devsecops
CycloneDX Bill of Materials Standard.
CycloneDX is a modern standard for the software supply chain.
The International Standard for Bill of Materials (ECMA-424). The OWASP Foundation and Ecma International Technical Committee for Software & System Transparency (TC54) drive the continued advancement of the specification.
The Airgap Native Package Manager for Kubernetes. Airplane mode for your application delivery.
A free open source tool that enables continuous software delivery on systems that are disconnected from the internet. Zarf is a free and open source tool that enables declarative creation & distribution of software into air-gapped/constrained/standalone environments. Zarf provides a way to package and deploy software in a way that is repeatable, secure, and reliable.
A modern open-source Kubernetes auditing and investigation tool.
Replik8s is a modern open-source Kubernetes auditing and investigation tool. It is designed to address the common limitations of traditional security tools, which rely on narrow data collection and predefined logic. RepliK8s allows cloning Kubernetes clusters and serving back exact replicas of the original data, as well as conducting analysis through a tool-agnostic query language.
Linting tool for CloudFormation templates. The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
Open Source Cloud Security Tool.
Prowler is the Open Cloud Security platform for AWS, Azure, GCP, Kubernetes, M365 and more. It helps with continuous monitoring, security assessments and audits, incident response, compliance, hardening and forensics readiness. It includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, ENS and more.
AI-assisted SAST, SCA and Secrets Detection. Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
Semgrep is a fast, open-source, static analysis tool that searches code, finds bugs, and enforces secure guardrails and coding standards. Semgrep supports 30+ languages and can run in an IDE, as a pre-commit check, and as part of CI/CD workflows.
ChopChop is a command-line tool for dynamic application security testing on web applications, initially written by the Michelin CERT.
Its goal is to scan several endpoints and identify exposure of services, files and folders through the webroot. Checks/signatures are declared in a fully configurable config file (by default chopchop.yml), so developers in particular can write their own.
Codefather protects your codebase by controlling who can change what. Set authorization levels, lock down files, and enforce your rules—offline via CLI or online with GitHub Actions.
Declarative secrets, every environment, any provider.
SecretSpec separates the declaration of what secrets an application needs from where they are stored, enabling portable applications that work across different secret storage backends without code changes.
🔎 Static code analysis engine to find security issues in code. Opengrep, a fork of Semgrep, under the LGPL 2.1 license.
Opengrep is an ultra-fast static analysis tool for searching code patterns with the power of semantic grep. Analyze large code bases at the speed of thought with intuitive pattern matching and customizable rules. Find and fix security vulnerabilities, fast – ship more secure code.
Opengrep supports 30+ languages, including:
Apex · Bash · C · C++ · C# · Clojure · Dart · Dockerfile · Elixir · HTML · Go · Java · JavaScript · JSX · JSON · Julia · Jsonnet · Kotlin · Lisp · Lua · OCaml · PHP · Python · R · Ruby · Rust · Scala · Scheme · Solidity · Swift · Terraform · TypeScript · TSX · YAML · XML · Generic (ERB, Jinja, etc.)
Use @decorator comments in your .env file(s) to create a declarative schema for your config and a new function call syntax to securely load secrets from external sources.
Varlock is our tool that uses this parser to actually load your .env files, and then applies the schema that you have defined. It is a CLI and a library, and it communicates with a native Mac application that enables using biometric auth to securely encrypt your local secrets.
Scan for secrets in dangling commits on GitHub using GH Archive data.
This tool scans for secrets in dangling (dereferenced) commits on GitHub created by force push events. A force push occurs when developers overwrite commit history, which often contains mistakes, like hard-coded credentials. This project relies on archived force push event data in the GHArchive to identify the relevant commits.
Fearless Kubernetes App Updates. Check your Kubernetes manifests before they hit the cluster.
kubechecks allows users of Github and Gitlab to see exactly what their changes will affect on their current ArgoCD deployments, as well as automatically run various conformance test suites prior to merge.
Kingfisher is a blazingly fast secret‑scanning and validation tool built in Rust. It combines Intel’s hardware‑accelerated Hyperscan regex engine with language‑aware parsing via Tree‑Sitter, and ships with hundreds of built‑in rules to detect, validate, and triage secrets before they ever reach production.
zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups.
Safer Python package installs with audit and consent before install.
Pipask is a drop-in replacement for pip that performs security checks before installing a package. Unlike pip, which needs to download and execute code from a source distribution first to get dependency metadata, pipask relies on metadata from PyPI whenever possible. If third-party code execution is necessary, pipask asks for consent first. The actual installation is handed over to pip if it is approved.
Cloud native secrets management for developers - never leave your command line for secrets.
Never leave your terminal to use secrets while developing, testing, and building your apps.
Instead of custom scripts, tokens in your .zshrc files, visible EXPORTs in your bash history, misplaced .env.production files and more around your workstation, just use teller and connect it to any vault, key store, or cloud service you like (Teller supports Hashicorp Vault, AWS Secrets Manager, Google Secret Manager, and many more).
Fix Inventory is an open-source cloud asset inventory tool for infrastructure and security engineers.
Fix Inventory helps you identify and remove the most critical risks in AWS, GCP, Azure and Kubernetes.
Fix Inventory enables a broad set of exploration and automation scenarios. Its foundation is a graph-based data model, which exposes resource metadata and dependency relationships between your service's assets.
A powerful CLI allows you to search, explore, and manage your cloud resources.
A framework for securing software update systems.
The Update Framework (TUF) maintains the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.
🐍 🔍 GuardDog is a CLI tool to Identify malicious PyPI and npm packages.
GuardDog is a CLI tool that identifies malicious PyPI and npm packages or Go modules. It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata. GuardDog can be used to scan local or remote PyPI and npm packages or Go modules using any of the available heuristics.
External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
NGINX configuration static analyzer.
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Cross-platform secret & config manager for development and CI environments.
Novops, the universal secret and configuration manager for development, applications and CI.
🔍 LFIer is a powerful and efficient tool for detecting Local File Inclusion (LFI) vulnerabilities in web applications.
🔍 LFIer is a tool engineered to detect Local File Inclusion (LFI) vulnerabilities in web applications. It scans URLs with parameters, injects various payloads, and checks for indicators in the responses to identify potential LFI vulnerabilities. Leveraging asynchronous programming, LFIer ensures efficient and accurate scanning, even in environments protected by WAFs or cloud-based defenses.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. MobSF can be used for a variety of use cases such as mobile application security, penetration testing, malware analysis, and privacy analysis. The Static Analyzer supports popular mobile app binaries like APK, IPA, APPX and source code. Meanwhile, the Dynamic Analyzer supports both Android and iOS applications and offers a platform for interactive instrumented testing, runtime data and network traffic analysis. MobSF seamlessly integrates with your DevSecOps or CI/CD pipeline, facilitated by REST APIs and CLI tools, enhancing your security workflow with ease.
Security scanner detecting Python Pickle files performing suspicious actions.
Validate the isolation posture of your container environment.
Am I Isolated is a security posture benchmarking tool.
It evaluates a given runtime environment and attempts to look for things which may be a security problem, as well as providing suggestions for solving the security problem.
Open Source DevSecOps. CI/CD and DevSecOps Automation.
The leading application vulnerability management tool. Built for both DevSecOps and traditional application security. DevSecOps, ASPM, Vulnerability Management. All on one platform.
DefectDojo is a DevSecOps, ASPM (application security posture management), and vulnerability management tool. DefectDojo orchestrates end-to-end security testing, vulnerability tracking, deduplication, remediation, and reporting.
Source: Do you know what an OpenVOC is? @ Florian Dudaev's LinkedIn (in French).
Universal Artifact Repository Manager.
Definitive artifact management for flexible development and trusted delivery at any scale.
JFrog Artifactory is the single solution for housing and managing all the artifacts, binaries, packages, files, containers, and components for use throughout your software supply chain. JFrog Artifactory serves as your central hub for DevOps, integrating with your tools and processes to improve automation, increase integrity, and incorporate best practices along the way.
Docker Scout is a solution for proactively enhancing your software supply chain security. By analyzing your images, Docker Scout compiles an inventory of components, also known as a Software Bill of Materials (SBOM). The SBOM is matched against a continuously updated vulnerability database to pinpoint security weaknesses.
Telling tales on you for leaking secrets!
Squealer scans a git repository or filesystem for secrets that are being leaked deep within the commit history.
Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
Talisman is a tool that scans git changesets to ensure that potential secrets or sensitive information do not leave the developer's workstation. It validates the outgoing changeset for things that look suspicious, such as potential SSH keys, authorization tokens, private keys, etc.
An authoritative list of awesome devsecops tools with the help from community experiments and contributions.
Inspired by the awesome-* trend on GitHub. This is a collection of documents, presentations, videos, training materials, tools, services and general leadership that support the DevSecOps mission. These are the essential building blocks and tidbits that can help you to arrange for a DevSecOps experiment or to help you build out your own DevSecOps program.
IAM Least Privilege Policy Generator.
Policy Sentry is an AWS IAM Least Privilege Policy Generator, auditor, and analysis database. It compiles database tables based on the AWS IAM Documentation on Actions, Resources, and Condition Keys and leverages that data to create least-privilege IAM policies.
Automatically detect potential vulnerabilities and analyze repository metrics to prioritize open source security research targets.
sastsweep is a tool designed for identifying vulnerabilities in open source codebases at scale. It can gather and filter on key repository metrics such as popularity and project size, enabling targeted vulnerability research. It automatically detects potential vulnerabilities using semgrep and provides a streamlined HTML report, allowing researchers to quickly drill down to the affected portion of the codebase.
A command-line tool to get valuable information out of AWS CloudTrail and a general purpose toolbox for working with IAM policies.
Rules engine for cloud security, cost optimization, and governance; a YAML DSL for policies to query, filter, and take actions on resources.
Cloud Custodian enables you to manage your cloud resources by filtering, tagging, and then applying actions to them. The YAML DSL allows definition of rules to enable well-managed cloud infrastructure that's both secure and cost optimized.
Cloud Custodian, also known as c7n, is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that's both secure and cost optimized. It consolidates many of the ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
An enterprise friendly way of detecting and preventing secrets in code.
detect-secrets is an aptly named module for (surprise, surprise) detecting secrets within a code base.
Centralized Cloud-Based Secrets Management Platform.
Securely manage, orchestrate, and govern secrets at scale with Doppler’s developer-first cloud hosted platform.
🧪 Correlate Semgrep scans with Python test coverage to prioritize SAST findings and get bug fix suggestions via a self-hosted LLM.
vulncov correlates Semgrep scans with Python test code coverage to identify which vulnerable code has been executed by unit tests, helping prioritize SAST findings and reduce false positives. It also leverages a self-hosted LLM to suggest bug fixes!
Node Version Audit is a convenience tool to easily check a given Node.js version against a regularly updated list of CVE exploits, new releases, and end of life dates.
Node Version Audit is not: exploit detection/mitigation, vendor-specific version tracking, a replacement for staying informed on Node.js releases and security exploits.
Sample Go app repo with test and release pipelines optimized for software supply chain security (S3C).
Template Go app repo with local test/lint/build/vulnerability check workflow, and on-tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance.
Code signing and transparency for containers and binaries. Signing OCI containers (and other artifacts) using Sigstore! Cosign aims to make signatures invisible infrastructure.
Gato, or GitHub Attack Toolkit, is an enumeration and attack tool that allows both blue teamers and offensive security practitioners to identify and exploit pipeline vulnerabilities within a GitHub organization's public and private repositories.
SBOM quality score: quality metrics for your SBOMs. sbomqs is your primary tool to assess an SBOM's quality and compliance. The higher the score, the more consumable and compliant your SBOMs are.
Octoscan is a static vulnerability scanner for GitHub action workflows.
A flexible detection platform that simplifies rule management and deployment with K8s CronJob and Helm. Venator is flexible enough to run standalone or with other job schedulers like Nomad.
Venator is optimized for Kubernetes deployment but is flexible enough to run standalone or with other job schedulers like Nomad. It provides a highly adaptable detection engine that prioritizes simplicity, extensibility, and ease of maintenance. Supporting multiple query engines and publishers, Venator allows you to easily switch between different data lakes or services with minimal changes, avoiding vendor lock-in and dependence on specific SIEM solutions for signal generation.
Comprehensive Open Source Security and SBOM Management. Secure Your Products From Repo to Release.
Stop vulnerabilities, automate compliance, and mitigate third-party risk in your applications.
Open Source Orchestration and Correlation Tool. ASOC, ASPM, DevSecOps, Vulnerability Management Using ArcherySec.
Automate Your Application Security Orchestration And Correlation (ASOC) Using ArcherySec.
ArcherySec allows interaction with continuous integration/continuous delivery (CI/CD) toolchains to specify testing and to control the release of a given build based on results. It includes prioritization functions, enabling you to focus on the most critical vulnerabilities. ArcherySec uses popular open source tools to perform comprehensive scanning of web applications and networks. Developers can also use the tool when implementing their DevOps CI/CD environment.
Sigstore is an open source project for improving software supply chain security. The Sigstore framework and tooling empowers software developers and consumers to securely sign and verify software artifacts such as release files, container images, binaries, software bills of materials (SBOMs), and more. Signatures are generated with ephemeral signing keys so there’s no need to manage keys. Signing events are recorded in a tamper-resistant public log so software developers can audit signing events.
Find and verify secrets. Find leaked credentials.
TruffleHog is the most powerful secrets Discovery, Classification, Validation, and Analysis tool. In this context secret refers to a credential a machine uses to authenticate itself to another machine. This includes API keys, database passwords, private encryption keys, and more...
This Ansible collection provides battle-tested hardening for Linux, SSH, nginx, MySQL.
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
Gitleaks is a fast, light-weight, portable, and open-source secret scanner for git repositories, files, and directories.
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration with ASPM/VM platforms and in CI environments.
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys.
Simple and flexible tool for managing secrets.
SOPS is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.