.svg){kind=icon}
An authoritative list of awesome devsecops tools with the help from community experiments and contributions.
Inspired by the awesome-* trend on GitHub. This is a collection of documents, presentations, videos, training materials, tools, services and general leadership that support the DevSecOps mission. These are the essential building blocks and tidbits that can help you to arrange for a DevSecOps experiment or to help you build out your own DevSecOps program.
IAM Least Privilege Policy Generator.
Policy Sentry is an AWS IAM Least Privilege Policy Generator, auditor, and analysis database. It compiles database tables based on the AWS IAM Documentation on Actions, Resources, and Condition Keys and leverages that data to create least-privilege IAM policies.
Automatically detect potential vulnerabilities and analyze repository metrics to prioritize open source security research targets .
sastsweep is a tool designed for identifying vulnerabilities in open source codebases at scale. It can gather and filter on key repository metrics such as popularity and project size, enabling targeted vulnerability research. It automatically detects potential vulnerabilities using semgrep and provides a streamlined HTML report, allowing researchers to quickly drill down to the affected portion of the codebase.
A command-line tool to get valuable information out of AWS CloudTrail and a general purpose toolbox for working with IAM policies
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources.
Cloud Custodian enables you to manage your cloud resources by filtering, tagging, and then applying actions to them. The YAML DSL allows defininition of rules to enable well-managed cloud infrastructure that's both secure and cost optimized.
Cloud Custodian, also known as c7n, is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed cloud infrastructure, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
An enterprise friendly way of detecting and preventing secrets in code.
detect-secrets is an aptly named module for (surprise, surprise) detecting secrets within a code base.
Git Security Scanning & Secrets Detection.
A tool for finding security issues in GitHub Actions setups.
Centralized Cloud-Based Secrets Management Platform.
Securely manage, orchestrate, and govern secrets at scale with Doppler’s developer-first cloud hosted platform.
🧪 Correlate Semgrep scans with Python test coverage to prioritize SAST findings and get bug fix suggestions via a self-hosted LLM.
vulncov correlates Semgrep scans with Python test code coverage to identify which vulnerable code has been executed by unit tests, helping prioritize SAST findings and reduce false positives. It also leverages a self-hosted LLM to suggest bug fixes!
Node Version Audit is a convenience tool to easily check a given Node.js version against a regularly updated list of CVE exploits, new releases, and end of life dates.
Node Version Audit is not: exploit detection/mitigation, vendor-specific version tracking, a replacement for staying informed on Node.js releases and security exploits.
Sample Go app repo with test and release pipelines optimized for software supply chain security (S3C).
Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance
Code signing and transparency for containers and binaries.
Signing OCI containers (and other artifacts) using Sigstore!
Cosign aims to make signatures invisible infrastructure.
Gato, or GitHub Attack Toolkit, is an enumeration and attack tool that allows both blue teamers and offensive security practitioners to identify and exploit pipeline vulnerabilities within a GitHub organization's public and private repositories.
Software Bill of Materials (SBOM) Analysis.
SBOM quality score - Quality metrics for your sboms.
sbomqs is your primary tool to assess an SBOM's quality and compliance. The higher the score the more consumable & compliant your SBOMs are.
Octoscan is a static vulnerability scanner for GitHub action workflows.
A flexible detection platform that simplifies rule management and deployment with K8s CronJob and Helm. Venator is flexible enough to run standalone or with other job schedulers like Nomad.
Venator is optimized for Kubernetes deployment but is flexible enough to run standalone or with other job schedulers like Nomad. It provides a highly adaptable detection engine that prioritizes simplicity, extensibility, and ease of maintenance. Supporting multiple query engines and publishers, Venator allows you to easily switch between different data lakes or services with minimal changes, avoiding vendor lock-in and dependence on specific SIEM solutions for signal generation.
Comprehensive Open Source Security and SBOM Management. Secure Your Products From Repo to Release.
Stop vulnerabilities, automate compliance, and mitigate third-party risk in your applications.
OPEN SOURCE ORCHESTRATION AND CORRELATION TOOL. ASOC, ASPM, DevSecOps, Vulnerability Management Using ArcherySec.
Automate Your Application Security Orchestration And Correlation (ASOC) Using ArcherySec.
ArcherySec allow to interact with continuous integration/continuous delivery (CI/CD) toolchains to specify testing, and control the release of a given build based on results. Its include prioritization functions, enabling you to focus on the most critical vulnerabilities. ArcherySec uses popular open source tools to perform comprehensive scanning for web application and network. The developers can also utilize the tool for implementation of their DevOps CI/CD environment.