DevSecOps
Integration of security practices into DevOps.
Contents
- Dependency Management
- Dynamic Analysis
- Multi-Platform
- Cloud Formation
- Containers
- Terraform
- Kubernetes
- Ansible
- Intentionally Vulnerable Applications
- Secrets Management
- Secrets Scanning
- Multi-Language Support
- C / C++
- C#
- Configuration Files
- Java
- Go
- .NET
- PHP
- Python
- Ruby
- Supply Chain Security
- Threat Modelling
Tools
Dependency Management
Dynamic Analysis
Perform automated security scanning against an API based on an API specification.
A Behaviour Driven Development framework that runs security scans with common security tools and tests their output, with the tests defined in Gherkin syntax.
Discover internet-wide misconfigurations using zgrab2 and other scanners.
A stateful RESTful API scanner based on peer-reviewed research papers.
Automated scanning for SSL / TLS configuration issues.
An open-source web application vulnerability scanner, including an API for CI/CD integration.
Multi-Platform
Bridgecrew - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.
Checkmarx - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle.
Accurics - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Cloud Formation
Containers
Red Hat - Scan App Container and Docker containers for publicly disclosed vulnerabilities.
Elías Grande - Compares the versions of the OS packages and software dependencies installed in Docker containers with public vulnerability databases, and also performs virus scanning.
Docker - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Anchore - An easy-to-integrate open source vulnerability scanning tool for container images and filesystems.
Hadolint - Checks a Dockerfile against known rules and validates inline bash code in RUN statements.
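To make concrete what a Dockerfile linter of the kind listed above actually checks, here is a small one as an added example. It is this page's own illustration, not Hadolint's code, and its rule ids and messages are invented for the demo; the two Dockerfiles are constructed inline, with the "bad" one carrying the classic mistakes (unpinned `latest` base image, `apt-get install` without `--no-install-recommends`, a download piped into `sh`, `sudo` in `RUN`, and no non-root `USER`) and the "good" one showing the hardened form.

```python
import re

# Constructed Dockerfiles for the demo (not taken from any real project).
BAD_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl \\
    && curl -sSL https://example.invalid/install.sh | sh
RUN sudo chmod 755 /app
COPY . /app
"""

GOOD_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY . /app
RUN useradd --system app
USER app
"""


def logical_lines(text):
    """Join backslash continuations so a multi-line RUN is checked as one command."""
    out, buf, start = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not buf:
            start = lineno
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].rstrip())
            continue
        buf.append(stripped)
        out.append((start, " ".join(buf)))
        buf = []
    if buf:  # file ended inside a continuation
        out.append((start, " ".join(buf)))
    return out


def lint_dockerfile(text):
    """Return (line, rule_id, message) tuples; the rule ids are this example's own."""
    findings = []
    last_user = "root"  # Docker's default when no USER instruction is present
    last_line = 0
    for lineno, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        last_line = lineno
        instruction, _, args = line.partition(" ")
        instruction = instruction.upper()
        if instruction == "FROM":
            image = args.split()[0]
            name = image.rsplit("/", 1)[-1]  # drop registry/namespace before looking for a tag
            if "@sha256:" not in image and (":" not in name or name.endswith(":latest")):
                findings.append((lineno, "BASE_IMAGE_UNPINNED",
                                 "pin the base image to a version tag or digest, not latest"))
        elif instruction == "USER":
            last_user = args.strip().split(":")[0]  # USER may be written as name:group
        elif instruction == "RUN":
            if re.search(r"\bapt-get install\b", args) and "--no-install-recommends" not in args:
                findings.append((lineno, "APT_RECOMMENDS",
                                 "apt-get install without --no-install-recommends pulls in extra packages"))
            if re.search(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b", args):
                findings.append((lineno, "PIPE_TO_SHELL",
                                 "piping a download straight into a shell executes unverified code"))
            if re.search(r"\bsudo\b", args):
                findings.append((lineno, "SUDO",
                                 "do not use sudo in RUN; switch users with USER instead"))
    if last_user in ("root", "0"):
        findings.append((last_line, "ROOT_USER",
                         "no non-root USER set; the container will run as root"))
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        for line, rule, message in lint_dockerfile(dockerfile):
            print(f"{label}:{line}: {rule}: {message}")
```

The continuation-joining step matters more than it looks: most real Dockerfiles split package installs across several lines, and a linter that inspects physical lines misses the `| sh` at the end of the second line. Hadolint goes further than this example by handing the `RUN` body to ShellCheck, which is what "validates inline bash code" above refers to.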
Kubernetes
Intentionally Vulnerable Applications
The Chromium Project - A container running a number of webservers with poor SSL / TLS configuration. Useful for testing tooling.
Bridgecrew - Cloud Formation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the Cloud Formation Infrastructure as Code Analysis tools above.
Cider Security - A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
OWASP - A web application containing the OWASP Top 10 security vulnerabilities and more.
Madhu Akula - Intentionally vulnerable cluster environment to learn and practice Kubernetes security.
OWASP - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.
Bridgecrew - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. Ideal for testing the Terraform Infrastructure as Code Analysis tools above.
OWASP - A vulnerable app with examples showing how not to use secrets.
Secrets Management
Encrypt credentials within your code repository.
Securely store secrets within Chef.
Securely store secrets within AWS using KMS and DynamoDB.
Password manager for teams relying on Git and gpg. Manages secrets in encrypted files and repositories.
Keyscope - An open source key and secret workflow tool (validation, invalidation, etc.) built in Rust.
Securely store, rotate and audit secrets.
Encrypt the values of keys stored within YAML, JSON, ENV, INI and BINARY files, leaving the file structure readable.
A secrets management tool for developers - never leave your command line for secrets.
Secrets Scanning
Scans commits, commit messages and merges for secrets. Native support for AWS secret patterns, but can be configured to support other patterns.
An aptly named module for (surprise, surprise) detecting secrets within a code base.
Gitleaks - A SAST tool for detecting hardcoded secrets such as passwords, API keys and tokens in git repositories.
Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda.
Searches through git repositories for secrets, digging deep into commit history and branches.
Multi-Language Support
Microsoft - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages.
Eldar Marcussen - Grep source code for potential security flaws with custom or pre-configured regex signatures.
Hawkeyesec - Modularised CLI tool for project security, vulnerability and general risk highlighting.
C / C++
Configuration Files
Java
PHP
Phan - Broad static analysis for PHP applications with some support for security scanning features.
Floe - PHP static analysis with rules for PHP, Drupal 7 and PHP-related CVEs.
Design Security - Static analysis for PHP source code.
Ruby
Supply Chain Security
StepSecurity - Installs a security agent on the GitHub-hosted runner (an Ubuntu VM) to prevent exfiltration of credentials, detect compromised dependencies and build tools, and detect tampering with source code during the build.
SCAR - A browser extension that helps developers evaluate open source packages before picking them.
Spectral - Verifies scripts and executables to mitigate supply chain attacks in CI and other systems, such as the 2021 Codecov Bash Uploader compromise.
sigstore - A set of free, open source tools for signing, verifying and checking the provenance of software artifacts: Fulcio issues short-lived signing certificates bound to an OIDC identity, Cosign signs and verifies container images and other artifacts, and Rekor records the signatures in a public transparency log.
Anchore - A CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems.
Related Lists
Practical DevSecOps - A curated list of threat modeling resources.
Matthias Endler - A collection of dynamic analysis tools and code quality checkers.
A curated list of solutions, tools and resources for Platform Engineering.
Matthias Endler - A collection of static analysis tools and code quality checkers.