
Awesome DevSecOps

Curating the best DevSecOps resources and tooling.


Last Update: Dec. 4, 2021, 3:06 p.m.

Thank you TaptuIT & contributors
View Topic on GitHub:
TaptuIT/awesome-devsecops

Entries below are grouped by category. Each entry shows the project's description followed by its GitHub star count, fork count, time since the last commit (days, months or years), and license.

Articles

Books

Communities

Conferences

Podcasts

Secure Development Guidelines

Secure Development Lifecycle Framework

Toolchains

Training

Wikis

Dependency Management

Dynamic Analysis

Imperva's customizable API attack tool takes an API specification as input, then generates and runs attacks based on it.

Stars: 272 | Forks: 66 | Last commit: 8m | License: MIT

A ruggedization framework that embodies the principle "be mean to your code".

Stars: 897 | Forks: 183 | Last commit: 54d | License: MIT

Discover internet-wide misconfigurations while drinking coffee

Stars: 302 | Forks: 33 | Last commit: 6m | License: MIT

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.

Stars: 1.54K | Forks: 230 | Last commit: 1y 5m | License: Apache-2.0

The OWASP ZAP core project

Stars: 8.96K | Forks: 1.77K | Last commit: 30d | License: Apache-2.0

Multi-Platform

Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.

Stars: 3.5K | Forks: 492 | Last commit: 1d | License: Apache-2.0

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

Stars: 742 | Forks: 88 | Last commit: 31d | License: Apache-2.0

Cloud Formation

Linting tool for CloudFormation templates

Stars: 944 | Forks: 169 | Last commit: 30d | License: MIT

Containers

Vulnerability Static Analysis for Containers

Stars: 8.26K | Forks: 1.01K | Last commit: 31d | License: Apache-2.0

A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running containers to detect anomalous activity.

Stars: 895 | Forks: 135 | Last commit: 81d | License: Apache-2.0

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

Stars: 7.46K | Forks: 840 | Last commit: 3d | License: Apache-2.0

Dockerfile linter that also validates inline bash, written in Haskell.

Stars: 6.1K | Forks: 269 | Last commit: 38d | License: GPL-3.0

Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues

Stars: 8.94K | Forks: 823 | Last commit: 33d | License: Apache-2.0

Terraform

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego

Stars: 553 | Forks: 62 | Last commit: 32d | License: Apache-2.0

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

Stars: 2.58K | Forks: 291 | Last commit: 33d | License: Apache-2.0

Security scanner for your Terraform code

Stars: 3.46K | Forks: 288 | Last commit: 30d | License: MIT

Kubernetes

Kubernetes object analysis with recommendations for improved reliability and security

Stars: 1.41K | Forks: 100 | Last commit: 36d | License: MIT

Security risk analysis for Kubernetes resources

Stars: 358 | Forks: 28 | Last commit: 36d | License: Apache-2.0

Ansible

Best practices checker for Ansible

Stars: 2.61K | Forks: 423 | Last commit: 32d | License: MIT

Intentionally Vulnerable Applications

Memorable site for testing clients against bad SSL configs.

Stars: 2.2K | Forks: 173 | Last commit: 32d | License: Apache-2.0

Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Stars: 53 | Forks: 166 | Last commit: 30d | License: n/a

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

Stars: 6.15K | Forks: 3.84K | Last commit: 32d | License: MIT

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

Stars: 1.5K | Forks: 924 | Last commit: 108d | License: Apache-2.0

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Stars: 608 | Forks: 454 | Last commit: 31d | License: Apache-2.0

Monitoring

Secrets Management

Safely store secrets in Git/Mercurial/Subversion

Stars: 5.99K | Forks: 342 | Last commit: 6m | License: MIT

Securely manage passwords, certs, and other secrets in Chef

Stars: 411 | Forks: 154 | Last commit: 74d | License: Apache-2.0

A little utility for managing credentials in the cloud

Stars: 1.99K | Forks: 211 | Last commit: 4m | License: Apache-2.0

Prevents you from committing secrets and credentials into git repositories

Stars: 9.54K | Forks: 902 | Last commit: 31d | License: Apache-2.0

The slightly more awesome standard unix password manager for teams

Stars: 4.28K | Forks: 389 | Last commit: 31d | License: MIT

Knox is a secret management service

Stars: 958 | Forks: 92 | Last commit: 37d | License: Apache-2.0

Simple and flexible tool for managing secrets

Stars: 8.52K | Forks: 494 | Last commit: 38d | License: MPL-2.0

A secrets management tool for developers built in Go: never leave your command line for secrets.

Stars: 486 | Forks: 95 | Last commit: 42d | License: Apache-2.0

Secrets Scanning

An enterprise-friendly way of detecting and preventing secrets in code.

Stars: 2.04K | Forks: 251 | Last commit: 43d | License: Apache-2.0

Scan git repos (or files) for secrets using regex and entropy 🔑

Stars: 8.56K | Forks: 772 | Last commit: 30d | License: MIT

Prevents you from committing secrets and credentials into git repositories

Stars: 9.54K | Forks: 902 | Last commit: 31d | License: Apache-2.0

Scan your code for security misconfigurations and search for passwords and secrets.

Stars: 531 | Forks: 88 | Last commit: 114d | License: MIT

Searches through git repositories for high entropy strings and secrets, digging deep into commit history

Stars: 6.09K | Forks: 865 | Last commit: 31d | License: GPL-2.0

Multi-Language Support

DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities.

Stars: 638 | Forks: 88 | Last commit: 31d | License: MIT

grep rough audit: a source code auditing tool

Stars: 906 | Forks: 185 | Last commit: 31d | License: GPL-3.0

A project security/vulnerability/risk scanning tool

Stars: 356 | Forks: 91 | Last commit: 95d | License: n/a

C / C++

A static analysis tool for finding vulnerabilities in C/C++ source code.

Stars: 218 | Forks: 45 | Last commit: 74d | License: GPL-2.0

C

Puma Scan is a software security Visual Studio extension that provides real-time, continuous source code analysis as development teams write code. Vulnerabilities are displayed immediately in the development environment, like spell-check and compiler warnings, preventing security bugs from entering your applications.

Stars: 379 | Forks: 81 | Last commit: 9m | License: MPL-2.0

Configuration Files

Write tests against structured configuration data using the Open Policy Agent Rego query language

Stars: 1.98K | Forks: 205 | Last commit: 30d | License: n/a

Java

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)

Stars: 1.73K | Forks: 399 | Last commit: 33d | License: LGPL-3.0

SpotBugs is FindBugs' successor: a static analysis tool that looks for bugs in Java code.

Stars: 2.54K | Forks: 427 | Last commit: 10d | License: LGPL-2.1

JavaScript

Go

Golang security checker

Stars: 5.53K | Forks: 408 | Last commit: 31d | License: Apache-2.0

.NET

Vulnerability Patterns Detector for C# and VB.NET

Stars: 645 | Forks: 111 | Last commit: 113d | License: LGPL-3.0

PHP

Phan is a static analyzer for PHP. Phan prefers to avoid false-positives and attempts to prove incorrectness rather than correctness.

Stars: 5.19K | Forks: 352 | Last commit: 13d | License: n/a

phpcs-security-audit is a set of PHP_CodeSniffer rules that find security vulnerabilities and weaknesses in PHP code.

Stars: 590 | Forks: 77 | Last commit: 8m | License: GPL-3.0

A static analysis tool for security

Stars: 251 | Forks: 52 | Last commit: 9m | License: MIT

Python

Bandit is a tool designed to find common security issues in Python code.

Stars: 3.64K | Forks: 375 | Last commit: 40d | License: Apache-2.0

Ruby

A static analysis security vulnerability scanner for Ruby on Rails applications

Stars: 6.26K | Forks: 679 | Last commit: 37d | License: n/a

Dawn is a static analysis security scanner for web applications written in Ruby. It supports the Sinatra, Padrino and Ruby on Rails frameworks.

Stars: 652 | Forks: 88 | Last commit: 8m | License: MIT

Supply Chain Security

preflight helps you verify scripts and executables to mitigate supply chain attacks such as the recent Codecov hack.

Stars: 115 | Forks: 31 | Last commit: 4m | License: Apache-2.0

Threat Modelling

A curated list of threat modeling resources (books, courses both free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of a security review.

Stars: 450 | Forks: 94 | Last commit: 67d | License: CC0-1.0

Project intended to make attack maps part of software development by reducing the time it takes to complete them.

Stars: 35 | Forks: 19 | Last commit: 5y 11d | License: Apache-2.0

Related Lists

โš™๏ธ A curated list of dynamic analysis tools for all programming languages, binaries, and more.

Stars: 428 | Forks: 64 | Last commit: 30d | License: MIT

โš™๏ธ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.

Stars: 9.03K | Forks: 1.04K | Last commit: 31d | License: MIT

A curated list of threat modeling resources (books, courses both free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and the initial phases of a security review.

Stars: 450 | Forks: 94 | Last commit: 67d | License: CC0-1.0