
Awesome DevSecOps

Curating the best DevSecOps resources and tooling.


Last Update: Oct. 20, 2021, 12:04 p.m.

Thank you TaptuIT & contributors
View Topic on GitHub:
TaptuIT/awesome-devsecops


Articles

Pager Duty - Guidelines to running security training within an organisation.

Books

Communities

Snyk - A community that runs conferences, a blog, a podcast and a Slack workspace dedicated to DevSecOps.

Conferences

OWASP - An Australian application security conference run by OWASP.

Snyk - A network of DevSecOps conferences run by Snyk.

Podcasts

Seth Law & Ken Johnson - Discussions about current events and specific topics related to application security.

Security Journey - Interviews with industry experts about specific application security concepts.

Aqua Security - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.

OWASP - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.

Snyk - Discussion about security tools and best practices for software developers.

Secure Development Guidelines

OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.

CERT - A collection of secure development standards for C, C++, Java and Android development.

OWASP - OWASP's list of top ten controls that should be implemented in every software development project.

Mozilla - A guideline containing specific secure development standards for secure web application development.

OWASP - A checklist to verify that secure development standards have been followed.

Secure Development Lifecycle Framework

274
102
1y 48d
n/a

Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.

NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.

Toolchains

Training

Presentations, training modules, and other education materials from Duo Security's Application Security team.

44
13
1y 12m
BSD-3-Clause

Cybrary - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps.

Variety of VM and online challenges (paid).

Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.

Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to employees.

Wikis

Dependency Management

Dependabot is a dependency update service. It monitors and updates your dependencies by sending a pull-request. The service is free for public repos and personal account repos.

OWASP - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.

OWASP - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.

JFrog - Security and compliance analysis for artifacts stored in JFrog Artifactory.

NPM - Vulnerable package auditing for node packages built into the npm CLI.

WhiteSource - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.

Olivier Mansion & Alexis Tabary - Automated vulnerable dependency monitoring and upgrades for Python projects.

Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).

Dynamic Analysis

Imperva's customizable API attack tool takes an API specification as input, then generates and runs attacks based on it.

243
52
1y 9m
MIT

A ruggedization framework that embodies the principle "be mean to your code".

870
173
2y 4m
MIT

Discover internet-wide misconfigurations while drinking coffee

257
26
5m
MIT

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.

1.48K
222
1y 117d
Apache-2.0

The OWASP ZAP core project

8.24K
1.59K
8m
Apache-2.0

PortSwigger - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.

Multi-Platform

Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.

2.07K
225
7m
Apache-2.0

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

477
58
4m
n/a

Cloud Formation

Linting tool for CloudFormation templates

795
150
8m
MIT

Containers

Vulnerability Static Analysis for Containers

7.53K
930
8m
Apache-2.0

A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running containers in order to detect anomalous activities.

814
123
1y 7m
Apache-2.0

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

6.57K
717
7m
Apache-2.0

Dockerfile linter, validate inline bash, written in Haskell

4.81K
210
8m
GPL-3.0

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

6.45K
567
8m
Apache-2.0

Snyk - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.

Terraform

Regula checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego

308
38
10m
Apache-2.0

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

1.27K
140
8m
Apache-2.0

๐Ÿ”’๐ŸŒ Security scanner for your Terraform code

2.3K
176
8m
MIT

Kubernetes

Kubernetes object analysis with recommendations for improved reliability and security

1.09K
68
8m
MIT

Security risk analysis for Kubernetes resources

269
21
8m
Apache-2.0

Ansible

Best practices checker for Ansible

2.51K
399
4m
MIT

Intentionally Vulnerable Applications

Memorable site for testing clients against bad SSL configs.

2.02K
156
8m
Apache-2.0

Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

6
2
1y 48d
n/a

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

4.28K
2.95K
8m
MIT

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

1.37K
753
8m
Apache-2.0

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

296
57
1y 48d
Apache-2.0

PHP/MySQL web application that is damn vulnerable.

OWASP - A collection of vulnerable web applications for learning purposes.

Monitoring

Csper - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.

Secrets Management

Safely store secrets in Git/Mercurial/Subversion

5.67K
313
9m
MIT

Securely manage passwords, certs, and other secrets in Chef

412
150
11m
Apache-2.0

A little utility for managing credentials in the cloud

1.93K
201
1y 6m
Apache-2.0

Prevents you from committing secrets and credentials into git repositories

8.69K
735
1y 4m
Apache-2.0

The slightly more awesome standard unix password manager for teams

3.59K
309
1y 19d
MIT

Knox is a secret management service

904
81
8m
Apache-2.0

Simple and flexible tool for managing secrets

6.86K
402
1y 36d
MPL-2.0

A secrets management tool for developers built in Go - never leave your command line for secrets.

379
15
4m
Apache-2.0

Ansible - Securely store secrets within Ansible pipelines.

A managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

Microsoft Azure - Securely store secrets within Azure.

CyberArk - Secrets management for applications including secret rotation and auditing.

Docker - Store and manage access to secrets within a Docker swarm.

Google Cloud Platform - Securely store secrets within GCP.

An encrypted datastore secure enough to hold environment and application secrets.

Secrets Scanning

An enterprise friendly way of detecting and preventing secrets in code.

1.86K
216
4m
Apache-2.0

Scan git repos (or files) for secrets using regex and entropy

7.19K
624
8m
MIT

Prevents you from committing secrets and credentials into git repositories

8.69K
735
1y 4m
Apache-2.0

Scan your code for security misconfiguration, search for passwords and secrets.

469
81
8m
MIT

Searches through git repositories for high entropy strings and secrets, digging deep into commit history

5.74K
797
4m
GPL-2.0

Multi-Language Support

DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.

566
72
8m
MIT

grep rough audit - source code auditing tool

630
131
1y 49d
GPL-3.0

A project security/vulnerability/risk scanning tool

321
83
1y 42d
n/a

Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.

A static source code analyser for vulnerabilities in PHP scripts.

SonarSource - Scan code for security and quality issues with support for a wide variety of languages.

C / C++

A static analysis tool for finding vulnerabilities in C/C++ source code

142
30
9m
GPL-2.0

C

Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.

363
74
1y 101d
MPL-2.0

Configuration Files

Write tests against structured configuration data using the Open Policy Agent Rego query language

1.6K
166
8m
n/a

Java

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects)

1.46K
343
1y 50d
LGPL-3.0

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

2.2K
351
8m
LGPL-2.1

Discotek.ca - Static analysis for JVM deployment units including Ear, War, Jar and APK.

JavaScript

JS Foundation - Linting tool for JavaScript with multiple security linting rules available.

Go

Golang security checker

3.96K
307
8m
Apache-2.0

.NET

Vulnerability Patterns Detector for C# and VB.NET

531
94
8m
LGPL-3.0

PHP

Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.

5.02K
332
8m
n/a

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code

519
66
1y 7m
GPL-3.0

A static analysis tool for security

223
51
8m
MIT

Python

Bandit is a tool designed to find common security issues in Python code.

3K
312
8m
Apache-2.0

Ruby

A static analysis security vulnerability scanner for Ruby on Rails applications

6.01K
630
8m
n/a

Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.

642
85
2y 10m
MIT

Supply Chain Security

preflight helps you verify scripts and executables to mitigate supply chain attacks such as the recent Codecov hack.

36
7
4m
Apache-2.0

Threat Modelling

A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review.

298
55
11m
CC0-1.0

Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.

29
17
4y 11m
Apache-2.0

Foreseeti - Threat modelling and attack simulations for IT infrastructure.

IriusRisk - Draw threat models and capture threats and countermeasures and manage risk.

Security Compass - Identify and rank threats, generate actionable tasks and track related tickets.

OWASP - Threat model diagramming tool.

Threatspec - Define threat modelling as code.

Related Lists

Dynamic analysis tools for all programming languages, build tools, config files and more.

251
42
1y 54d
n/a

A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.

8.23K
960
8m
n/a

A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review.

298
55
11m
CC0-1.0

OWASP - A collection of vulnerable web applications for learning purposes.