Professional Documents
Culture Documents
Ultimate DevSecOps Library 1706607714
Ultimate DevSecOps Library 1706607714
This library contains list of tools and methodologies accompanied with resources. The main goal is to
provide to the engineers a guide through opensource DevSecOps tooling. This repository covers only
cyber security in the cloud and the DevSecOps scope.
Table of Contents
Definition
Tooling
Precommit and threat modeling
SAST
DAST
Orchestration
Supply chain and dependencies
Infrastructure as code
Containers security
Kubernetes
Cloud
Chaos engineering
Policy as code
Methodologies
Other
License
https://md2pdf.netlify.app 1/27
1/30/24, 8:24 AM Ultimate DevSecOps library
What is DevSecOps
DevSecOps focuses on security automation, testing and enforcement during DevOps - Release - SDLC
cycles. The whole meaning behind this methodology is connecting together Development, Security
and Operations. DevSecOps is methodology providing different methods, techniques and processes
backed mainly with tooling focusing on developer / security experience.
DevSecOps takes care that security is part of every stage of DevOps loop - Plan, Code, Build, Test,
Release, Deploy, Operate, Monitor.
Various definitions:
https://www.redhat.com/en/topics/devops/what-is-devsecops
https://www.ibm.com/cloud/learn/devsecops
https://snyk.io/series/devsecops/
https://www.synopsys.com/glossary/what-is-devsecops.html
https://spacelift.io/blog/what-is-devsecops
Tooling
Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based
on the existing code annotations.
secrets to a git
repository
Searchers secrets in
git-hound https://github.com/tillson/git-hound S TA R S 1.1K
git
Security
goSDL https://github.com/slackhq/goSDL Development S TA R S 513
Lifecycle checklist
https://md2pdf.netlify.app 2/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Threat modeling as
ThreatPlaybook https://github.com/we45/ThreatPlaybook S TA R S 265
code
OWASP Threat
Threat Dragon https://github.com/OWASP/threat-dragon S TA R S 745
modeling tool
Threat modeling as
threatspec https://github.com/threatspec/threatspec S TA R S 297
code
A Pythonic
pytm https://github.com/izar/pytm framework for S TA R S 808
threat modeling
A Go framework for
Threagile https://github.com/Threagile/threagile S TA R S 530
threat modeling
A language to
create cyber threat
MAL-lang https://mal-lang.org/#what modeling systems S TA R S 22
for specific
domains
Microsoft https://docs.microsoft.com/en-
Microsoft threat
Threat us/azure/security/develop/threat- S TA R S 163
modeling tool
modeling tool modeling-tool
A tool to detect
and prevent secrets
Talisman https://github.com/thoughtworks/talisman S TA R S 1.8K
from getting
checked in
The SEDATED®
Project (Sensitive
Enterprise Data
Analyzer To
Eliminate
Disclosure) focuses
SEDATED https://github.com/OWASP/SEDATED S TA R S 108
on preventing
sensitive data such
as user credentials
and tokens from
being pushed to
Git.
https://md2pdf.netlify.app 3/27
1/30/24, 8:24 AM Ultimate DevSecOps library
DevSkim is a
framework of IDE
extensions and
DevSkim https://github.com/microsoft/DevSkim S TA R S 863
language analyzers
that provide inline
security analysis
Detects secrets in
detect-secrets https://github.com/Yelp/detect-secrets S TA R S 3.3K
your codebase
A Pluggable
tflint https://github.com/terraform-linters/tflint S TA R S 4.4K
Terraform Linter
Secrets management
Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of
passwords, certificates, configuration values and other types of secrets.
Gitleaks is a scanning
GitLeaks https://github.com/zricethezav/gitleaks tool for detecting S TA R S 15K
hardcoded secrets
GitGuardian shield
(ggshield) is a CLI
application that runs in
your local environment
ggshield https://github.com/gitguardian/ggshield or in a CI environment S TA R S 1.5K
https://md2pdf.netlify.app 4/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Vault management
SOPS Operations
AWS
secrets https://github.com/marketplace/actions/aws- AWS secrets manager S TA R S 62
public repositories on
Github
hunt
GitHub
in a development
environment
passwords used by
other services
Encryption/decryption
Ansible
Ansible vault docs utility for Ansible data S TA R S 328
vault
files
https://md2pdf.netlify.app 5/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Dependency security testing and analysis is very important part of discovering supply chain attacks.
SBOM creation and following dependency scanning (Software composition analysis) is critical part of
continuous integration (CI). Data series and data trends tracking should be part of CI tooling. You
need to know what you produce and what you consume in context of libraries and packages.
CycloneDX
CycloneDX https://github.com/orgs/CycloneDX/repositories format for S TA R S 2
SBOM
Generates
CycloneDX
SBOM,
supports
cdxgen https://github.com/AppThreat/cdxgen S TA R S 3
many
languages
and package
managers.
SPDX format
for SBOM -
SPDX https://github.com/spdx/spdx-spec Software S TA R S 2
Package Data
Exchange
Snyk scans
and monitors
Snyk https://github.com/snyk/snyk your projects S TA R S 4
for security
vulnerabilities
Security
vulncost https://github.com/snyk/vulncost Scanner for S TA R S 1
VS Code
Combobulator related
attacks
detection and
prevention
through
heuristics and
insight engine
(support
multiple
https://md2pdf.netlify.app 6/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Dependency
https://github.com/DependencyTrack/dependency- security
DependencyTrack S TA R S 2
track tracking
platform
Simple
dependency
DependencyCheck https://github.com/jeremylong/DependencyCheck security S TA R S 5
scanner good
for CI
Helps
developers to
detect the use
Retire.js https://github.com/retirejs/retire.js/ of JS-library S TA R S 3
versions with
known
vulnerabilities
Check
PHP security https://github.com/fabpot/local-php-security- vulnerabilities
S TA R S 1
Patch-level
bundler-audit https://github.com/rubysec/bundler-audit verification S TA R S 2
for bundler
Dependency
Scanning
https://gitlab.com/gitlab-org/security-
gemnasium Analyzer
products/analyzers/gemnasium
based on
Gemnasium
Automated
dependency
updates built
Dependabot https://github.com/dependabot/dependabot-core S TA R S 3
into GitHub
providing
security alerts
https://md2pdf.netlify.app 7/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Automated
dependency
updates,
Renovatebot https://github.com/renovatebot/renovate patches multi- S TA R S 1
platform and
multi-
language
Check for
outdated,
npm-check https://www.npmjs.com/package/npm-check incorrect, and S TA R S 6
unused
dependencies.
Checks for
several
security
health metrics
on open
source
libraries and
Security
https://securityscorecards.dev provides a S TA R S 3
Scorecards
score (0-10)
to be
considered in
the decision
making of
what libraries
to use.
container
images (and
filesystems)
https://md2pdf.netlify.app 8/27
1/30/24, 8:24 AM Ultimate DevSecOps library
and jobs in pipeline steps. Integrity checks must be stored out of the system and in ideal case several
validation runs with comparison of integrity hashes / or attestation must be performed.
An in-toto attestation is
https://github.com/in-
in-toto authenticated metadata about S TA R S 174
toto/attestation/tree/v0.1.0/spec
one or more software artifacts
Software Artifacts
Kubernetes apps
SAST
Static code review tools working with source code and looking for known patterns and relationships
of methods, variables, classes and libraries. SAST works with the raw code and usually not with build
packages.
Brakeman is a
static analysis tool
which checks
Brakeman https://github.com/presidentbeef/brakeman Ruby on Rails S TA R S 6.8K
applications for
security
vulnerabilities
Hi-Quality Open
Semgrep https://semgrep.dev/ source, works on S TA R S 9.3K
17+ languages
Python specific
Bandit https://github.com/PyCQA/bandit S TA R S 5.8K
SAST tool
https://md2pdf.netlify.app 9/27
1/30/24, 8:24 AM Ultimate DevSecOps library
based pattern
matcher and
semantic aware
semgrep
NodeJs SAST
nodejsscan https://github.com/ajinabraham/nodejsscan S TA R S 2.3K
The SpotBugs
plugin for security
FindSecurityBugs https://find-sec-bugs.github.io/ S TA R S 2.2K
Detect security
issues in code
SonarQube review with Static
https://github.com/SonarSource/sonarqube S TA R S 8.4K
community Application
Security Testing
(SAST)
Inspects source
code for security
gosec https://github.com/securego/gosec problems by S TA R S 7.3K
scanning the Go
AST.
Checks Python
dependencies for
Safety https://github.com/pyupio/safety S TA R S 1.6K
known security
vulnerabilities .
Note: Semgrep is free CLI tool, however some rulesets (https://semgrep.dev/r) are having various
licences, some can be free to use and can be commercial.
https://md2pdf.netlify.app 10/27
1/30/24, 8:24 AM Ultimate DevSecOps library
DAST
Dynamic application security testing (DAST) is a type of application testing (in most cases web) that
checks your application from the outside by active communication and analysis of the responses
based on injected inputs. DAST tools rely on inputs and outputs to operate. A DAST tool uses these to
check for security problems while the software is actually running and is actively deployed on the
server (or serverless function).
scanning tool
Template based
Nuclei https://github.com/projectdiscovery/nuclei S TA R S 16K
OSS-Fuzz: Continuous
oss-fuzz https://github.com/google/oss-fuzz Fuzzing for Open S TA R S 9.4K
Source Software
scanner
Skipfish is an active
web application
skipfish https://code.google.com/archive/p/skipfish/ S TA R S 639
security
reconnaissance tool
Toolchain for
continuous
scanning of
SecureCodeBox https://github.com/secureCodeBox/secureCodeBox S TA R S 668
applications
and
infrastructure
https://md2pdf.netlify.app 11/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Open Source
Security
OpenSCAP https://github.com/OpenSCAP/openscap S TA R S 1.2K
Compliance
Solution
ThreatMapper
hunts for
vulnerabilities
in your
production
platforms,
ThreatMapper https://github.com/deepfence/ThreatMapper S TA R S 4.5K
and ranks
these
vulnerabilities
based on
their risk-of-
exploit
Kubernetes
A tool for
scanning
KubiScan https://github.com/cyberark/KubiScan Kubernetes S TA R S 1.2K
Audit Kubernetes
clusters for
Kubeaudit https://github.com/Shopify/kubeaudit S TA R S 1.8K
various different
security concerns
according to the
NSA-CISA and
the MITRE
ATT&CK®.
https://md2pdf.netlify.app 12/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Security risk
analysis for
kubesec https://github.com/controlplaneio/kubesec S TA R S 1.1K
Kubernetes
resources
Kubernetes
kube-bench https://github.com/aquasecurity/kube-bench benchmarking S TA R S 6.5K
tool
Static code
analysis of your
kube-score https://github.com/zegl/kube-score S TA R S 2.5K
Kubernetes
object definitions
Active scanner
kube-hunter https://github.com/aquasecurity/kube-hunter S TA R S 4.5K
Calico is an open
source
networking and
Calico https://github.com/projectcalico/calico S TA R S 5.3K
network security
solution for
containers
Simple
Kubernetes RBAC
Krane https://github.com/appvia/krane S TA R S 648
static analysis
tool
Starboard
inegrates security
Starboard https://github.com/aquasecurity/starboard tools by outputs S TA R S 1.3K
into Kubernetes
CRDs
Open policy
https://github.com/open-policy-
Gatekeeper agent gatekeeper S TA R S 3.4K
agent/gatekeeper
for k8s
Collection of
Inspektor- tools (or gadgets)
https://github.com/kinvolk/inspektor-gadget S TA R S 1.7K
https://md2pdf.netlify.app 13/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Kubernetes
A simple-yet-
powerful API
traffic viewer for
Kubernetes
enabling you to
mizu-api-
view all API
traffic- https://github.com/up9inc/mizu Stars 10k
communication
viewer
between
microservices to
help your debug
and troubleshoot
regressions.
SUSE.
A multi-tenancy
and policy-based
Capsule https://github.com/clastix/capsule Stars 1.4k
framework for
Kubernetes
Badrobot is a
Kubernetes
Badrobot https://github.com/controlplaneio/badrobot Stars 208
Operator audit
tool
assessment tool
mesh based on
Envoy. Engage
https://md2pdf.netlify.app 14/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Visualize
Kubernetes
inventory and
Kubernetes https://github.com/turbot/steampipe-mod-
permissions Stars 24
Insights kubernetes-insights
through
relationship
graphs.
Check
compliance of
Kubernetes https://github.com/turbot/steampipe-mod- Kubernetes
Stars 30
Containers
Trusted cloud
Harbor https://github.com/goharbor/harbor native registry S TA R S 22K
project
Centralized service
for inspection,
Anchore https://github.com/anchore/anchore-engine analysis, and S TA R S 1.6K
certification of
container images
Docker vulnerability
Clair https://github.com/quay/clair S TA R S 22K
scanner
https://md2pdf.netlify.app 15/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Docker
https://github.com/docker/docker-bench-
Docker bench benchmarking S TA R S 22K
security
against CIS
Container runtime
Falco https://github.com/falcosecurity/falco S TA R S 6.6K
protection
Comprehensive
scanner for
Trivy https://github.com/aquasecurity/trivy S TA R S 20K
vulnerabilities in
container images
Updates the
running version of
watchtower https://github.com/containrrr/watchtower S TA R S 16K
your containerized
app
Vulnerability
scanner for
Grype https://github.com/anchore/grype container images S TA R S 7.1K
(and also
filesystems).
Multi-Cloud
Detection of
Cloudsploit https://github.com/aquasecurity/cloudsploit security risks in S TA R S 3K
cloud infrastructure
NCCgroup
ScoutSuite https://github.com/nccgroup/ScoutSuite mutlicloud S TA R S 6K
scanning tool
https://md2pdf.netlify.app 16/27
1/30/24, 8:24 AM Ultimate DevSecOps library
GraphQL API +
Security for AWS,
CloudGraph https://github.com/cloudgraphdev/cli S TA R S 861
Instantly query
your cloud, code,
logs & more with
SQL. Build on
Steampipe https://github.com/turbot/steampipe thousands of Stars 6.1k
open-source
benchmarks &
dashboards for
security & insights.
AWS
AWS specific DevSecOps tooling. Tools here cover different areas like inventory management,
misconfiguration scanning or IAM roles and policies review.
Dragoneye Indeni
Dragoneye https://github.com/indeni/dragoneye
AWS scanner
S TA R S REPO NOT FOUND
Prowler is a
command line tool
that helps with
AWS security
Prowler https://github.com/toniblyx/prowler S TA R S 9.1K
assessment,
auditing,
hardening and
incident response.
Helps to discover
all AWS resources
aws-inventory https://github.com/nccgroup/aws-inventory S TA R S 689
created in an
account
(PacBot)
dashboard for
https://md2pdf.netlify.app 17/27
1/30/24, 8:24 AM Ultimate DevSecOps library
IAM analysis
Cloudsplaining https://github.com/salesforce/cloudsplaining S TA R S 1.9K
framework
Continuously
monitor your AWS
ElectricEye https://github.com/jonrau1/ElectricEye S TA R S 830
services for
configurations
CloudMapper
helps you analyze
Cloudmapper https://github.com/duo-labs/cloudmapper your Amazon Web S TA R S 5.8K
Services (AWS)
environments
Consolidates AWS
infrastructure
assets and the
cartography https://github.com/lyft/cartography S TA R S 2.8K
relationships
between them in
an intuitive graph
Policy Generator
Terraformer
AirBnB serverless,
real-time data
analysis framework
StreamAlert https://github.com/airbnb/streamalert S TA R S 2.8K
which empowers
you to ingest,
analyze, and alert
AirBnB serverless,
real-time data
analysis framework
CloudQuery https://github.com/cloudquery/cloudquery/ S TA R S 5.4K
which empowers
you to ingest,
analyze, and alert
S3 buckets and
https://md2pdf.netlify.app 18/27
1/30/24, 8:24 AM Ultimate DevSecOps library
authenticate to a
Kubernetes cluster
Deploy, update,
and stage your
AWS Firewall
Globaldatanet FMS automation WAFs while S TA R S 205
factory
managing them
centrally via FMS
Parliament is an
Parliment Parliment AWS IAM linting S TA R S 972
library
Adds informative
and consistent tags
across
infrastructure-as-
Yor Yor S TA R S 748
code frameworks
such as Terraform,
CloudFormation,
and Serverless
Visualize AWS
inventory and
https://github.com/turbot/steampipe-mod- permissions
AWS Insights Stars 84
aws-insights through
relationship
graphs.
https://md2pdf.netlify.app 19/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Complex security
https://github.com/forseti-
Forseti orchestration and S TA R S 1.3K
security/forseti-security
scanning platform
Check compliance of
GCP https://github.com/turbot/steampipe-
GCP configurations to Stars 28
Compliance mod-gcp-compliance
security best practices.
Microsoft Azure
Azure specific DevSecOps tooling. Tools here cover different areas like inventory management,
misconfiguration scanning or IAM roles and policies review.
Visualize Azure
Azure https://github.com/turbot/steampipe- inventory and
Stars 8
Check compliance of
Azure https://github.com/turbot/steampipe-
Azure configurations to Stars 49
Compliance mod-azure-compliance
security best practices.
Policy as code
https://md2pdf.netlify.app 20/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Policy as code is the idea of writing code in a high-level language to manage and automate policies.
By representing policies as code in text files, proven software development best practices can be
adopted such as version control, automated testing, and automated deployment. (Source:
https://docs.hashicorp.com/sentinel/concepts/policy-as-code)
General-purpose policy
Open engine that enables unified,
https://github.com/open-policy-
Policy context-aware policy S TA R S 8.9K
agent/opa
agent enforcement across the entire
stack
Cloud
https://github.com/aws- Cloud Formation policy as
Formation S TA R S 1.2K
cloudformation/cloudformation-guard code
guard
https://md2pdf.netlify.app 21/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Chaos engineering
Chaos Engineering is the discipline of experimenting on a system in order to build confidence in the
system’s capability to withstand turbulent conditions in production.
It is a cloud-native Chaos
chaos- https://github.com/chaos-mesh/chaos- Engineering platform that
S TA R S 6.2K
Chaos Monkey is
responsible for randomly
terminating instances in
Chaos
https://netflix.github.io/chaosmonkey/ production to ensure that S TA R S 14K
monkey
engineers implement their
services to be resilient to
instance failures.
failures.
https://md2pdf.netlify.app 22/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Litmus is an end-to-end
chaos engineering platform
for cloud native
Litmus infrastructure and
https://litmuschaos.io/ S TA R S 4.1K
python
some open source libraries
nuke
account
Checkmarx security
KICS https://github.com/Checkmarx/kics testing opensource for S TA R S 1.8K
IaC
Checkov is a static
Checkov https://github.com/bridgecrewio/checkov code analysis tool for S TA R S 6.3K
infrastructure-as-code
https://md2pdf.netlify.app 23/27
1/30/24, 8:24 AM Ultimate DevSecOps library
cfsec scans
CloudFormation
cfsec https://github.com/aquasecurity/cfsec S TA R S 59
CloudFormation
Check compliance of
Terraform
https://github.com/turbot/steampipe-mod- Terraform
Compliance Stars 23
Check compliance of
Terraform Terraform
https://github.com/turbot/steampipe-mod-
Compliance configurations to Stars 6
terraform-azure-compliance
for Azure Azure security best
practices.
Check compliance of
Terraform
https://github.com/turbot/steampipe-mod- Terraform
Compliance Stars 2
Check compliance of
Terraform
https://github.com/turbot/steampipe-mod- Terraform
Compliance Stars 2
Orchestration
Event driven security help to drive, automate and execute tasks for security processes. The tools here
and not dedicated security tools but are helping to automate and orchestrate security tasks or are
part of most modern security automation frameworks or tools.
https://md2pdf.netlify.app 24/27
1/30/24, 8:24 AM Ultimate DevSecOps library
bpm-platform automation
Security orchestration
https://github.com/DefectDojo/django-
DefectDojo and vulnerability S TA R S 3.3K
DefectDojo
management platform
and centralized
information
https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Referenc
e%20Design%20v1.0_Public%20Release.pdf
https://dodcio.defense.gov/Portals/0/Documents/Library/DoDEnterpriseDevSecOpsStrategyGuid
e.pdf
https://csrc.nist.gov/publications/detail/sp/800-204c/draft
https://owasp.org/www-project-devsecops-maturity-model/
https://www.sans.org/posters/cloud-security-devsecops-best-practices/
https://d1.awsstatic.com/whitepapers/aws-development-test-environments.pdf
https://d1.awsstatic.com/whitepapers/AWS_DevOps.pdf
https://d1.awsstatic.com/whitepapers/AWS_Blue_Green_Deployments.pdf
https://d1.awsstatic.com/whitepapers/DevOps/import-windows-server-to-amazon-ec2.pdf
https://d1.awsstatic.com/whitepapers/DevOps/Jenkins_on_AWS.pdf
https://d1.awsstatic.com/whitepapers/DevOps/practicing-continuous-integration-continuous-
delivery-on-AWS.pdf
https://d1.awsstatic.com/whitepapers/DevOps/infrastructure-as-code.pdf
https://md2pdf.netlify.app 25/27
1/30/24, 8:24 AM Ultimate DevSecOps library
https://d1.awsstatic.com/whitepapers/microservices-on-aws.pdf
https://d1.awsstatic.com/whitepapers/DevOps/running-containerized-microservices-on-aws.pdf
https://d1.awsstatic.com/Marketplace/solutions-center/downloads/AppSec-DevSecOps-AWS-
SANS-eBook.pdf (AWS + SANS whitepaper)
AWS blog:
https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-
open-source-sca-sast-and-dast-tools/
https://aws.amazon.com/blogs/devops/building-an-end-to-end-kubernetes-based-devsecops-
software-factory-on-aws/
Microsoft whitepapers:
https://azure.microsoft.com/mediahandler/files/resourcefiles/6-tips-to-integrate-security-into-
your-devops-practices/DevSecOps_Report_Tips_D6_fm.pdf
https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-azure
https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-github
GCP whitepapers:
https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security
https://cloud.google.com/security/overview/whitepaper
https://services.google.com/fh/files/misc/security_whitepapers_march2018.pdf
https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security
https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf
Other
Here are the other links and resources that do not fit in any previous category. They can meet
multiple categories in time or help you in your learning.
https://md2pdf.netlify.app 26/27
1/30/24, 8:24 AM Ultimate DevSecOps library
Mobile
https://github.com/MobSF/Mobile- SAST, DAST and pentesting tool
security S TA R S 16K
Training - https://www.practical-devsecops.com/devsecops-university/
License
MIT license
https://md2pdf.netlify.app 27/27