Awesome DevSecOps

Curating the best DevSecOps resources and tooling.

Thank you TaptuIT & contributors
View Topic on GitHub:
TaptuIT/awesome-devsecops

Articles

Pager Duty - Guidelines to running security training within an organisation.

Communities

Snyk - A community that runs conferences, a blog, a podcast and a Slack workspace dedicated to DevSecOps.

Conferences

OWASP - An Australian application security conference run by OWASP.

Snyk - A network of DevSecOps conferences run by Snyk.

Podcasts

Seth Law & Ken Johnson - Discussions about current events and specific topics related to application security.

Security Journey - Interviews with industry experts about specific application security concepts.

Aqua Security - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas.

OWASP - Discussions with thought leaders and practitioners to integrate security into the development lifecycle.

Snyk - Discussion about security tools and best practices for software developers.

Secure Development Guidelines

OWASP - A framework of security requirements and controls to help developers design and develop secure web applications.

CERT - A collection of secure development standards for C, C++, Java and Android development.

OWASP - OWASP's list of top ten controls that should be implemented in every software development project.

Mozilla - A guideline containing specific secure development standards for secure web application development.

OWASP - A checklist to verify that secure development standards have been followed.

Secure Development Lifecycle Framework

Stars: 274 | Forks: 102 | Last commit: 8m | License: n/a

Microsoft - A collection of tools and practices that serve as a framework for the secure development lifecycle.

NIST - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle.

Toolchains

XebiaLabs - A collection of DevOps and security tooling categorised by tool functionality.

SANS - A list of security specific practices and tooling categorised into pipeline phases and tool functionality.

Training

Cybrary - Subscription based online courses with dedicated categories for cybersecurity and DevSecOps.

Variety of VM and online challenges (paid).

Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to software engineers.

Pager Duty - A presentation created and open-sourced by PagerDuty to provide security training to employees.

Wikis

Dependency Management

Dependabot is a dependency update service. It monitors and updates your dependencies by sending a pull-request. The service is free for public repos and personal account repos.

OWASP - Scans dependencies for publicly disclosed vulnerabilities using CLI or build server plugins.

OWASP - Monitor the volume and severity of vulnerable dependencies across multiple projects over time.

JFrog - Security and compliance analysis for artifacts stored in JFrog Artifactory.

NPM - Vulnerable package auditing for node packages built into the npm CLI.

WhiteSource - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or git repository apps.

Olivier Mansion & Alexis Tabary - Automated vulnerable dependency monitoring and upgrades for Python projects.

Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).

Dynamic Analysis

Imperva's customizable API attack tool takes an API specification as input and generates and runs attacks based on it.

Stars: 243 | Forks: 52 | Last commit: 1y 4m | License: MIT

A ruggedization framework that embodies the principle "be mean to your code".

Stars: 870 | Forks: 173 | Last commit: 1y 11m | License: MIT

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.

Stars: 1.48K | Forks: 222 | Last commit: 10m | License: Apache-2.0

The OWASP ZAP core project

Stars: 8.24K | Forks: 1.59K | Last commit: 85d | License: Apache-2.0

PortSwigger - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications.

Cloud Formation

Linting tool for CloudFormation templates

Stars: 795 | Forks: 150 | Last commit: 85d | License: MIT

Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.

Stars: 2.07K | Forks: 225 | Last commit: 76d | License: Apache-2.0

Containers

Vulnerability Static Analysis for Containers

Stars: 7.53K | Forks: 930 | Last commit: 85d | License: Apache-2.0

A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running containers for anomalous activity.

Stars: 814 | Forks: 123 | Last commit: 1y 77d | License: Apache-2.0

Dockerfile linter that validates inline bash, written in Haskell.

Stars: 4.81K | Forks: 210 | Last commit: 83d | License: GPL-3.0

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

Stars: 6.45K | Forks: 567 | Last commit: 82d | License: Apache-2.0

Snyk - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring.

Terraform

Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.

Stars: 2.07K | Forks: 225 | Last commit: 76d | License: Apache-2.0

Regula checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego

Stars: 308 | Forks: 38 | Last commit: 4m | License: Apache-2.0

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Stars: 1.27K | Forks: 140 | Last commit: 82d | License: Apache-2.0

Security scanner for your Terraform code.

Stars: 2.3K | Forks: 176 | Last commit: 84d | License: MIT

Kubernetes

Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.

Stars: 2.07K | Forks: 225 | Last commit: 76d | License: Apache-2.0

Kubernetes object analysis with recommendations for improved reliability and security

Stars: 1.09K | Forks: 68 | Last commit: 82d | License: MIT

Security risk analysis for Kubernetes resources

Stars: 269 | Forks: 21 | Last commit: 82d | License: Apache-2.0

Intentionally Vulnerable Applications

Memorable site for testing clients against bad SSL configs.

Stars: 2.02K | Forks: 156 | Last commit: 91d | License: Apache-2.0

Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Stars: 6 | Forks: 2 | Last commit: 8m | License: n/a

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

Stars: 4.28K | Forks: 2.95K | Last commit: 90d | License: MIT

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

Stars: 1.37K | Forks: 753 | Last commit: 94d | License: Apache-2.0

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Stars: 296 | Forks: 57 | Last commit: 8m | License: Apache-2.0

PHP/MySQL web application that is damn vulnerable.

OWASP - A collection of vulnerable web applications for learning purposes.

Monitoring

Csper - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts.

Secrets Management

Safely store secrets in Git/Mercurial/Subversion

Stars: 5.67K | Forks: 313 | Last commit: 4m | License: MIT

Securely manage passwords, certs, and other secrets in Chef

Stars: 412 | Forks: 150 | Last commit: 6m | License: Apache-2.0

A little utility for managing credentials in the cloud

Stars: 1.93K | Forks: 201 | Last commit: 1y 31d | License: Apache-2.0

Prevents you from committing secrets and credentials into git repositories

Stars: 8.69K | Forks: 735 | Last commit: 11m | License: Apache-2.0

The slightly more awesome standard unix password manager for teams

Stars: 3.59K | Forks: 309 | Last commit: 7m | License: MIT

Knox is a secret management service

Stars: 904 | Forks: 81 | Last commit: 99d | License: Apache-2.0

Simple and flexible tool for managing secrets

Stars: 6.86K | Forks: 402 | Last commit: 8m | License: MPL-2.0

Ansible - Securely store secrets within Ansible pipelines.

A managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

Microsoft Azure - Securely store secrets within Azure.

CyberArk - Secrets management for applications including secret rotation and auditing.

Docker - Store and manage access to secrets within a Docker swarm.

Google Cloud Platform - Securely store secrets within GCP.

An encrypted datastore secure enough to hold environment and application secrets.

Multi-Language Support

DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.

Stars: 566 | Forks: 72 | Last commit: 89d | License: MIT

Grep rough audit - a source code auditing tool.

Stars: 630 | Forks: 131 | Last commit: 8m | License: GPL-3.0

A project security/vulnerability/risk scanning tool

Stars: 321 | Forks: 83 | Last commit: 8m | License: n/a

Deep code analysis for GitHub and Bitbucket to find security vulnerabilities and critical code quality issues (using Semmle QL). Automatic code review for pull requests; free for public repositories.

A static source code analyser for vulnerabilities in PHP scripts.

SonarSource - Scan code for security and quality issues with support for a wide variety of languages.

C / C++

A static analysis tool for finding vulnerabilities in C/C++ source code.

Stars: 142 | Forks: 30 | Last commit: 119d | License: GPL-2.0

C#

Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.

Stars: 363 | Forks: 74 | Last commit: 10m | License: MPL-2.0

Configuration Files

Write tests against structured configuration data using the Open Policy Agent Rego query language

Stars: 1.6K | Forks: 166 | Last commit: 87d | License: n/a

Java

The SpotBugs plugin for security audits of Java web applications and Android applications (also works with Kotlin, Groovy and Scala projects).

Stars: 1.46K | Forks: 343 | Last commit: 8m | License: LGPL-3.0

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

Stars: 2.2K | Forks: 351 | Last commit: 81d | License: LGPL-2.1

Discotek.ca - Static analysis for JVM deployment units including Ear, War, Jar and APK.

JavaScript

JS Foundation - Linting tool for JavaScript with multiple security linting rules available.

Go

Golang security checker

Stars: 3.96K | Forks: 307 | Last commit: 90d | License: Apache-2.0

.NET

Vulnerability Patterns Detector for C# and VB.NET

Stars: 531 | Forks: 94 | Last commit: 86d | License: LGPL-3.0

PHP

Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.

Stars: 5.02K | Forks: 332 | Last commit: 102d | License: n/a

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code

Stars: 519 | Forks: 66 | Last commit: 1y 57d | License: GPL-3.0

A static analysis tool for security

Stars: 223 | Forks: 51 | Last commit: 88d | License: MIT

Python

Bandit is a tool designed to find common security issues in Python code.

Stars: 3K | Forks: 312 | Last commit: 90d | License: Apache-2.0

Ruby

A static analysis security vulnerability scanner for Ruby on Rails applications

Stars: 6.01K | Forks: 630 | Last commit: 83d | License: n/a

Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.

Stars: 642 | Forks: 85 | Last commit: 2y 5m | License: MIT

Threat Modelling

A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review.

Stars: 298 | Forks: 55 | Last commit: 6m | License: CC0-1.0

Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.

Stars: 29 | Forks: 17 | Last commit: 4y 5m | License: Apache-2.0

Foreseeti - Threat modelling and attack simulations for IT infrastructure.

IriusRisk - Draw threat models and capture threats and countermeasures and manage risk.

Security Compass - Identify and rank threats, generate actionable tasks and track related tickets.

OWASP - Threat model diagramming tool.

Threatspec - Define threat modelling as code.

Related Lists

Dynamic analysis tools for all programming languages, build tools, config files and more.

Stars: 251 | Forks: 42 | Last commit: 8m | License: n/a

A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.

Stars: 8.23K | Forks: 960 | Last commit: 86d | License: n/a

A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review.

Stars: 298 | Forks: 55 | Last commit: 6m | License: CC0-1.0

OWASP - A collection of vulnerable web applications for learning purposes.