.svg){kind=icon}
email
A framework for securing software update systems.
The Update Framework (TUF) maintains the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.
Related contents:
GuardDog is a CLI tool to Identify malicious PyPI and npm packages.
GuardDog is a CLI tool that allows to identify malicious PyPI and npm packages or Go modules. It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata.
GuardDog can be used to scan local or remote PyPI and npm packages or Go modules using any of the available heuristics.
Related contents:
External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
Related contents:
NGINX configuration static analyzer.
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Cross-platform secret & config manager for development and CI environments
Novops, the universal secret and configuration manager for development, applications and CI.
Related contents:
LFIer is a powerful and efficient tool for detecting Local File Inclusion (LFI) vulnerabilities in web applications.
LFIer is a tool engineered to detect Local File Inclusion (LFI) vulnerabilities in web applications. It scans URLs with parameters, injects various payloads, and checks for indicators in the responses to identify potential LFI vulnerabilities. Leveraging asynchronous programming, LFIer ensures efficient and accurate scanning, even in environments protected by WAFs or cloud-based defenses.
Related contents:
𝗟𝗙𝗜𝗲𝗿 : L’outil INDISPENSABLE pour détecter les failles LFI ! @ Laurent Biagiotti's LinkedIn 
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. MobSF can be used for a variety of use cases such as mobile application security, penetration testing, malware analysis, and privacy analysis. The Static Analyzer supports popular mobile app binaries like APK, IPA, APPX and source code. Meanwhile, the Dynamic Analyzer supports both Android and iOS applications and offers a platform for interactive instrumented testing, runtime data and network traffic analysis. MobSF seamlessly integrates with your DevSecOps or CI/CD pipeline, facilitated by REST APIs and CLI tools, enhancing your security workflow with ease.
Security scanner detecting Python Pickle files performing suspicious actions
Validate the isolation posture of your container environment.
Am I Isolated is a security posture benchmarking tool.
It evaluates a given runtime environment and attempts to look for things which may be a security problem, as well as providing suggestions for solving the security problem.
Open Source DevSecOps. CI/CD and DevSecOps Automation
The leading application vulnerability management tool.
Built for both DevSecOps and traditional application security.
DevSecOps, ASPM, Vulnerability Management. All on one platform.
DefectDojo is a DevSecOps, ASPM (application security posture management), and vulnerability management tool. DefectDojo orchestrates end-to-end security testing, vulnerability tracking, deduplication, remediation, and reporting.
Source: Savez-vous ce qui est un OpenVOC ? @ Florian Dudaev's LinkedIn 
.
Universal Artifact Repository Manager.
Definitive artifact management for flexible development and trusted delivery at any scale.
JFrog Artifactory is the single solution for housing and managing all the artifacts, binaries, packages, files, containers, and components for use throughout your software supply chain.
JFrog Artifactory serves as your central hub for DevOps, integrating with your tools and processes to improve automation, increase integrity, and incorporate best practices along the way.
Docker Scout is a solution for proactively enhancing your software supply chain security. By analyzing your images, Docker Scout compiles an inventory of components, also known as a Software Bill of Materials (SBOM). The SBOM is matched against a continuously updated vulnerability database to pinpoint security weaknesses.
Telling tales on you for leaking secrets!.
Squealer scans a git repository or filesystem for secrets that are being leaked deep within the commit history.
Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
Talisman is a tool that scans git changesets to ensure that potential secrets or sensitive information do not leave the developer's workstation.
It validates the outgoing changeset for things that look suspicious - such as potential SSH keys, authorization tokens, private keys etc.
An authoritative list of awesome devsecops tools with the help from community experiments and contributions.
Inspired by the awesome-* trend on GitHub. This is a collection of documents, presentations, videos, training materials, tools, services and general leadership that support the DevSecOps mission. These are the essential building blocks and tidbits that can help you to arrange for a DevSecOps experiment or to help you build out your own DevSecOps program.
IAM Least Privilege Policy Generator.
Policy Sentry is an AWS IAM Least Privilege Policy Generator, auditor, and analysis database. It compiles database tables based on the AWS IAM Documentation on Actions, Resources, and Condition Keys and leverages that data to create least-privilege IAM policies.
Automatically detect potential vulnerabilities and analyze repository metrics to prioritize open source security research targets .
sastsweep is a tool designed for identifying vulnerabilities in open source codebases at scale. It can gather and filter on key repository metrics such as popularity and project size, enabling targeted vulnerability research. It automatically detects potential vulnerabilities using semgrep and provides a streamlined HTML report, allowing researchers to quickly drill down to the affected portion of the codebase.
A command-line tool to get valuable information out of AWS CloudTrail and a general purpose toolbox for working with IAM policies
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources.
Cloud Custodian enables you to manage your cloud resources by filtering, tagging, and then applying actions to them. The YAML DSL allows defininition of rules to enable well-managed cloud infrastructure that's both secure and cost optimized.
Cloud Custodian, also known as c7n, is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed cloud infrastructure, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
An enterprise friendly way of detecting and preventing secrets in code.
detect-secrets is an aptly named module for (surprise, surprise) detecting secrets within a code base.