devsecops
Automated monitoring of the top PyPI and npm packages for supply chain compromise. Polls both registries for new releases, diffs each release against its predecessor, and uses an LLM (via Cursor Agent CLI) to classify diffs as benign or malicious. Malicious findings trigger a Slack alert.
Related contents:
Check your AWS CLI commands for security risks before you run them.
Security linter for AWS CLI commands. Catches misconfigurations before they hit your cloud.
703 security checks across 91 AWS services. Findings include severity ratings and a remediated command.
Related contents:
A Better Secrets Scanner. Detect Leaked API Keys & Credentials. A Better Secrets Scanner built for configurability and speed.
Betterleaks is a tool for detecting secrets like passwords, API keys, and tokens in git repos, files, and whatever else you wanna throw at it via stdin. If you wanna learn more about how the detection engine works check out this blog: Regex is (almost) all you need.
Related contents:
A multi-platform CI/CD vulnerability detection and attack automation tool for identifying security weaknesses in pipeline configurations.
Trajan scans CI/CD pipelines for security vulnerabilities that attackers use to compromise software supply chains. It supports GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and JFrog.
Give your agents access, not your secrets. The open-source secret vault for AI agents. Store once. Inject anywhere. Agents never see the keys.
Open-source credential vault. Your agents call services and never see a key.
OneCLI is an open-source gateway that sits between your AI agents and the services they call. Instead of baking API keys into every agent, you store credentials once in OneCLI and the gateway injects them transparently. Agents never see the secrets.
Hide .env secrets from prAIng eyes.
secrets live in local encrypted stores (per project) and are injected directly into apps at runtime, never touching disk as plaintext.
Related contents:
Automatically load secrets from your preferred vault as environment variables or files, and clear them once your shell command is over.
Lade (/leɪd/) is a tool allowing you to automatically load secrets from your preferred vault into environment variables or files. It limits the exposure of secrets to the time the command requiring the secrets lives.
Related contents:
Unified Security Platform from Code to Runtime.
Protect against malicious code installed via npm, yarn, pnpm, npx, and pnpx with Aikido Safe Chain. Free to use, no tokens required.
Git integration usable to store encrypted secrets in the git repository while having the plaintext available in the working tree. An alternative to git-crypt using age instead of GPG.
Do not use this tool unless you understand the security implications. I am by no mean a security expert and this code hasn't been audited. Use at your own risk.
krops is a lightweight toolkit to deploy NixOS systems, remotely or locally.
Implementing Open Source Security Tooling into your CI/CD Pipeline
Securing your Continuous Integration and Continuous Deployment (CI/CD) pipeline is no longer optional—it’s essential. This guide is your go-to resource for building, implementing, and optimizing secure CI/CD workflows. Whether you’re a developer, DevOps engineer, or security professional, we provide information on the open-source tools and guidance you need to model security at every stage of your pipeline. From securing code and builds to monitoring post-deployment environments, our hub empowers teams to integrate security seamlessly into their workflows without sacrificing speed or agility. Explore, learn, and transform your CI/CD processes into a fortress of innovation and resilience.
Related contents:
OpenSource compliance CLI for GitLab CI/CD.
Analyze your GitLab CI/CD pipelines for security and compliance: pipeline composition (templates, components, version constraints), container images (mutable tags, trusted registries), and branch protection settings.
Plumber is a compliance scanner for GitLab. It reads your .gitlab-ci.yml and repository settings, then checks for security and compliance issues.
Related contents:
Brakeman Security Scanner. Secure Your Rails Applications
Brakeman is a free vulnerability scanner designed for Ruby on Rails applications. Statically analyze Rails application code to find security issues at any stage of development.
Secure visual editor for .env files that masks sensitive secrets while allowing easy editing.
Dotenv Mask Editor provides a table-based interface for .env files. It is designed to reduce the accidental exposure of sensitive values by masking strings that meet a length threshold. All processing is done locally within your editor.
Related contents:
Simple, CLI-friendly secret storage that lets you safely commit encrypted secrets to version control.
Simple, password-based encrypted vault for .env and infrastructure secrets. Like git-crypt or sops, but dramatically simpler. Ideal for small teams and IaC workflows
lockenv provides a secure way to store sensitive files (like .env files, configuration files, certificates) in an encrypted .lockenv file that can be safely committed to your repository. Files are encrypted using a password-derived key and can be easily extracted when needed.
ENV management tool, consolidate and manage .env and env variables.
Related contents:
Update a GitHub Secret in all your repos at the same time.
This CLI tool allows you to update the value of a GitHub Secret on multiple repositories at once. This is useful if you're using a user account and not an org, as users do not have the concept of user level secrets.
Related contents:
Database DevSecOps.
Bytebase is an open-source database DevOps tool, it's the only database CI/CD project included by the CNCF Landscape and Platform Engineering. It offers a web-based collaboration workspace to help DBAs and Developers manage the lifecycle of application database schemas.
Related contents:
Fort Knox for your secrets. encrypted/remote secret manager.
Manage secrets with encryption or cloud providers - or both!
Related contents:
CycloneDX Bill of Materials Standard.
CycloneDX is a modern standard for the software supply chain.
The International Standard for Bill of Materials (ECMA-424) The OWASP Foundation and Ecma International Technical Committee for Software & System Transparency (TC54) drive the continued advancement of the specification.
Related contents:
The Airgap Native Package Manager for Kubernetes. airplane mode for your application delivery.
A free open source tool that enables continuous software delivery on systems that are disconnected from the internet. Zarf is a free and open source tool that enables declarative creation & distribution of software into air-gapped/constrained/standalone environments. Zarf provides a way to package and deploy software in a way that is repeatable, secure, and reliable.
Related contents:
A modern open-source Kubernetes auditing and investigation tool.
Replik8s is a modern open-source Kubernetes auditing and investigation tool. It is designed to address the common limitations of traditional security tools, which rely on narrow data collection and predefined logic. RepliK8s allows cloning Kubernetes clusters and serving back exact replicas of the original data, as well as conducting analysis through a tool-agnostic query language.
Linting tool for CloudFormation templates. The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
Related contents:
Open Source Cloud Security Tool.
Prowler is the Open Cloud Security platform for AWS, Azure, GCP, Kubernetes, M365 and more. It helps for continuous monitoring, security assessments & audits, incident response, compliance, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, ENS and more.
Related contents:
AI-assisted SAST, SCA and Secrets Detection. Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Semgrep is a fast, open-source, static analysis tool that searches code, finds bugs, and enforces secure guardrails and coding standards. Semgrep supports 30+ languages and can run in an IDE, as a pre-commit check, and as part of CI/CD workflows.
Related contents:
ChopChop is a command-line tool for dynamic application security testing on web applications, initially written by the Michelin CERT.
Its goal is to scan several endpoints and identify exposition of services/files/folders through the webroot. Checks/Signatures are declared in a config file (by default: chopchop.yml), fully configurable, and especially by developers.
Codefather protects your codebase by controlling who can change what. Set authorization levels, lock down files, and enforce your rules—offline via CLI or online with GitHub Actions.
Declarative secrets, every environment, any provider.
SecretSpec separates the declaration of what secrets an application needs from where they are stored, enabling portable applications that work across different secret storage backends without code changes.
Related contents:
🔎 Static code analysis engine to find security issues in code. Opengrep, a fork of Semgrep, under the LGPL 2.1 license.
Opengrep is an ultra-fast static analysis tool for searching code patterns with the power of semantic grep. Analyze large code bases at the speed of thought with intuitive pattern matching and customizable rules. Find and fix security vulnerabilities, fast – ship more secure code.
Opengrep supports 30+ languages, including:
Apex · Bash · C · C++ · C# · Clojure · Dart · Dockerfile · Elixir · HTML · Go · Java · JavaScript · JSX · JSON · Julia · Jsonnet · Kotlin · Lisp · Lua · OCaml · PHP · Python · R · Ruby · Rust · Scala · Scheme · Solidity · Swift · Terraform · TypeScript · TSX · YAML · XML · Generic (ERB, Jinja, etc.)
Use @decorator comments in your .env file(s) to create a declarative schema for your config and a new function call syntax to securely load secrets from external sources.
Varlock is our tool that uses this parser to actually load your .env files, and then applies the schema that you have defined. It is a CLI, library, and will communicate with a native Mac application that enables using biometric auth to securely encrypt your local secrets.
SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP
Related contents:
Scan for secrets in dangling commits on GitHub using GH Archive data.
This tool scans for secrets in dangling (dereferenced) commits on GitHub created by force push events. A force push occurs when developers overwrite commit history, which often contains mistakes, like hard-coded credentials. This project relies on archived force push event data in the GHArchive to identify the relevant commits.
Related contents:
Fearless Kubernetes App Updates. Check your Kubernetes manifests before it hits the cluster.
kubechecks allows users of Github and Gitlab to see exactly what their changes will affect on their current ArgoCD deployments, as well as automatically run various conformance test suites prior to merge.
Kingfisher is a blazingly fast secret‑scanning and validation tool built in Rust. It combines Intel’s hardware‑accelerated Hyperscan regex engine with language‑aware parsing via Tree‑Sitter, and ships with hundreds of built‑in rules to detect, validate, and triage secrets before they ever reach production.
Related contents:
zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups.
Related contents:
Safer python package installs with audit and consent 𝘣𝘦𝘧𝘰𝘳𝘦 install.
Pipask is a drop-in replacement for pip that performs security checks before installing a package. Unlike pip, which needs to download and execute code from source distribution first to get dependency metadata, pipask relies on metadata from PyPI whenever possible. If 3rd party code execution is necessary, pipask asks for consent first. The actual installation is handed over to pip if installation is approved.
Cloud native secrets management for developers - never leave your command line for secrets.
Never leave your terminal to use secrets while developing, testing, and building your apps.
Instead of custom scripts, tokens in your .zshrc files, visible EXPORTs in your bash history, misplaced .env.production files and more around your workstation -- just use teller and connect it to any vault, key store, or cloud service you like (Teller support Hashicorp Vault, AWS Secrets Manager, Google Secret Manager, and many more).
Fix Inventory is an open-source cloud asset inventory tool for infrastructure and security engineers.
Fix Inventory helps you identify and remove the most critical risks in AWS, GCP, Azure and Kubernetes.
Fix Inventory enables a broad set of exploration and automation scenarios. Its foundation is a graph-based data model, which exposes resource metadata and dependency relationships between your service's assets.
A powerful CLI allows you to search, explore, and manage your cloud resources.
Related contents:
A framework for securing software update systems.
The Update Framework (TUF) maintains the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.
Related contents:
🐍 🔍 GuardDog is a CLI tool to Identify malicious PyPI and npm packages.
GuardDog is a CLI tool that allows to identify malicious PyPI and npm packages or Go modules. It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata. GuardDog can be used to scan local or remote PyPI and npm packages or Go modules using any of the available heuristics.
Related contents:
External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
Related contents:
- (Almost) Every infrastructure decision I endorse or regret after 4 years running infrastructure at a startup @ Jack's home on the web.
- How Maintainer Burnout Is Causing a Kubernetes Security Disaster @ The New Stack.
- GitOps architecture, patterns and anti-patterns @ Platform Engineering.
- Discover the External Secret Operator (ESO) OVHcloud Provider to manage your Kubernetes secrets 🎉 @ OVHcloud.
NGINX configuration static analyzer.
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Cross-platform secret & config manager for development and CI environments
Novops, the universal secret and configuration manager for development, applications and CI.
Related contents:
🔍 LFIer is a powerful and efficient tool for detecting Local File Inclusion (LFI) vulnerabilities in web applications.
🔍 LFIer is a tool engineered to detect Local File Inclusion (LFI) vulnerabilities in web applications. It scans URLs with parameters, injects various payloads, and checks for indicators in the responses to identify potential LFI vulnerabilities. Leveraging asynchronous programming, LFIer ensures efficient and accurate scanning, even in environments protected by WAFs or cloud-based defenses.
Related contents:
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. MobSF can be used for a variety of use cases such as mobile application security, penetration testing, malware analysis, and privacy analysis. The Static Analyzer supports popular mobile app binaries like APK, IPA, APPX and source code. Meanwhile, the Dynamic Analyzer supports both Android and iOS applications and offers a platform for interactive instrumented testing, runtime data and network traffic analysis. MobSF seamlessly integrates with your DevSecOps or CI/CD pipeline, facilitated by REST APIs and CLI tools, enhancing your security workflow with ease.
Security scanner detecting Python Pickle files performing suspicious actions
Validate the isolation posture of your container environment.
Am I Isolated is a security posture benchmarking tool.
It evaluates a given runtime environment and attempts to look for things which may be a security problem, as well as providing suggestions for solving the security problem.
Open Source DevSecOps. CI/CD and DevSecOps Automation
The leading application vulnerability management tool. Built for both DevSecOps and traditional application security. DevSecOps, ASPM, Vulnerability Management. All on one platform.
DefectDojo is a DevSecOps, ASPM (application security posture management), and vulnerability management tool. DefectDojo orchestrates end-to-end security testing, vulnerability tracking, deduplication, remediation, and reporting.
Source: Savez-vous ce qui est un OpenVOC ? @ Florian Dudaev's LinkedIn :fr:.
Universal Artifact Repository Manager.
Definitive artifact management for flexible development and trusted delivery at any scale.
JFrog Artifactory is the single solution for housing and managing all the artifacts, binaries, packages, files, containers, and components for use throughout your software supply chain. JFrog Artifactory serves as your central hub for DevOps, integrating with your tools and processes to improve automation, increase integrity, and incorporate best practices along the way.
Docker Scout is a solution for proactively enhancing your software supply chain security. By analyzing your images, Docker Scout compiles an inventory of components, also known as a Software Bill of Materials (SBOM). The SBOM is matched against a continuously updated vulnerability database to pinpoint security weaknesses.
Telling tales on you for leaking secrets!.
Squealer scans a git repository or filesystem for secrets that are being leaked deep within the commit history.
Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
Talisman is a tool that scans git changesets to ensure that potential secrets or sensitive information do not leave the developer's workstation. It validates the outgoing changeset for things that look suspicious - such as potential SSH keys, authorization tokens, private keys etc.
An authoritative list of awesome devsecops tools with the help from community experiments and contributions.
Inspired by the awesome-* trend on GitHub. This is a collection of documents, presentations, videos, training materials, tools, services and general leadership that support the DevSecOps mission. These are the essential building blocks and tidbits that can help you to arrange for a DevSecOps experiment or to help you build out your own DevSecOps program.
IAM Least Privilege Policy Generator.
Policy Sentry is an AWS IAM Least Privilege Policy Generator, auditor, and analysis database. It compiles database tables based on the AWS IAM Documentation on Actions, Resources, and Condition Keys and leverages that data to create least-privilege IAM policies.
Automatically detect potential vulnerabilities and analyze repository metrics to prioritize open source security research targets .
sastsweep is a tool designed for identifying vulnerabilities in open source codebases at scale. It can gather and filter on key repository metrics such as popularity and project size, enabling targeted vulnerability research. It automatically detects potential vulnerabilities using semgrep and provides a streamlined HTML report, allowing researchers to quickly drill down to the affected portion of the codebase.
A command-line tool to get valuable information out of AWS CloudTrail and a general purpose toolbox for working with IAM policies
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources.
Cloud Custodian enables you to manage your cloud resources by filtering, tagging, and then applying actions to them. The YAML DSL allows defininition of rules to enable well-managed cloud infrastructure that's both secure and cost optimized.
Cloud Custodian, also known as c7n, is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed cloud infrastructure, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
An enterprise friendly way of detecting and preventing secrets in code.
detect-secrets is an aptly named module for (surprise, surprise) detecting secrets within a code base.
Centralized Cloud-Based Secrets Management Platform.
Securely manage, orchestrate, and govern secrets at scale with Doppler’s developer-first cloud hosted platform.
Related contents: