practices.GitHub stars
Terraform Compliance for GCPhttps://github.com/turbot/steampipe-mod-terraform-gcp-complianceCheck compliance of Terraform configurations to GCP security best practices.GitHub stars
Terraform Compliance for OCIhttps://github.com/turbot/steampipe-mod-terraform-oci-complianceCheck compliance of Terraform configurations to OCI security best practices.GitHub stars

Network Intrusion Prevention

Network Intrusion Prevention (NIP) is a security mechanism used to detect and prevent unauthorized access, attacks, or malicious activities on a computer network. It is designed to monitor network traffic in real-time, identify potential threats, and take proactive measures to mitigate them.

NameURLDescriptionMeta
CrowdSechttps://github.com/crowdsecurity/crowdsec)Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviours to prevent them from accessing your systems.CrowdSec

Orchestration

Event driven security help to drive, automate and execute tasks for security processes. The tools here and not dedicated security tools but are helping to automate and orchestrate security tasks or are part of most modern security automation frameworks or tools.

NameURLDescriptionMeta
StackStormhttps://github.com/StackStorm/st2Platform for integration and automation across services and tools supporting event driven securityStackStorm
Camundahttps://github.com/camunda/camunda-bpm-platformWorkflow and process automationCamunda
DefectDojohttps://github.com/DefectDojo/django-DefectDojoSecurity orchestration and vulnerability management platformDefectDojo
Faradayhttps://github.com/infobyte/faradaySecurity suite for Security Orchestration, vulnerability management and centralized informationFaraday

Methodologies, whitepapers and architecture

List of resources worth investigating:

AWS DevOps whitepapers:

AWS blog:

Microsoft whitepapers:

GCP whitepapers:

Other

Here are the other links and resources that do not fit in any previous category. They can meet multiple categories in time or help you in your learning.

NameURLDescriptionMeta
Automated Security Helper (ASH)https://github.com/aws-samples/automated-security-helperASH is a one stop shop for security scanners, and does not require any installation. It will identify the different frameworks, and download the relevant, up to date tools. ASH is running on isolated Docker containers, keeping the user environment clean, with a single aggregated report. The following frameworks are supported: Git, Python, Javascript, Cloudformation, Terraform and Jupyter Notebooks.ASH
Mobile security frameworkhttps://github.com/MobSF/Mobile-Security-Framework-MobSFSAST, DAST and pentesting tool for mobile appsMobSF
Legitifyhttps://github.com/Legit-Labs/legitifyDetect and remediate misconfigurations and security risks across all your GitHub and GitLab assetsLegitify

Training - https://www.practical-devsecops.com/devsecops-university/

DevSecOps videos - Hackitect playground

License

MIT license

Marek Šottl (c) 2022