Track Awesome Devsecops Updates Weekly
Curating the best DevSecOps resources and tooling.
😺 TaptuIT/awesome-devsecops · ⭐ 1.1K · 🏷️ Security
Jan 08 - Jan 14, 2024
Infrastructure as Code Analysis / Kubernetes
- Kubescape - Cloud Native Computing Foundation - An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters.
Aug 29 - Sep 04, 2022
Newsletters
- Shift Security Left - Cossack Labs - A free biweekly newsletter for security-aware developers covering application security, secure architecture, DevSecOps, cryptography, incidents, etc. that can be useful for builders and (to a lesser extent) for breakers.
Jul 25 - Jul 31, 2022
Supply Chain Security
- Harden Runner GitHub Action (⭐426) - StepSecurity - installs a security agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of credentials, detect compromised dependencies and build tools, and detect tampering of source code during the build.
Feb 07 - Feb 13, 2022
Infrastructure as Code Analysis / Multi-Platform
- Terrascan (⭐4.3k) - Accurics - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Jan 03 - Jan 09, 2022
Secrets Management
- Keyscope (⭐369) - Spectral - Keyscope is an open source key and secret workflow tool (validation, invalidation, etc.) built in Rust.
Oct 18 - Oct 24, 2021
Dependency Management
- Deepfence ThreatMapper (⭐4.5k) - Deepfence - Apache 2.0 licensed runtime vulnerability scanner for Kubernetes, virtual machines and serverless.
Oct 04 - Oct 10, 2021
Infrastructure as Code Analysis / Multi-Platform
- Spectral DeepConfig - Spectral - Find misconfiguration both in infrastructure as well as apps as early as commit time.
Supply Chain Security
- Sigstore - sigstore is a set of free to use and open source tools, including fulcio (⭐581), cosign (⭐3.8k) and rekor (⭐802), handling digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.
Sep 27 - Oct 03, 2021
Secure Development Guidelines
- Fundamental Practices for Secure Software Development - SAFECode - Guidelines for implementing key secure development practices throughout the SDLC.
Secure Development Lifecycle Framework
- Building Security In Maturity Model (BSIMM) - Synopsys - A framework for software security created by observing and analysing data from leading software security initiatives.
Wikis
- SecureFlag Knowledge Base - OWASP - A repository of information about software vulnerabilities and how to prevent them.
Sep 06 - Sep 12, 2021
Toolchains
- Cloud Security and DevSecOps Best Practices and Securing Web Application Technologies (SWAT) Checklist - SANS - A poster containing the Securing Web Application Technologies (SWAT) Checklist, SANS Cloud Security Curriculum, Cloud Security Top 10, Top 12 Kubernetes Threats, and Secure DevOps Toolchain.
Jun 14 - Jun 20, 2021
Secrets Scanning
- Detect Secrets (⭐3.3k) - Yelp - An aptly named module for (surprise, surprise) detecting secrets within a code base.
May 24 - May 30, 2021
Dynamic Analysis
- Netz (⭐360) - Spectral - Discover internet-wide misconfigurations, using zgrab2 and others.
Infrastructure as Code Analysis / Containers
- Docker-Bench-Security (⭐8.7k) - Docker - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Infrastructure as Code Analysis / Ansible
- Ansible-Lint (⭐3.2k) - Ansible Community - Checks playbooks for practices and behaviour that could potentially be improved. As a community backed project ansible-lint supports only the last two major versions of Ansible.
Secrets Management
- Teller (⭐1.9k) - Spectral - A secrets management tool for developers - never leave your command line for secrets.
Secrets Scanning
- SpectralOps - Spectral - Automated code security, secrets, tokens and sensitive data scanning.
Supply Chain Security
- Preflight (⭐141) - Spectral - helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems, such as in the recent Codecov hack.
May 10 - May 16, 2021
Books
- Alice and Bob Learn Application Security - Tanya Janca - An accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development.
Training
- Application Security Education (⭐67) - Duo Security - Training materials created by the Duo application security team, including introductory and advanced training presentations and hands-on labs.
Secrets Scanning
- CredScan - Microsoft - A credential scanning tool that can be run as a task in Azure DevOps pipelines.
- GitGuardian - GitGuardian - A web-based solution that scans and monitors public and private git repositories for secrets.
- Gitleaks (⭐14k) - Zachary Rice - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys and tokens in git repositories.
- git-secrets (⭐12k) - AWS Labs - Scans commits, commit messages and merges for secrets. Native support for AWS secret patterns, but can be configured to support other patterns.
- Nightfall - Nightfall - A web-based platform that monitors for sensitive data disclosure across several SDLC tools, including GitHub repositories.
- Repo-supervisor (⭐631) - Auth0 - Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda.
- truffleHog (⭐13k) - Truffle Security - Searches through git repositories for secrets, digging deep into commit history and branches.
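The scanners listed above combine two techniques: signatures for known credential formats, and an entropy heuristic for generic "looks like a token" literals, with an inline allowlist marker so documented placeholders do not fail the build. The block below is an added example written for this page to show both techniques on a constructed config file; it is not the rule set or code of gitleaks, truffleHog, detect-secrets or any other listed tool. The signature prefixes, the 3.5-bit entropy cut-off and the sample file are assumptions made for the example.

```python
"""Minimal secrets scanner: credential-format signatures plus a Shannon-entropy
heuristic for generic assignments, the two techniques the listed scanners combine.
Everything here is constructed for this example; it is not any tool's own rule set."""
import math
import re
from dataclasses import dataclass

# Format signatures. Assumption: the AKIA/ASIA access-key-ID prefixes and the
# gh*_ token prefixes are the publicly documented formats; real tools ship many more.
SIGNATURES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Generic catch-all: a suspiciously named variable assigned a long token-like literal.
GENERIC = re.compile(
    r"(?i)\b(?P<name>[A-Z0-9_]*(?:secret|token|password|api_?key)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]?(?P<value>[A-Za-z0-9+/=_\-]{16,})"
)
# Inline suppression markers used by detect-secrets and gitleaks respectively.
ALLOWLIST_MARKERS = ("pragma: allowlist secret", "gitleaks:allow")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off, tune per corpus


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    redacted: str


def shannon_entropy(value: str) -> float:
    """Bits per character: random base64 is well above 4, English words around 2-3."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo the full secret into CI logs; a prefix is enough to locate it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if any(marker in line for marker in ALLOWLIST_MARKERS):
            continue  # explicitly allowlisted (test fixtures, documented examples)
        hit = False
        for rule, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(rule, line_no, redact(m.group(0))))
                hit = True
        if hit:
            continue  # a format signature is more precise than the generic rule
        m = GENERIC.search(line)
        if m and shannon_entropy(m.group("value")) >= entropy_threshold:
            findings.append(Finding("generic-high-entropy", line_no, redact(m.group("value"))))
    return findings


# Constructed sample input. The AKIA value is AWS's documented placeholder key.
SAMPLE_CONFIG = (
    "# settings.py (constructed sample input for this example)\n"
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    'DB_PASSWORD = "passwordpassword"\n'  # low entropy: suppressed by the heuristic
    'API_TOKEN = os.environ["API_TOKEN"]\n'  # read from the environment: no literal
    'GITHUB_TOKEN = "ghp_' + "A" * 36 + '"  # pragma: allowlist secret\n'
    "-----BEGIN RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

On the sample the scanner reports the access key ID on line 2, the high-entropy secret key on line 3 and the private-key header on line 7; the low-entropy placeholder, the environment lookup and the allowlisted token are not reported. Real tools also walk every commit in the git history, since a secret removed in a later commit is still retrievable.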
Static Analysis / Multi-Language Support
- SemGrep - r2c - Semgrep is a fast, open-source, static analysis tool that finds bugs and enforces code standards at editor, commit, and CI time.
Apr 19 - Apr 25, 2021
Training
- SafeStack - SafeStack - Security training for software development teams, designed to be accessible to individuals and small teams as well as larger organisations.
- We Hack Purple - We Hack Purple - Online courses that teach application security theory and hands-on technical lessons.
Secrets Management
- AWS Key Management Service (KMS) - Amazon AWS - Create and manage cryptographic keys in AWS.
- AWS Secrets Manager - Amazon AWS - Securely store retrievable application secrets in AWS.
Apr 05 - Apr 11, 2021
Infrastructure as Code Analysis / Multi-Platform
- Checkov (⭐6.2k) - Bridgecrew - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.
- KICS (⭐1.8k) - Checkmarx - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle.
Mar 29 - Apr 04, 2021
Infrastructure as Code Analysis / Terraform
- Terraform Compliance - terraform-compliance - A lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code.
Feb 15 - Feb 21, 2021
Toolchains
- Periodic Table of DevOps Tools - XebiaLabs - A collection of DevSecOps tooling categorised by tool functionality.
Feb 01 - Feb 07, 2021
Training
- Secure Code Warrior - Secure Code Warrior - Gamified and hands-on secure development training with support for courses, assessments and tournaments.
- SecureFlag - OWASP - Hands-on secure coding training for Developers and Build/Release Engineers.
Static Analysis / Multi-Language Support
- DevSkim (⭐857) - Microsoft - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages.
- SonarLint - SonarSource - An IDE plugin that highlights potential security issues, code quality issues and bugs.
Jan 18 - Jan 24, 2021
Infrastructure as Code Analysis / Containers
- Hadolint (⭐9.3k) - Hadolint - Checks a Dockerfile against known rules and validates inline bash code in RUN statements.
Infrastructure as Code Analysis / Terraform
- Regula (⭐908) - Fugue - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment.
Jan 04 - Jan 10, 2021
Training
- Practical DevSecOps - Practical DevSecOps - Learn DevSecOps concepts, tools, and techniques from industry experts with practical DevSecOps using state of the art browser-based labs.
Oct 12 - Oct 18, 2020
Infrastructure as Code Analysis / Containers
- Trivy (⭐20k) - Aqua Security - Simple and comprehensive vulnerability scanner for containers.
Oct 05 - Oct 11, 2020
Wikis
- DevSecOps Hub - Snyk - Introduction to key DevSecOps concepts, processes and technologies.
Infrastructure as Code Analysis / Containers
- Anchore Engine - Anchore, Inc - Deep inspection of Docker images for CVEs and checking against custom policies. Engine behind their enterprise products that integrate against registries, orchestrators and CI/CD products.
Secrets Management
- Gopass (⭐5.5k) - Gopass - Password manager for teams relying on Git and gpg. Manages secrets in encrypted files and repositories.
Static Analysis / Multi-Language Support
- Hawkeye (⭐358) - Hawkeyesec - Modularised CLI tool for project security, vulnerability and general risk highlighting.
Sep 07 - Sep 13, 2020
Intentionally Vulnerable Applications
- Cfngoat (⭐88) - Bridgecrew - CloudFormation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the CloudFormation Infrastructure as Code Analysis tools above.
- Terragoat (⭐1.1k) - Bridgecrew - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above.
Jul 13 - Jul 19, 2020
Static Analysis / PHP
- Phan (⭐5.5k) - Phan - Broad static analysis for PHP applications with some support for security scanning features.
Jun 29 - Jul 05, 2020
Articles
- Our Approach to Employee Security Training - Pager Duty - Guidelines to running security training within an organisation.
Communities
- MyDevSecOps - Snyk - A community that runs conferences, a blog, a podcast and a Slack workspace dedicated to DevSecOps.
Conferences
- AppSec Day - OWASP - An Australian application security conference run by OWASP.
- DevSecCon - Snyk - A network of DevSecOps conferences run by Snyk.
Podcasts
- Absolute AppSec - Seth Law & Ken Johnson - Discussions about current events and specific topics related to application security.
- Application Security Podcast - Security Journey - Interviews with industry experts about specific application security concepts.
- BeerSecOps - Aqua Security - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.
- DevSecOps Podcast Series - OWASP - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.
- The Secure Developer - Snyk - Discussion about security tools and best practices for software developers.
Secure Development Guidelines
- Application Security Verification Standard - OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.
- Coding Standards - CERT - A collection of secure development standards for C, C++, Java and Android development.
- Proactive Controls - OWASP - OWASP's list of top ten controls that should be implemented in every software development project.
- Secure Coding Guidelines - Mozilla - A guideline containing specific secure development standards for secure web application development.
- Secure Coding Practices Quick Reference Guide - OWASP - A checklist to verify that secure development standards have been followed.
Secure Development Lifecycle Framework
- Secure Development Lifecycle - Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.
- Secure Software Development Framework - NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.
- Software Assurance Maturity Model (⭐394) - OWASP - A framework to measure and improve the maturity of the secure development lifecycle.
Training
- Cybrary - Cybrary - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps.
- PentesterLab - PentesterLab - Hands-on labs to understand and exploit simple and advanced web vulnerabilities.
- Security Training for Engineers - Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.
- Security Training for Everyone - Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to all employees.
- Web Security Academy - PortSwigger - A set of materials and labs to learn and exploit common web vulnerabilities.
Dependency Management
- Dependabot - GitHub - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies.
- Dependency-Check - OWASP - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.
- Dependency-Track - OWASP - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.
- JFrog XRay - JFrog - Security and compliance analysis for artifacts stored in JFrog Artifactory.
- NPM Audit - NPM - Vulnerable package auditing for node packages built into the npm CLI.
- Renovate - WhiteSource - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.
- Requires.io - Olivier Mansion & Alexis Tabary - Automated vulnerable dependency monitoring and upgrades for Python projects.
- Snyk Open Source - Snyk - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database.
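What the dependency scanners above have in common is a small core: resolve the installed version of each package, test it against the affected range of each advisory, and gate the build on the highest matched severity (npm audit's audit level, for instance). The block below is an added example written for this page to show that core on a constructed lockfile and advisory feed; it is not the code or data of any listed tool. The package names, advisory IDs and ranges are constructed and are not real identifiers, and versions are assumed to be plain MAJOR.MINOR.PATCH.

```python
"""Vulnerable-dependency matching of the kind Dependency-Check, npm audit and Snyk
perform: compare resolved versions against advisory ranges and gate on severity.
Lockfile, advisories and package names are constructed for this example; the
advisory IDs are not real identifiers."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}
CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)?(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> tuple:
    """Assumption: plain MAJOR.MINOR.PATCH; pre-release tags are out of scope here."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def satisfies(version: str, spec: str) -> bool:
    """spec is space-separated constraints that must all hold, e.g. '>=1.0.0 <1.2.6'."""
    v = parse_version(version)
    for token in spec.split():
        m = CONSTRAINT.match(token)
        if not m:
            raise ValueError(f"bad constraint: {token!r}")
        op = m.group(1) or "="
        bound = tuple(int(x) for x in m.groups()[1:])
        # Tuples compare numerically, so 1.10.0 > 1.9.0; string comparison gets this wrong.
        holds = {">=": v >= bound, "<=": v <= bound, ">": v > bound,
                 "<": v < bound, "=": v == bound}[op]
        if not holds:
            return False
    return True


@dataclass(frozen=True)
class Match:
    package: str
    installed: str
    advisory_id: str
    severity: str
    fixed_in: str


def audit(lockfile: dict, advisories: list, fail_level: str = "high") -> tuple:
    """Return (matches, should_fail): the vulnerable packages and whether any
    match reaches fail_level, the same gate as an audit-level flag in CI."""
    matches = []
    for adv in advisories:
        installed = lockfile.get(adv["package"])
        if installed is not None and satisfies(installed, adv["affected"]):
            matches.append(Match(adv["package"], installed, adv["id"],
                                 adv["severity"], adv["fixed_in"]))
    threshold = SEVERITY_RANK[fail_level]
    should_fail = any(SEVERITY_RANK[m.severity] >= threshold for m in matches)
    return matches, should_fail


# Constructed lockfile (package -> resolved version) and constructed advisory feed.
LOCKFILE = {"example-http": "4.17.15", "example-args": "1.2.5", "example-web": "4.18.2"}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "example-http", "affected": "<4.17.21",
     "fixed_in": "4.17.21", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "example-args", "affected": ">=1.0.0 <1.2.6",
     "fixed_in": "1.2.6", "severity": "moderate"},
    {"id": "ADV-EXAMPLE-0003", "package": "example-web", "affected": "<4.0.0",
     "fixed_in": "4.0.0", "severity": "low"},
]

if __name__ == "__main__":
    found, fail = audit(LOCKFILE, ADVISORIES)
    for m in found:
        print(f"{m.severity:8} {m.package}@{m.installed} ({m.advisory_id}); fixed in {m.fixed_in}")
    print("build should fail:", fail)
```

Two of the three packages match and the build fails at the default "high" level but passes at "critical". A real lockfile is a tree, not a flat map, and the same package can be resolved at several versions in different subtrees; the scanners above walk the whole tree so that a vulnerable transitive copy is not hidden by a patched top-level one.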
Dynamic Analysis
- Automatic API Attack Tool (⭐414) - Imperva - Perform automated security scanning against an API based on an API specification.
- BurpSuite Enterprise Edition - PortSwigger - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.
- Gauntlt (⭐967) - Gauntlt - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax.
- SSL Labs Scan (⭐1.7k) - SSL Labs - Automated scanning for SSL / TLS configuration issues.
- Zed Attack Proxy (ZAP) (⭐12k) - OWASP - An open-source web application vulnerability scanner, including an API for CI/CD integration.
Infrastructure as Code Analysis / CloudFormation
- Cfn Nag (⭐1.2k) - Stelligent - Scan AWS CloudFormation templates for insecure configuration.
Infrastructure as Code Analysis / Containers
- Clair (⭐9.9k) - Quay - Scan App Container and Docker containers for publicly disclosed vulnerabilities.
- Dagda (⭐1.1k) - Elías Grande - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning.
- Snyk Container - Snyk - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.
Infrastructure as Code Analysis / Terraform
- Tfsec (⭐6.4k) - Liam Galvin - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice.
Infrastructure as Code Analysis / Kubernetes
- Kube-Score (⭐2.4k) - Gustav Westling - Scan Kubernetes object definitions for security and performance misconfiguration.
- Kubectl Kubesec (⭐495) - ControlPlane - kubectl plugin for kubesec.io that performs security risk analysis of Kubernetes resources.
Intentionally Vulnerable Applications
- Bad SSL (⭐2.7k) - The Chromium Project - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
- Damn Vulnerable Web App - Ryan Dewhurst - A web application that provides a safe environment to understand and exploit common web vulnerabilities.
- Juice Shop (⭐9k) - OWASP - A web application containing the OWASP Top 10 security vulnerabilities and more.
- NodeGoat (⭐1.8k) - OWASP - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
Related Lists
- Vulnerable Web Apps Directory - OWASP - A collection of vulnerable web applications for learning purposes.
- Awesome Threat Modelling (⭐1.1k) - Practical DevSecOps - A curated list of threat modeling resources.
- Awesome Dynamic Analysis (⭐816) - Matthias Endler - A collection of dynamic analysis tools and code quality checkers.
- Awesome Static Analysis (⭐12k) - Matthias Endler - A collection of static analysis tools and code quality checkers.
Monitoring
- Csper - Csper - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.
Secrets Management
- Ansible Vault - Ansible - Securely store secrets within Ansible pipelines.
- Azure Key Vault - Microsoft Azure - Securely store secrets within Azure.
- BlackBox (⭐6.6k) - StackExchange - Encrypt credentials within your code repository.
- Chef Vault (⭐407) - Chef - Securely store secrets within Chef.
- CredStash (⭐2.1k) - Fugue - Securely store secrets within AWS using KMS and DynamoDB.
- CyberArk Application Access Manager - CyberArk - Secrets management for applications including secret rotation and auditing.
- Docker Secrets - Docker - Store and manage access to secrets within a Docker swarm.
- Git Secrets (⭐12k) - Amazon AWS - Scan git repositories for secrets committed within code or commit messages.
- Google Cloud Key Management Service (KMS) - Google Cloud Platform - Securely store secrets within GCP.
- HashiCorp Vault - HashiCorp - Securely store secrets via UI, CLI or HTTP API.
- Pinterest Knox (⭐1.2k) - Pinterest - Securely store, rotate and audit secrets.
- Secrets Operations (SOPS) (⭐14k) - Mozilla - Encrypt keys stored within YAML, JSON, ENV, INI and BINARY files.
Static Analysis / Multi-Language Support
- Graudit (⭐1.3k) - Eldar Marcussen - Grep source code for potential security flaws with custom or pre-configured regex signatures.
- LGTM - Semmle - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries.
- RIPS - RIPS Technologies - Automated static analysis for PHP, Java and Node.js projects.
- SonarQube - SonarSource - Scan code for security and quality issues with support for a wide variety of languages.
Static Analysis / C / C++
- FlawFinder (⭐421) - David Wheeler - Scan C / C++ code for potential security weaknesses.
Static Analysis / C#
- Puma Scan (⭐430) - Puma Security - A Visual Studio plugin to scan .NET projects for potential security flaws.
Static Analysis / Configuration Files
- Conftest (⭐2.7k) - Instrumenta - Create custom tests to scan any configuration file for security flaws.
Static Analysis / Java
- Deep Dive - Discotek.ca - Static analysis for JVM deployment units including Ear, War, Jar and APK.
- Find Security Bugs (⭐2.2k) - OWASP - SpotBugs plugin for security audits of Java web applications. Supports Eclipse, IntelliJ, Android Studio and SonarQube.
- SpotBugs (⭐3.3k) - SpotBugs - Static code analysis for Java applications.
Static Analysis / JavaScript
- ESLint - JS Foundation - Linting tool for JavaScript with multiple security linting rules available.
Static Analysis / Go
- Golang Security Checker (⭐7.3k) - securego - CLI tool to scan Go code for potential security flaws.
Static Analysis / .NET
- Security Code Scan (⭐893) - Security Code Scan - Static code analysis for C# and VB.NET applications.
Static Analysis / PHP
- PHPCS Security Audit (⭐689) - Floe - PHP static analysis with rules for PHP, Drupal 7 and PHP related CVEs.
- Progpilot (⭐305) - Design Security - Static analysis for PHP source code.
Static Analysis / Python
- Bandit (⭐5.7k) - Python Code Quality Authority - Find common security vulnerabilities in Python code.
Static Analysis / Ruby
- Brakeman (⭐6.8k) - Justin Collins - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
- DawnScanner (⭐723) - Paolo Perego - Security scanning for Ruby scripts and web application. Supports Ruby on Rails, Sinatra and Padrino frameworks.
Threat Modelling
- SecuriCAD - foreseeti - Threat modelling and attack simulations for IT infrastructure.
- IriusRisk - IriusRisk - Draw threat models and capture threats and countermeasures and manage risk.
- Raindance Project (⭐42) - DevSecOps - Use attack maps to identify attack surface and adversary strategies that may lead to compromise.
- SD Elements - Security Compass - Identify and rank threats, generate actionable tasks and track related tickets.
- Threat Dragon - OWASP - Threat model diagramming tool.
- Threat Modelling Tool - Microsoft - Threat model diagramming tool.
- Threatspec - Threatspec - Define threat modelling as code.