
Awesome DevSecOps

Curating the best DevSecOps resources and tooling.


Last Update: May 19, 2022, 10:05 p.m.

Thank you TaptuIT & contributors
View Topic on GitHub:
TaptuIT/awesome-devsecops


Articles

Books

Communities

Conferences

Podcasts

Secure Development Guidelines

Secure Development Lifecycle Framework

Toolchains

Training

Wikis

Dependency Management

Dynamic Analysis

Imperva's customizable API attack tool: it takes an API specification as input, then generates and runs attacks derived from that specification.

Stars: 272 · Forks: 66 · Last commit: 1y 64d · License: MIT

A ruggedization framework that embodies the principle "be mean to your code".

Stars: 897 · Forks: 183 · Last commit: 7m · License: MIT

Discover internet-wide misconfigurations while drinking coffee

Stars: 302 · Forks: 33 · Last commit: 1y 9d · License: MIT

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.

Stars: 1.54K · Forks: 230 · Last commit: 1y 10m · License: Apache-2.0

The OWASP ZAP core project

Stars: 8.96K · Forks: 1.77K · Last commit: 6m · License: Apache-2.0

Multi-Platform

Prevent cloud misconfigurations at build time for Terraform, CloudFormation, Kubernetes, the Serverless Framework and other infrastructure-as-code languages with Checkov by Bridgecrew.

Stars: 3.77K · Forks: 555 · Last commit: 96d · License: Apache-2.0

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

Stars: 742 · Forks: 88 · Last commit: 6m · License: Apache-2.0

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Stars: 2.86K · Forks: 328 · Last commit: 59d · License: Apache-2.0

Cloud Formation

Linting tool for CloudFormation templates

Stars: 980 · Forks: 175 · Last commit: 4m · License: MIT
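The scanners in this section and in the Multi-Platform section above all evaluate infrastructure-as-code against policies before anything is provisioned. As an added illustration (example code written for this page, not the rule set of Checkov, KICS, Terrascan or cfn-lint), the following Python script applies three S3 bucket checks and one security-group check to a constructed CloudFormation template, then shows the same template with each finding fixed. The template contents and the rule identifiers (`S3_PUBLIC_ACL`, `SG_SSH_OPEN_TO_WORLD`, and so on) are invented for the example; the CloudFormation property names are the real ones.

```python
"""Added example (not any listed project's code): build-time policy checks over a
CloudFormation template, plus the hardened template that passes them.
Templates are constructed; rule IDs are invented for illustration."""
import copy
import json

# Constructed "weak" template with two common misconfigurations.
WEAK_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}
    },
    "AdminSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    }
  }
}
""")

# The same template with each finding fixed: private ACL, default encryption,
# a complete public access block, and SSH restricted to an internal range.
HARDENED_TEMPLATE = copy.deepcopy(WEAK_TEMPLATE)
HARDENED_TEMPLATE["Resources"]["LogsBucket"]["Properties"] = {
    "AccessControl": "Private",
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "BlockPublicPolicy": True,
        "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
}
sg_rules = HARDENED_TEMPLATE["Resources"]["AdminSg"]["Properties"]["SecurityGroupIngress"]
sg_rules[0]["CidrIp"] = "10.0.0.0/8"

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = ((22, "SSH"), (3389, "RDP"))

def check_s3_bucket(name, props):
    """Return (resource, rule_id, message) findings for an AWS::S3::Bucket."""
    findings = []
    if props.get("AccessControl") in PUBLIC_ACLS:
        findings.append((name, "S3_PUBLIC_ACL", f"bucket ACL is {props['AccessControl']}"))
    if "BucketEncryption" not in props:
        findings.append((name, "S3_NO_ENCRYPTION", "no default server-side encryption"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append((name, "S3_NO_PUBLIC_ACCESS_BLOCK", "public access block incomplete"))
    return findings

def rule_covers_port(rule, port):
    """True if an ingress rule admits traffic to `port` (IpProtocol -1 means all traffic)."""
    if str(rule.get("IpProtocol")) == "-1":
        return True
    try:
        return int(rule.get("FromPort")) <= port <= int(rule.get("ToPort"))
    except (TypeError, ValueError):
        return False

def check_security_group(name, props):
    """Flag SSH/RDP reachable from any address in an AWS::EC2::SecurityGroup."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD_CIDRS:
            continue
        for port, label in ADMIN_PORTS:
            if rule_covers_port(rule, port):
                findings.append((name, f"SG_{label}_OPEN_TO_WORLD", f"{label} ({port}) open from {cidr}"))
    return findings

CHECKS = {"AWS::S3::Bucket": check_s3_bucket, "AWS::EC2::SecurityGroup": check_security_group}

def scan_template(template):
    """Run every applicable check over the template's Resources section."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        results = scan_template(tpl)
        print(f"{label}: {len(results)} finding(s)")
        for resource, rule_id, message in results:
            print(f"  {resource}: {rule_id}: {message}")
```

Run as a script it reports four findings for the weak template and none for the hardened one. In a pipeline the same idea is wired as a pre-plan or pre-deploy step that exits non-zero on any finding; the real tools listed above ship hundreds of such rules and also parse Terraform HCL and Kubernetes YAML, which this example does not.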

Containers

Vulnerability Static Analysis for Containers

Stars: 8.26K · Forks: 1.01K · Last commit: 6m · License: Apache-2.0

A tool that performs static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images and containers, and monitors the Docker daemon and running containers for anomalous activity.

Stars: 895 · Forks: 135 · Last commit: 8m · License: Apache-2.0

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

Stars: 7.76K · Forks: 887 · Last commit: 20d · License: Apache-2.0

Dockerfile linter that also validates inline Bash; written in Haskell.

Stars: 6.1K · Forks: 269 · Last commit: 6m · License: GPL-3.0

Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues

Stars: 8.94K · Forks: 823 · Last commit: 6m · License: Apache-2.0

Terraform

Regula checks infrastructure-as-code templates (Terraform, CloudFormation, Kubernetes manifests) for AWS, Azure, Google Cloud and Kubernetes security and compliance using Open Policy Agent/Rego.

Stars: 553 · Forks: 62 · Last commit: 6m · License: Apache-2.0

Security scanner for your Terraform code

Stars: 3.46K · Forks: 288 · Last commit: 6m · License: MIT

Kubernetes

Kubernetes object analysis with recommendations for improved reliability and security

Stars: 1.41K · Forks: 100 · Last commit: 6m · License: MIT

Security risk analysis for Kubernetes resources

Stars: 358 · Forks: 28 · Last commit: 6m · License: Apache-2.0

Ansible

Best practices checker for Ansible

Stars: 2.61K · Forks: 423 · Last commit: 6m · License: MIT

Intentionally Vulnerable Applications

Memorable site for testing clients against bad SSL configs.

Stars: 2.2K · Forks: 173 · Last commit: 6m · License: Apache-2.0

Cfngoat is Bridgecrew's "Vulnerable by Design" CloudFormation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Stars: 53 · Forks: 166 · Last commit: 6m · License: n/a

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

Stars: 6.15K · Forks: 3.84K · Last commit: 6m · License: MIT

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

Stars: 1.5K · Forks: 924 · Last commit: 9m · License: Apache-2.0

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Stars: 608 · Forks: 454 · Last commit: 6m · License: Apache-2.0

Monitoring

Secrets Management

Safely store secrets in Git/Mercurial/Subversion

Stars: 5.99K · Forks: 342 · Last commit: 1y 5d · License: MIT

Securely manage passwords, certs, and other secrets in Chef

Stars: 411 · Forks: 154 · Last commit: 8m · License: Apache-2.0

A little utility for managing credentials in the cloud

Stars: 1.99K · Forks: 211 · Last commit: 9m · License: Apache-2.0

Prevents you from committing secrets and credentials into git repositories

Stars: 9.54K · Forks: 902 · Last commit: 6m · License: Apache-2.0

The slightly more awesome standard unix password manager for teams

Stars: 4.28K · Forks: 389 · Last commit: 6m · License: MIT

Keyscope is a key and secret workflow (validation, invalidation, etc.) tool built in Rust

Stars: 308 · Forks: 99 · Last commit: 6m · License: Apache-2.0

Knox is a secret management service

Stars: 958 · Forks: 92 · Last commit: 6m · License: Apache-2.0

Simple and flexible tool for managing secrets

Stars: 8.52K · Forks: 494 · Last commit: 6m · License: MPL-2.0

A secrets management tool for developers built in Go - never leave your command line for secrets.

Stars: 486 · Forks: 95 · Last commit: 6m · License: Apache-2.0

Secrets Scanning

An enterprise friendly way of detecting and preventing secrets in code.

Stars: 2.04K · Forks: 251 · Last commit: 7m · License: Apache-2.0

Scan git repos (or files) for secrets using regex and entropy 🔑

Stars: 8.56K · Forks: 772 · Last commit: 6m · License: MIT

Prevents you from committing secrets and credentials into git repositories

Stars: 9.54K · Forks: 902 · Last commit: 6m · License: Apache-2.0

Scan your code for security misconfigurations and search for passwords and secrets.

Stars: 531 · Forks: 88 · Last commit: 9m · License: MIT

Searches through git repositories for high entropy strings and secrets, digging deep into commit history

Stars: 6.09K · Forks: 865 · Last commit: 6m · License: GPL-2.0

Multi-Language Support

DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.

Stars: 638 · Forks: 88 · Last commit: 6m · License: MIT

grep rough audit - source code auditing tool

Stars: 906 · Forks: 185 · Last commit: 6m · License: GPL-3.0

A project security/vulnerability/risk scanning tool

Stars: 356 · Forks: 91 · Last commit: 8m · License: n/a

C / C++

A static analysis tool for finding vulnerabilities in C/C++ source code.

Stars: 218 · Forks: 45 · Last commit: 8m · License: GPL-2.0

C#

Puma Scan is a software security Visual Studio extension that provides real-time, continuous source code analysis as development teams write code. Vulnerabilities are displayed immediately in the development environment, like spell-check and compiler warnings, preventing security bugs from entering your applications.

Stars: 379 · Forks: 81 · Last commit: 1y 97d · License: MPL-2.0

Configuration Files

Write tests against structured configuration data using the Open Policy Agent Rego query language

Stars: 1.98K · Forks: 205 · Last commit: 6m · License: n/a

Java

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)

Stars: 1.73K · Forks: 399 · Last commit: 6m · License: LGPL-3.0

SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

Stars: 2.63K · Forks: 454 · Last commit: 103d · License: LGPL-2.1

JavaScript

Go

Golang security checker

Stars: 5.53K · Forks: 408 · Last commit: 6m · License: Apache-2.0

.NET

Vulnerability Patterns Detector for C# and VB.NET

Stars: 645 · Forks: 111 · Last commit: 9m · License: LGPL-3.0

PHP

Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.

Stars: 5.23K · Forks: 360 · Last commit: 96d · License: n/a

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code

Stars: 590 · Forks: 77 · Last commit: 1y 60d · License: GPL-3.0

A static analysis tool for security

Stars: 251 · Forks: 52 · Last commit: 1y 96d · License: MIT

Python

Bandit is a tool designed to find common security issues in Python code.

Stars: 3.64K · Forks: 375 · Last commit: 6m · License: Apache-2.0

Ruby

A static analysis security vulnerability scanner for Ruby on Rails applications

Stars: 6.31K · Forks: 687 · Last commit: 95d · License: n/a

Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.

Stars: 652 · Forks: 88 · Last commit: 1y 44d · License: MIT

Supply Chain Security

preflight helps you verify scripts and executables to mitigate supply-chain attacks such as the recent Codecov hack.

Stars: 115 · Forks: 31 · Last commit: 9m · License: Apache-2.0

Fulcio, Cosign and Rekor handle digital signing, verification and the provenance checks needed to make it safer to distribute and use open source software.

Threat Modelling

A curated list of threat modeling resources (books, courses both free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review.

Stars: 450 · Forks: 94 · Last commit: 7m · License: CC0-1.0

Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.

Stars: 35 · Forks: 19 · Last commit: 5y 5m · License: Apache-2.0

Related Lists

โš™๏ธ A curated list of dynamic analysis tools for all programming languages, binaries, and more.

Stars: 428 · Forks: 64 · Last commit: 6m · License: MIT

โš™๏ธ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.

Stars: 9.03K · Forks: 1.04K · Last commit: 6m · License: MIT

A curated list of threat modeling resources (books, courses both free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of security review.

Stars: 450 · Forks: 94 · Last commit: 7m · License: CC0-1.0