Ultimate DevSecOps library

Contribution rules

If you want to contribute to this library of knowledge please create proper PR (Pull Request) with description what you are adding following these set of rules:

• Clear description of PR (which tool, why, number of stars, maturity and topic)
• Keep it simple - Fill the description properly
• Fact over feelings or personal opinions
• Add source and follow the library style
• Avoid duplicits - one tool, one topic
• Try to make bigger updates then on tool link
• Currently open-source only
• Add only active projects
• Add only security tools
• Report typos as issue not via PR.

Note: Currently this is an early version of the library. I recommend PR after first official release.

DevSecOps library info:

This library contains list of tools and methodologies accompanied with resources. The main goal is to provide to the engineers a guide through opensource DevSecOps tooling. This repository covers only cyber security in the cloud and the DevSecOps scope.

Table of Contents

• Ultimate DevSecOps library
  • Contribution rules
• Table of Contents
• What is DevSecOps
• Tooling
  • Pre-commit time tools
  • Secrets management
  • OSS and Dependency management
  • Supply chain specific tools
  • SAST
  • DAST
  • Continuous deployment security
  • Kubernetes
  • Containers
  • Multi-Cloud
  • AWS
  • Google cloud platform
  • Microsoft Azure
  • Policy as code
  • Chaos engineering
  • Infrastructure as code security
  • Orchestration
• Methodologies, whitepapers and architecture
• Other
• License

What is DevSecOps

DevSecOps focuses on security automation, testing and enforcement during DevOps - Release - SDLC cycles. The whole meaning behind this methodology is connecting together Development, Security and Operations. DevSecOps is methodology providing different methods, techniques and processes backed mainly with tooling focusing on developer / security experience.

DevSecOps takes care that security is part of every stage of DevOps loop - Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

Various definitions:

• https://www.redhat.com/en/topics/devops/what-is-devsecops
• https://www.ibm.com/cloud/learn/devsecops
• https://snyk.io/series/devsecops/
• https://www.synopsys.com/glossary/what-is-devsecops.html
• https://spacelift.io/blog/what-is-devsecops

Tooling

Pre-commit time tools

In this section you can find lifecycle helpers, precommit hook tools and threat modeling tools. Threat modeling tools are specific category by themselves allowing you to simulate and discover potential gaps before you start to develop the software or during the process.

Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based on the existing code annotations.

Name	URL	Description	Meta
git-secrets	https://github.com/awslabs/git-secrets	AWS labs tool preventing you from committing secrets to a git repository
git-hound	https://github.com/tillson/git-hound	Searchers secrets in git
goSDL	https://github.com/slackhq/goSDL	Security Development Lifecycle checklist
ThreatPlaybook	https://github.com/we45/ThreatPlaybook	Threat modeling as code
Threat Dragon	https://github.com/OWASP/threat-dragon	OWASP Threat modeling tool
threatspec	https://github.com/threatspec/threatspec	Threat modeling as code
pytm	https://github.com/izar/pytm	A Pythonic framework for threat modeling
Threagile	https://github.com/Threagile/threagile	A Go framework for threat modeling
MAL-lang	https://mal-lang.org/#what	A language to create cyber threat modeling systems for specific domains
Microsoft Threat modeling tool	https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool	Microsoft threat modeling tool
Talisman	https://github.com/thoughtworks/talisman	A tool to detect and prevent secrets from getting checked in
SEDATED	https://github.com/OWASP/SEDATED	The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git.
Sonarlint	https://github.com/SonarSource/sonarlint-core	Sonar linting utility for IDE
DevSkim	https://github.com/microsoft/DevSkim	DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis
detect-secrets	https://github.com/Yelp/detect-secrets	Detects secrets in your codebase
tflint	https://github.com/terraform-linters/tflint	A Pluggable Terraform Linter
Steampipe Code Plugin	https://github.com/turbot/steampipe-plugin-code	Use SQL to detect secrets from source code and data sources.

Secrets management

Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of passwords, certificates, configuration values and other types of secrets.

Name	URL	Description	Meta
GitLeaks	https://github.com/zricethezav/gitleaks	Gitleaks is a scanning tool for detecting hardcoded secrets
ggshield	https://github.com/gitguardian/ggshield	GitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files.
TruffleHog	https://github.com/trufflesecurity/truffleHog	TruffleHog is a scanning tool for detecting hardcoded secrets
Hashicorp Vault	https://github.com/hashicorp/vault	Hashicorp Vault secrets management
Mozilla SOPS	https://github.com/mozilla/sops	Mozilla Secrets Operations
AWS secrets manager GH action	https://github.com/marketplace/actions/aws-secrets-manager-actions	AWS secrets manager docs
GitRob	https://github.com/michenriksen/gitrob	Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github
git-wild-hunt	https://github.com/d1vious/git-wild-hunt	A tool to hunt for credentials in the GitHub
aws-vault	https://github.com/99designs/aws-vault	AWS Vault is a tool to securely store and access AWS credentials in a development environment
Knox	https://github.com/pinterest/knox	Knox is a service for storing and rotation of secrets, keys, and passwords used by other services
Chef vault	https://github.com/chef/chef-vault	allows you to encrypt a Chef Data Bag Item
Ansible vault	Ansible vault docs	Encryption/decryption utility for Ansible data files

OSS and Dependency management

Dependency security testing and analysis is very important part of discovering supply chain attacks. SBOM creation and following dependency scanning (Software composition analysis) is critical part of continuous integration (CI). Data series and data trends tracking should be part of CI tooling. You need to know what you produce and what you consume in context of libraries and packages.

Name	URL	Description	Meta
CycloneDX	https://github.com/orgs/CycloneDX/repositories	CycloneDX format for SBOM
cdxgen	https://github.com/AppThreat/cdxgen	Generates CycloneDX SBOM, supports many languages and package managers.
SPDX	https://github.com/spdx/spdx-spec	SPDX format for SBOM - Software Package Data Exchange
Snyk	https://github.com/snyk/snyk	Snyk scans and monitors your projects for security vulnerabilities
vulncost	https://github.com/snyk/vulncost	Security Scanner for VS Code
Dependency Combobulator	https://github.com/apiiro/combobulator	Dependency-related attacks detection and prevention through heuristics and insight engine (support multiple dependency schemes)
DependencyTrack	https://github.com/DependencyTrack/dependency-track	Dependency security tracking platform
DependencyCheck	https://github.com/jeremylong/DependencyCheck	Simple dependency security scanner good for CI
Retire.js	https://github.com/retirejs/retire.js/	Helps developers to detect the use of JS-library versions with known vulnerabilities
PHP security checker	https://github.com/fabpot/local-php-security-checker	Check vulnerabilities in PHP dependencies
bundler-audit	https://github.com/rubysec/bundler-audit	Patch-level verification for bundler	![Bundler