{"slug": "TaptuIT--awesome-devsecops", "title": "Devsecops", "description": "Curating the best DevSecOps resources and tooling.", "github_url": "https://github.com/TaptuIT/awesome-devsecops", "stars": "1.3K", "tag": "Security", "entry_count": 158, "subcategory_count": 22, "subcategories": [{"name": "General", "parent": "", "entries": [{"name": "Resources", "url": "#resources", "description": ""}, {"name": "Tools", "url": "#tools", "description": ""}, {"name": "Related Lists", "url": "#related-lists", "description": ""}]}, {"name": "Articles", "parent": "Resources", "entries": [{"name": "Our Approach to Employee Security Training", "url": "https://www.pagerduty.com/blog/security-training-at-pagerduty/", "description": "*Pager Duty* - Guidelines for running security training within an organisation."}, {"name": "DevSecOps: Making Security Central To Your DevOps Pipeline", "url": "https://spacelift.io/blog/what-is-devsecops", "description": "*Spacelift* - An article explaining what DevSecOps aims to achieve, why it\u2019s advantageous, and what the DevSecOps lifecycle looks like."}]}, {"name": "Books", "parent": "Resources", "entries": [{"name": "Alice and Bob Learn Application Security", "url": "https://www.wiley.com/en-gb/Alice+and+Bob+Learn+Application+Security-p-9781119687405", "description": "*Tanya Janca* - An accessible and thorough resource for anyone seeking to incorporate, from the beginning of the System Development Life Cycle, best security practices in software development."}]}, {"name": "Communities", "parent": "Resources", "entries": [{"name": "DevSecCon", "url": "https://www.devseccon.com/", "description": "*Snyk* - A community that runs conferences, a blog, a podcast and a Discord dedicated to DevSecOps."}, {"name": "TAG Security", "url": "https://tag-security.cncf.io/", "description": "*Cloud Native Computing Foundation* - TAG Security facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for 
operators, administrators, developers, and end-users across the cloud native ecosystem."}]}, {"name": "Conferences", "parent": "Resources", "entries": [{"name": "AppSec Day", "url": "https://appsecday.io/", "description": "*OWASP* - An Australian application security conference run by OWASP."}, {"name": "DevSecCon", "url": "https://www.devseccon.com/", "description": "*Snyk* - A network of DevSecOps conferences run by Snyk."}]}, {"name": "Newsletters", "parent": "Resources", "entries": [{"name": "Shift Security Left", "url": "https://shift-security-left.curated.co/", "description": "*Cossack Labs* - A free biweekly newsletter for security-aware developers covering application security, secure architecture, DevSecOps, cryptography, incidents, etc. that can be useful for builders and (to a lesser extent) for breakers."}]}, {"name": "Podcasts", "parent": "Resources", "entries": [{"name": "Absolute AppSec", "url": "https://absoluteappsec.com/", "description": "*Seth Law & Ken Johnson* - Discussions about current events and specific topics related to application security."}, {"name": "Application Security Podcast", "url": "https://podcast.securityjourney.com/", "description": "*Security Journey* - Interviews with industry experts about specific application security concepts."}, {"name": "BeerSecOps", "url": "https://blog.aquasec.com/devsecops-podcasts", "description": "*Aqua Security* - Breaking down the silos of Dev, Sec and Ops, discussing topics that span these subject areas."}, {"name": "DevSecOps Podcast Series", "url": "https://soundcloud.com/owasp-podcast", "description": "*OWASP* - Discussions with thought leaders and practitioners to integrate security into the development lifecycle."}, {"name": "The Secure Developer", "url": "https://www.mydevsecops.io/the-secure-developer-podcast", "description": "*Snyk* - Discussion about security tools and best practices for software developers."}]}, {"name": "Secure Development Guidelines", "parent": "Resources", 
"entries": [{"name": "Application Security Verification Standard", "url": "https://owasp.org/www-project-application-security-verification-standard/", "description": "*OWASP* - A framework of security requirements and controls to help developers design and develop secure web applications."}, {"name": "Coding Standards", "url": "https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards", "description": "*CERT* - A collection of secure development standards for C, C++, Java and Android development."}, {"name": "Fundamental Practices for Secure Software Development", "url": "https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf", "description": "*SAFECode* - Guidelines for implementing key secure development practices throughout the SDLC."}, {"name": "Proactive Controls", "url": "https://owasp.org/www-project-proactive-controls/", "description": "*OWASP* - OWASP's list of top ten controls that should be implemented in every software development project."}, {"name": "Secure Coding Guidelines", "url": "https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines", "description": "*Mozilla* - A guideline containing specific secure development standards for secure web application development."}, {"name": "Secure Coding Practices Quick Reference Guide", "url": "https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf", "description": "*OWASP* - A checklist to verify that secure development standards have been followed."}]}, {"name": "Secure Development Lifecycle Framework", "parent": "Resources", "entries": [{"name": "Building Security In Maturity Model (BSIMM)", "url": "https://www.bsimm.com/framework.html", "description": "*Synopsys* - A framework for software security created by observing and analysing data from leading software security initiatives."}, {"name": "Secure Development Lifecycle", "url": 
"https://www.microsoft.com/en-us/securityengineering/sdl/practices", "description": "*Microsoft* - A collection of tools and practices that serve as a framework for the secure development lifecycle."}, {"name": "Secure Software Development Framework", "url": "https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf", "description": "*NIST* - A framework consisting of practices, tasks and implementation examples for a secure development lifecycle."}, {"name": "Software Assurance Maturity Model", "url": "https://github.com/OWASP/samm", "description": "*OWASP* - A framework to measure and improve the maturity of the secure development lifecycle.", "stars": "396"}]}, {"name": "Toolchains", "parent": "Resources", "entries": [{"name": "Cloud Security and DevSecOps Best Practices *and* Securing Web Application Technologies (SWAT) Checklist", "url": "https://www.sans.org/posters/cloud-security-devsecops-best-practices/", "description": "*SANS* - A poster containing the Securing Web Application Technologies (SWAT) Checklist, SANS Cloud Security Curriculum, Cloud Security Top 10, Top 12 Kubernetes Threats, and Secure DevOps Toolchain."}, {"name": "Periodic Table of DevOps Tools", "url": "https://xebialabs.com/periodic-table-of-devops-tools/", "description": "*XebiaLabs* - A collection of DevSecOps tooling categorised by tool functionality."}]}, {"name": "Training", "parent": "Resources", "entries": [{"name": "Application Security Education", "url": "https://github.com/duo-labs/appsec-education", "description": "*Duo Security* - Training materials created by the Duo application security team, including introductory and advanced training presentations and hands-on labs.", "stars": "68"}, {"name": "Cybrary", "url": "https://www.cybrary.it/", "description": "*Cybrary* - Subscription based online courses with dedicated categories for cybersecurity 
and DevSecOps."}, {"name": "PentesterLab", "url": "https://pentesterlab.com/", "description": "*PentesterLab* - Hands-on labs to understand and exploit simple and advanced web vulnerabilities."}, {"name": "Practical DevSecOps", "url": "https://www.practical-devsecops.com", "description": "*Practical DevSecOps* - Learn DevSecOps concepts, tools, and techniques from industry experts using state-of-the-art browser-based labs."}, {"name": "SafeStack", "url": "https://academy.safestack.io/", "description": "*SafeStack* - Security training for software development teams, designed to be accessible to individuals and small teams as well as larger organisations."}, {"name": "Secure Code Warrior", "url": "https://www.securecodewarrior.com/", "description": "*Secure Code Warrior* - Gamified and hands-on secure development training with support for courses, assessments and tournaments."}, {"name": "SecureFlag", "url": "https://www.secureflag.com/platform.html", "description": "*OWASP* - Hands-on secure coding training for Developers and Build/Release Engineers."}, {"name": "Security Training for Engineers", "url": "https://sudo.pagerduty.com/for_engineers/", "description": "*Pager Duty* - A presentation created and open-sourced by PagerDuty to provide security training to software engineers."}, {"name": "Security Training for Everyone", "url": "https://sudo.pagerduty.com/for_everyone/", "description": "*Pager Duty* - A presentation created and open-sourced by PagerDuty to provide security training to all employees."}, {"name": "Semgrep Academy", "url": "https://academy.semgrep.dev/", "description": "*Semgrep* - Free, on-demand courses covering topics including API security, secure coding and application security."}, {"name": "Web Security Academy", "url": "https://portswigger.net/web-security", "description": "*PortSwigger* - A set of materials and labs to learn and exploit common web vulnerabilities."}, {"name": "WeHackPurple", "url": 
"https://wehackpurple.com/", "description": "*WeHackPurple* - Online courses that teach application security theory and hands-on technical lessons."}]}, {"name": "Wikis", "parent": "Resources", "entries": [{"name": "DevSecOps Hub", "url": "https://snyk.io/devsecops/", "description": "*Snyk* - Introduction to key DevSecOps concepts, processes and technologies."}, {"name": "SecureFlag Knowledge Base", "url": "https://knowledge-base.secureflag.com/", "description": "*OWASP* - A repository of information about software vulnerabilities and how to prevent them."}]}, {"name": "Dependency Management", "parent": "Tools", "entries": [{"name": "Deepfence ThreatMapper", "url": "https://github.com/deepfence/ThreatMapper", "description": "*Deepfence* - Apache 2.0 licensed runtime vulnerability scanner for Kubernetes, virtual machines and serverless workloads.", "stars": "4.7k"}, {"name": "Dependabot", "url": "https://dependabot.com/", "description": "*GitHub* - Automatically scan GitHub repositories for vulnerabilities and create pull requests to merge in patched dependencies."}, {"name": "Dependency-Check", "url": "https://owasp.org/www-project-dependency-check/", "description": "*OWASP* - Scans dependencies for publicly disclosed vulnerabilities using the CLI or build server plugins."}, {"name": "Dependency-Track", "url": "https://dependencytrack.org/", "description": "*OWASP* - Monitor the volume and severity of vulnerable dependencies across multiple projects over time."}, {"name": "JFrog XRay", "url": "https://jfrog.com/xray/", "description": "*JFrog* - Security and compliance analysis for artifacts stored in JFrog Artifactory."}, {"name": "NPM Audit", "url": "https://docs.npmjs.com/cli/audit", "description": "*NPM* - Vulnerable package auditing for Node.js packages, built into the npm CLI."}, {"name": "Renovate", "url": "https://renovate.whitesourcesoftware.com/", "description": "*WhiteSource* - Automatically monitor and update software dependencies for multiple frameworks and languages using a CLI or 
git repository apps."}, {"name": "Requires.io", "url": "https://requires.io/", "description": "*Olivier Mansion & Alexis Tabary* - Automated vulnerable dependency monitoring and upgrades for Python projects."}, {"name": "Snyk Open Source", "url": "https://snyk.io/product/open-source-security-management/", "description": "*Snyk* - Automated vulnerable dependency monitoring and upgrades using Snyk's dedicated vulnerability database."}]}, {"name": "Dynamic Analysis", "parent": "Tools", "entries": [{"name": "Automatic API Attack Tool", "url": "https://github.com/imperva/automatic-api-attack-tool", "description": "*Imperva* - Perform automated security scanning against an API based on an API specification.", "stars": "443"}, {"name": "BurpSuite Enterprise Edition", "url": "https://portswigger.net/burp/enterprise", "description": "*PortSwigger* - BurpSuite's web application vulnerability scanner used widely by penetration testers, modified with CI/CD integration and continuous monitoring over multiple web applications."}, {"name": "Gauntlt", "url": "https://github.com/gauntlt/gauntlt", "description": "*Gauntlt* - A Behaviour Driven Development framework to run security scans using common security tools and test output, defined using Gherkin syntax.", "stars": "977"}, {"name": "Netz", "url": "https://github.com/spectralops/netz", "description": "*Spectral* - Discover internet-wide misconfigurations, using zgrab2 and others.", "stars": "380"}, {"name": "RESTler", "url": "https://github.com/microsoft/restler-fuzzer", "description": "*Microsoft* - A stateful RESTful API scanner based on peer-reviewed research papers.", "stars": "2.5k"}, {"name": "SSL Labs Scan", "url": "https://github.com/ssllabs/ssllabs-scan", "description": "*SSL Labs* - Automated scanning for SSL / TLS configuration issues.", "stars": "1.7k"}, {"name": "Zed Attack Proxy (ZAP)", "url": "https://github.com/zaproxy/zaproxy", "description": "*OWASP* - An open-source web application vulnerability scanner, 
including an API for CI/CD integration.", "stars": "12k"}]}, {"name": "Infrastructure as Code Analysis", "parent": "Tools", "entries": [{"name": "Checkov", "url": "https://github.com/bridgecrewio/checkov", "description": "*Bridgecrew* - Scan Terraform, AWS CloudFormation and Kubernetes templates for insecure configuration.", "stars": "6.7k"}, {"name": "KICS", "url": "https://github.com/Checkmarx/kics", "description": "*Checkmarx* - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle.", "stars": "2k"}, {"name": "Spectral DeepConfig", "url": "https://spectralops.io/blog/spectral-launches-deepconfig-to-ensure-no-misconfiguration-at-all-layers-of-software/", "description": "*Spectral* - Find misconfiguration both in infrastructure as well as apps as early as commit time."}, {"name": "Terrascan", "url": "https://github.com/accurics/terrascan", "description": "*Accurics* - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.", "stars": "4.6k"}, {"name": "Cfn Nag", "url": "https://github.com/stelligent/cfn_nag", "description": "*Stelligent* - Scan AWS CloudFormation templates for insecure configuration.", "stars": "1.2k"}, {"name": "Clair", "url": "https://github.com/quay/clair", "description": "*Red Hat* - Scan App Container and Docker containers for publicly disclosed vulnerabilities.", "stars": "10k"}, {"name": "Dagda", "url": "https://github.com/eliasgranderubio/dagda/", "description": "*El\u00edas Grande* - Compares OS and software dependency versions installed in Docker containers with public vulnerability databases, and also performs virus scanning.", "stars": "1.1k"}, {"name": "Docker-Bench-Security", "url": "https://github.com/docker/docker-bench-security", "description": "*Docker* - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in 
production.", "stars": "9k"}, {"name": "Grype", "url": "https://github.com/anchore/grype/", "description": "*Anchore* - An easy-to-integrate open source vulnerability scanning tool for container images and filesystems.", "stars": "8.2k"}, {"name": "Hadolint", "url": "https://github.com/hadolint/hadolint", "description": "*Hadolint* - Checks a Dockerfile against known rules and validates inline bash code in RUN statements.", "stars": "10k"}, {"name": "Snyk Container", "url": "https://snyk.io/product/container-vulnerability-management/", "description": "*Snyk* - Scan Docker and Kubernetes applications for security vulnerabilities during CI/CD or via continuous monitoring."}, {"name": "Trivy", "url": "https://github.com/aquasecurity/trivy", "description": "*Aqua Security* - Simple and comprehensive vulnerability scanner for containers.", "stars": "22k"}, {"name": "Regula", "url": "https://github.com/fugue/regula", "description": "*Fugue* - Evaluate Terraform infrastructure-as-code for potential security misconfigurations and compliance violations prior to deployment.", "stars": "942"}, {"name": "Terraform Compliance", "url": "https://terraform-compliance.com/", "description": "*terraform-compliance* - A lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code."}, {"name": "Tfsec", "url": "https://github.com/liamg/tfsec", "description": "*Liam Galvin* - Scan Terraform templates for security misconfiguration and noncompliance with AWS, Azure and GCP security best practice.", "stars": "6.6k"}, {"name": "Kubescape", "url": "https://kubescape.io/", "description": "*Cloud Native Computing Foundation* - An open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters."}, {"name": "Kube-Score", "url": "https://github.com/zegl/kube-score", "description": "*Gustav Westling* - Scan Kubernetes object definitions for security and performance misconfiguration.", 
"stars": "2.7k"}, {"name": "Kubectl Kubesec", "url": "https://github.com/controlplaneio/kubectl-kubesec", "description": "*ControlPlane* - Kubectl plugin for kubesec.io to perform security risk analysis of Kubernetes resources.", "stars": "505"}, {"name": "Ansible-Lint", "url": "https://github.com/ansible-community/ansible-lint", "description": "*Ansible Community* - Checks playbooks for practices and behaviour that could potentially be improved. As a community-backed project, ansible-lint supports only the last two major versions of Ansible.", "stars": "3.4k"}]}, {"name": "Intentionally Vulnerable Applications", "parent": "Tools", "entries": [{"name": "Bad SSL", "url": "https://github.com/chromium/badssl.com", "description": "*The Chromium Project* - A container running a number of web servers with poor SSL / TLS configuration. Useful for testing tooling.", "stars": "2.8k"}, {"name": "Cfngoat", "url": "https://github.com/bridgecrewio/cfngoat", "description": "*Bridgecrew* - CloudFormation templates for creating stacks of intentionally insecure services in AWS. Ideal for testing the CloudFormation Infrastructure as Code Analysis tools above.", "stars": "92"}, {"name": "CI/CD Goat", "url": "https://github.com/cider-security-research/cicd-goat", "description": "*Cider Security* - A deliberately vulnerable CI/CD environment. 
Learn CI/CD security through multiple challenges.", "stars": "1.9k"}, {"name": "Damn Vulnerable Web App", "url": "http://www.dvwa.co.uk/", "description": "*Ryan Dewhurst* - A web application that provides a safe environment to understand and exploit common web vulnerabilities."}, {"name": "Juice Shop", "url": "https://github.com/bkimminich/juice-shop", "description": "*OWASP* - A web application containing the OWASP Top 10 security vulnerabilities and more.", "stars": "9.8k"}, {"name": "Kubernetes Goat", "url": "https://github.com/madhuakula/kubernetes-goat", "description": "*Madhu Akula* - Intentionally vulnerable cluster environment to learn and practice Kubernetes security.", "stars": "4.1k"}, {"name": "NodeGoat", "url": "https://github.com/OWASP/NodeGoat", "description": "*OWASP* - A Node.js web application that demonstrates and provides ways to address common security vulnerabilities.", "stars": "1.8k"}, {"name": "Pentest-Ground", "url": "https://pentest-ground.com/", "description": "*Pentest-Tools.com* - Pentest-Ground is a free playground with deliberately vulnerable web applications and network services."}, {"name": "Terragoat", "url": "https://github.com/bridgecrewio/terragoat", "description": "*Bridgecrew* - Terraform templates for creating stacks of intentionally insecure services in AWS, Azure and GCP. 
Ideal for testing the Terraform Infrastructure as Code Analysis tools above.", "stars": "1.1k"}, {"name": "Vulnerable Web Apps Directory", "url": "https://owasp.org/www-project-vulnerable-web-applications-directory", "description": "*OWASP* - A collection of vulnerable web applications for learning purposes."}, {"name": "WrongSecrets", "url": "https://github.com/OWASP/wrongsecrets", "description": "*OWASP* - Vulnerable app with examples showing how to not use secrets", "stars": "1.2k"}]}, {"name": "Monitoring", "parent": "Tools", "entries": [{"name": "Csper", "url": "https://csper.io/report-uri", "description": "*Csper* - A set of Content Security Policy tools that can test policies, monitor CSP reports and provide metrics and alerts."}, {"name": "Streamdal", "url": "https://streamdal.com", "description": "*Streamdal* - Embed privacy controls in your application code to detect and monitor PII as it enters and leaves your systems, preventing it from reaching unintended databases, data streams, or pipelines."}]}, {"name": "Secrets Management", "parent": "Tools", "entries": [{"name": "Ansible Vault", "url": "https://docs.ansible.com/ansible/latest/user_guide/vault.html", "description": "*Ansible* - Securely store secrets within Ansible pipelines."}, {"name": "AWS Key Management Service (KMS)", "url": "https://aws.amazon.com/kms/", "description": "*Amazon AWS* - Create and manage cryptographic keys in AWS."}, {"name": "AWS Secrets Manager", "url": "https://aws.amazon.com/secrets-manager/", "description": "*Amazon AWS* - Securely store retrievable application secrets in AWS."}, {"name": "Azure Key Vault", "url": "https://azure.microsoft.com/en-au/services/key-vault/", "description": "*Microsoft Azure* - Securely store secrets within Azure."}, {"name": "BlackBox", "url": "https://github.com/StackExchange/blackbox", "description": "*StackExchange* - Encrypt credentials within your code repository.", "stars": "6.6k"}, {"name": "Chef Vault", "url": 
"https://github.com/chef/chef-vault", "description": "*Chef* - Securely store secrets within Chef.", "stars": "407"}, {"name": "CredStash", "url": "https://github.com/fugue/credstash", "description": "*Fugue* - Securely store secrets within AWS using KMS and DynamoDB.", "stars": "2.1k"}, {"name": "CyberArk Application Access Manager", "url": "https://www.cyberark.com/products/privileged-account-security-solution/application-access-manager/", "description": "*CyberArk* - Secrets management for applications including secret rotation and auditing."}, {"name": "Docker Secrets", "url": "https://docs.docker.com/engine/swarm/secrets/", "description": "*Docker* - Store and manage access to secrets within a Docker swarm."}, {"name": "Git Secrets", "url": "https://github.com/awslabs/git-secrets", "description": "*Amazon AWS* - Scan git repositories for secrets committed within code or commit messages.", "stars": "12k"}, {"name": "Gopass", "url": "https://github.com/gopasspw/gopass", "description": "*Gopass* - Password manager for teams relying on Git and gpg. Manages secrets in encrypted files and repositories.", "stars": "5.7k"}, {"name": "Google Cloud Key Management Service (KMS)", "url": "https://cloud.google.com/kms", "description": "*Google Cloud Platform* - Create and manage cryptographic keys in GCP."}, {"name": "HashiCorp Vault", "url": "https://www.vaultproject.io/", "description": "*HashiCorp* - Securely store secrets via UI, CLI or HTTP API."}, {"name": "Keyscope", "url": "https://github.com/SpectralOps/keyscope", "description": "*Spectral* - Keyscope is an open source key and secret workflow tool (validation, invalidation, etc.) 
built in Rust.", "stars": "381"}, {"name": "Pinterest Knox", "url": "https://github.com/pinterest/knox", "description": "*Pinterest* - Securely store, rotate and audit secrets.", "stars": "1.2k"}, {"name": "Secrets Operations (SOPS)", "url": "https://github.com/mozilla/sops", "description": "*Mozilla* - Encrypt the values stored within YAML, JSON, ENV, INI and BINARY files; the keys are left readable so the file structure stays reviewable.", "stars": "16k"}, {"name": "Teller", "url": "https://github.com/spectralops/teller", "description": "*Spectral* - A secrets management tool for developers - never leave your command line for secrets.", "stars": "2.6k"}]}, {"name": "Secrets Scanning", "parent": "Tools", "entries": [{"name": "CredScan", "url": "https://secdevtools.azurewebsites.net/helpcredscan.html", "description": "*Microsoft* - A credential scanning tool that can be run as a task in Azure DevOps pipelines."}, {"name": "Detect Secrets", "url": "https://github.com/Yelp/detect-secrets", "description": "*Yelp* - An aptly named module for (surprise, surprise) detecting secrets within a code base.", "stars": "3.6k"}, {"name": "GitGuardian", "url": "https://www.gitguardian.com/", "description": "*GitGuardian* - A web-based solution that scans and monitors public and private git repositories for secrets."}, {"name": "Gitleaks", "url": "https://github.com/zricethezav/gitleaks", "description": "*Zachary Rice* - Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in git repositories.", "stars": "17k"}, {"name": "git-secrets", "url": "https://github.com/awslabs/git-secrets", "description": "*AWS Labs* - Scans commits, commit messages and merges for secrets. 
Native support for AWS secret patterns, but can be configured to support other patterns.", "stars": "12k"}, {"name": "Nightfall", "url": "https://nightfall.ai/solutions/product/github", "description": "*Nightfall* - A web-based platform that monitors for sensitive data disclosure across several SDLC tools, including GitHub repositories."}, {"name": "Repo-supervisor", "url": "https://github.com/auth0/repo-supervisor", "description": "*Auth0* - Secrets scanning tool that can run as a CLI, as a Docker container or in AWS Lambda.", "stars": "632"}, {"name": "SpectralOps", "url": "https://spectralops.io", "description": "*Spectral* - Automated code security, secrets, tokens and sensitive data scanning."}, {"name": "truffleHog", "url": "https://github.com/trufflesecurity/truffleHog", "description": "*Truffle Security* - Searches through git repositories for secrets, digging deep into commit history and branches.", "stars": "14k"}]}, {"name": "Static Analysis", "parent": "Tools", "entries": [{"name": "DevSkim", "url": "https://github.com/microsoft/DevSkim", "description": "*Microsoft* - A set of IDE plugins, CLIs and other tools that provide security analysis for a number of programming languages.", "stars": "893"}, {"name": "Graudit", "url": "https://github.com/wireghoul/graudit/", "description": "*Eldar Marcussen* - Grep source code for potential security flaws with custom or pre-configured regex signatures.", "stars": "1.4k"}, {"name": "Hawkeye", "url": "https://github.com/hawkeyesec/scanner-cli", "description": "*Hawkeyesec* - Modularised CLI tool for project security, vulnerability and general risk highlighting.", "stars": "358"}, {"name": "LGTM", "url": "https://lgtm.com/", "description": "*Semmle* - Scan and monitor code for security vulnerabilities using custom or built-in CodeQL queries."}, {"name": "RIPS", "url": "https://www.ripstech.com/", "description": "*RIPS Technologies* - Automated static analysis for PHP, Java and Node.js projects."}, {"name": "SemGrep", 
"url": "https://semgrep.dev/", "description": "*r2c* - Semgrep is a fast, open-source, static analysis tool that finds bugs and enforces code standards at editor, commit, and CI time."}, {"name": "SonarLint", "url": "https://www.sonarlint.org/", "description": "*SonarSource* - An IDE plugin that highlights potential security issues, code quality issues and bugs."}, {"name": "SonarQube", "url": "https://www.sonarqube.org/", "description": "*SonarSource* - Scan code for security and quality issues with support for a wide variety of languages."}, {"name": "FlawFinder", "url": "https://github.com/david-a-wheeler/flawfinder", "description": "*David Wheeler* - Scan C / C++ code for potential security weaknesses.", "stars": "463"}, {"name": "Puma Scan", "url": "https://github.com/pumasecurity/puma-scan", "description": "*Puma Security* - A Visual Studio plugin to scan .NET projects for potential security flaws.", "stars": "443"}, {"name": "Conftest", "url": "https://github.com/instrumenta/conftest", "description": "*Instrumenta* - Create custom tests to scan any configuration file for security flaws.", "stars": "2.8k"}, {"name": "Selefra", "url": "https://github.com/selefra/selefra", "description": "*Selefra* - Open-source policy-as-code software that provides analytics for multi-cloud and SaaS.", "stars": "513"}, {"name": "Deep Dive", "url": "https://discotek.ca/deepdive.xhtml", "description": "*Discotek.ca* - Static analysis for JVM deployment units including EAR, WAR, JAR and APK."}, {"name": "Find Security Bugs", "url": "https://github.com/find-sec-bugs/find-sec-bugs/", "description": "*OWASP* - SpotBugs plugin for security audits of Java web applications. 
Supports Eclipse, IntelliJ, Android Studio and SonarQube.", "stars": "2.2k"}, {"name": "SpotBugs", "url": "https://github.com/spotbugs/spotbugs", "description": "*SpotBugs* - Static code analysis for Java applications.", "stars": "3.4k"}, {"name": "ESLint", "url": "https://eslint.org/", "description": "*JS Foundation* - Linting tool for JavaScript with multiple security linting rules available."}, {"name": "Golang Security Checker", "url": "https://github.com/securego/gosec", "description": "*securego* - CLI tool to scan Go code for potential security flaws.", "stars": "7.6k"}, {"name": "Security Code Scan", "url": "https://github.com/security-code-scan/security-code-scan", "description": "*Security Code Scan* - Static code analysis for C# and VB.NET applications.", "stars": "929"}, {"name": "Phan", "url": "https://github.com/phan/phan", "description": "*Phan* - Broad static analysis for PHP applications with some support for security scanning features.", "stars": "5.5k"}, {"name": "PHPCS Security Audit", "url": "https://github.com/FloeDesignTechnologies/phpcs-security-audit", "description": "*Floe* - PHP static analysis with rules for PHP, Drupal 7 and PHP related CVEs.", "stars": "703"}, {"name": "Progpilot", "url": "https://github.com/designsecurity/progpilot", "description": "*Design Security* - Static analysis for PHP source code.", "stars": "319"}, {"name": "Bandit", "url": "https://github.com/PyCQA/bandit", "description": "*Python Code Quality Authority* - Find common security vulnerabilities in Python code.", "stars": "6.1k"}, {"name": "Brakeman", "url": "https://github.com/presidentbeef/brakeman", "description": "*Justin Collins* - Static analysis tool which checks Ruby on Rails applications for security vulnerabilities.", "stars": "6.9k"}, {"name": "DawnScanner", "url": "https://github.com/thesp0nge/dawnscanner", "description": "*Paolo Perego* - Security scanning for Ruby scripts and web application. 
Supports Ruby on Rails, Sinatra and Padrino frameworks.", "stars": "733"}]}, {"name": "Supply Chain Security", "parent": "Tools", "entries": [{"name": "Harden Runner GitHub Action", "url": "https://github.com/step-security/harden-runner", "description": "*StepSecurity* - Installs a security agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of credentials, detect compromised dependencies and build tools, and detect tampering of source code during the build.", "stars": "550"}, {"name": "Overlay", "url": "https://github.com/os-scar/overlay", "description": "*SCAR* - A browser extension helping developers evaluate open source packages before picking them.", "stars": "213"}, {"name": "Preflight", "url": "https://github.com/spectralops/preflight", "description": "*Spectral* - Helps you verify scripts and executables to mitigate supply chain attacks in your CI and other systems, such as the [Codecov breach](https://spectralops.io/blog/credentials-risk-supply-chain-lessons-from-the-codecov-breach/).", "stars": "152"}, {"name": "Sigstore", "url": "https://www.sigstore.dev/", "description": "*Sigstore* - A set of free-to-use, open-source tools, including [fulcio (\u2b50622)](https://github.com/sigstore/fulcio), [cosign (\u2b504.2k)](https://github.com/sigstore/cosign) and [rekor (\u2b50853)](https://github.com/sigstore/rekor), handling the digital signing, verification and provenance checks needed to make it safer to distribute and use open source software."}, {"name": "Syft", "url": "https://github.com/anchore/syft/", "description": "*Anchore* - A CLI tool for generating a Software Bill of Materials (SBOM) from container images and filesystems.", "stars": "5.8k"}]}, {"name": "Threat Modelling", "parent": "Tools", "entries": [{"name": "Awesome Threat Modelling", "url": "https://github.com/hysnsec/awesome-threat-modelling", "description": "*Practical DevSecOps* - A curated list of threat modelling resources.", "stars": "1.3k"}, {"name": 
"SecuriCAD", "url": "https://www.foreseeti.com/", "description": "*Foreseeti* - Threat modelling and attack simulations for IT infrastructure."}, {"name": "IriusRisk", "url": "https://iriusrisk.com/", "description": "*IriusRisk* - Draw threat models, capture threats and countermeasures, and manage risk."}, {"name": "Raindance Project", "url": "https://github.com/devsecops/raindance", "description": "*DevSecOps* - Use attack maps to identify attack surface and adversary strategies that may lead to compromise.", "stars": "44"}, {"name": "SD Elements", "url": "https://www.securitycompass.com/sdelements/threat-modeling/", "description": "*Security Compass* - Identify and rank threats, generate actionable tasks and track related tickets."}, {"name": "Threat Dragon", "url": "https://owasp.org/www-project-threat-dragon/", "description": "*OWASP* - Threat model diagramming tool."}, {"name": "Threat Modelling Tool", "url": "https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling", "description": "*Microsoft* - Threat model diagramming tool."}, {"name": "Threatspec", "url": "https://threatspec.org/", "description": "*Threatspec* - Define threat modelling as code."}, {"name": "Awesome Dynamic Analysis", "url": "https://github.com/analysis-tools-dev/dynamic-analysis/", "description": "*Matthias Endler* - A collection of dynamic analysis tools and code quality checkers.", "stars": "899"}, {"name": "Awesome Platform Engineering", "url": "https://github.com/shospodarets/awesome-platform-engineering/", "description": "A curated list of solutions, tools and resources for *Platform Engineering*.", "stars": "305"}, {"name": "Awesome Static Analysis", "url": "https://github.com/analysis-tools-dev/static-analysis/", "description": "*Matthias Endler* - A collection of static analysis tools and code quality checkers.", "stars": "13k"}, {"name": "Awesome Threat Modelling", "url": "https://github.com/hysnsec/awesome-threat-modelling", "description": "*Practical DevSecOps* - A 
curated list of threat modeling resources.", "stars": "1.3k"}, {"name": "Vulnerable Web Apps Directory", "url": "https://owasp.org/www-project-vulnerable-web-applications-directory", "description": "*OWASP* - A collection of vulnerable web applications for learning purposes."}]}], "name": ""}