
Ultimate DevSecOps library 21/09/2023, 08:02

Ultimate DevSecOps library

[Figure: DevSecOps infinity loop with SEC at its centre and the stages Plan, Code, Build, Test, Release, Deploy, Operate and Monitor around it]

DevSecOps library info:

STARS 4.8K WATCHERS 148 FORKS 848

This library contains a list of tools and methodologies accompanied by resources. The main goal
is to give engineers a guide through open-source DevSecOps tooling. This repository
covers only cyber security in the cloud and the DevSecOps scope.

Table of Contents
Definition
Tooling
Precommit and threat modeling
SAST
DAST


Orchestration
Supply chain and dependencies
Infrastructure as code
Containers security
Kubernetes
Cloud
Chaos engineering
Policy as code
Methodologies
Other
License

What is DevSecOps
DevSecOps focuses on security automation, testing and enforcement during the DevOps, release
and SDLC cycles. The whole meaning behind this methodology is connecting
Development, Security and Operations. DevSecOps is a methodology providing different
methods, techniques and processes, backed mainly by tooling that focuses on the developer / security
experience.

DevSecOps makes sure that security is part of every stage of the DevOps loop: Plan, Code, Build,
Test, Release, Deploy, Operate, Monitor.

Various definitions:

https://www.redhat.com/en/topics/devops/what-is-devsecops
https://www.ibm.com/cloud/learn/devsecops
https://snyk.io/series/devsecops/
https://www.synopsys.com/glossary/what-is-devsecops.html
https://spacelift.io/blog/what-is-devsecops

Tooling

Pre-commit time tools


In this section you can find lifecycle helpers, pre-commit hook tools and threat modeling tools.
Threat modeling tools are a specific category by themselves, allowing you to simulate and discover
potential gaps before you start to develop the software or during the process.

Modern DevSecOps tools allow using threat modeling as code or generating threat models
from existing code annotations.

| Name | URL | Description | Meta |
|---|---|---|---|
| git-secrets | https://github.com/awslabs/git-secrets | AWS labs tool preventing you from committing secrets to a git repository | STARS 12K |
| git-hound | https://github.com/tillson/git-hound | Searches for secrets in git | STARS 1K |
| goSDL | https://github.com/slackhq/goSDL | Security Development Lifecycle checklist | STARS 510 |
| ThreatPlaybook | https://github.com/we45/ThreatPlaybook | Threat modeling as code | STARS 256 |
| Threat Dragon | https://github.com/OWASP/threat-dragon | OWASP threat modeling tool | STARS 625 |
| threatspec | https://github.com/threatspec/threatspec | Threat modeling as code | STARS 282 |
| pytm | https://github.com/izar/pytm | A Pythonic framework for threat modeling | STARS 758 |
| Threagile | https://github.com/Threagile/threagile | A Go framework for threat modeling | STARS 493 |
| MAL-lang | https://mal-lang.org/#what | A language to create cyber threat modeling systems for specific domains | STARS 22 |
| Microsoft Threat modeling tool | https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool | Microsoft threat modeling tool | STARS 154 |
| Talisman | https://github.com/thoughtworks/talisman | A tool to detect and prevent secrets from getting checked in | STARS 1.8K |
| SEDATED | https://github.com/OWASP/SEDATED | The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git. | STARS 109 |
| Sonarlint | https://github.com/SonarSource/sonarlint-core | Sonar linting utility for IDE | STARS 210 |
| DevSkim | https://github.com/microsoft/DevSkim | DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis | STARS 821 |
| detect-secrets | https://github.com/Yelp/detect-secrets | Detects secrets in your codebase | STARS 3.2K |
| tflint | https://github.com/terraform-linters/tflint | A pluggable Terraform linter | STARS 4.2K |
| Steampipe Code Plugin | https://github.com/turbot/steampipe-plugin-code | Use SQL to detect secrets from source code and data sources. | STARS 14 |

Secrets management
Secrets management includes managing, versioning, encrypting, discovering, rotating and
provisioning passwords, certificates, configuration values and other types of secrets.

| Name | URL | Description | Meta |
|---|---|---|---|
| GitLeaks | https://github.com/zricethezav/gitleaks | Gitleaks is a scanning tool for detecting hardcoded secrets | STARS 14K |
| ggshield | https://github.com/gitguardian/ggshield | GitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files. | STARS 1.4K |
| TruffleHog | https://github.com/trufflesecurity/truffleHog | TruffleHog is a scanning tool for detecting hardcoded secrets | STARS 12K |
| Hashicorp Vault | https://github.com/hashicorp/vault | Hashicorp Vault secrets management | STARS 28K |
| Mozilla SOPS | https://github.com/mozilla/sops | Mozilla Secrets Operations | STARS 14K |
| AWS secrets manager GH action | https://github.com/marketplace/actions/aws-secrets-manager-actions | AWS secrets manager docs | STARS 60 |
| GitRob | https://github.com/michenriksen/gitrob | Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github | STARS 5.7K |
| git-wild-hunt | https://github.com/d1vious/git-wild-hunt | A tool to hunt for credentials in GitHub | STARS 284 |
| aws-vault | https://github.com/99designs/aws-vault | AWS Vault is a tool to securely store and access AWS credentials in a development environment | STARS 7.8K |
| Knox | https://github.com/pinterest/knox | Knox is a service for storing and rotation of secrets, keys, and passwords used by other services | STARS 1.2K |
| Chef vault | https://github.com/chef/chef-vault | Allows you to encrypt a Chef Data Bag Item | STARS 409 |
| Ansible vault | docs | Encryption/decryption utility for Ansible data files | STARS 317 |


OSS and Dependency management

Dependency security testing and analysis is a very important part of discovering supply chain
attacks. SBOM creation followed by dependency scanning (software composition analysis) is a
critical part of continuous integration (CI). Tracking data series and trends should be part of the
CI tooling. You need to know what you produce and what you consume in terms of libraries
and packages.

| Name | URL | Description |
|---|---|---|
| CycloneDX | https://github.com/orgs/CycloneDX/repositories | CycloneDX format for SBOM |
| cdxgen | https://github.com/AppThreat/cdxgen | Generates CycloneDX SBOM, supports many languages and package managers. |
| SPDX | https://github.com/spdx/spdx-spec | SPDX format for SBOM - Software Package Data Exchange |
| Snyk | https://github.com/snyk/snyk | Snyk scans and monitors your projects for security vulnerabilities |
| vulncost | https://github.com/snyk/vulncost | Security Scanner for VS Code |
| Dependency Combobulator | https://github.com/apiiro/combobulator | Dependency-related attacks detection and prevention through heuristics and insight engine (supports multiple dependency schemes) |
| DependencyTrack | https://github.com/DependencyTrack/dependency-track | Dependency security tracking platform |
| DependencyCheck | https://github.com/jeremylong/DependencyCheck | Simple dependency security scanner good for CI |
| Retire.js | https://github.com/retirejs/retire.js/ | Helps developers to detect the use of JS-library versions with known vulnerabilities |
| PHP security checker | https://github.com/fabpot/local-php-security-checker | Check vulnerabilities in PHP dependencies |
| bundler-audit | https://github.com/rubysec/bundler-audit | Patch-level verification for bundler |
| gemnasium | https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium | Dependency Scanning Analyzer based on Gemnasium |
| Dependabot | https://github.com/dependabot/dependabot-core | Automated dependency updates built into GitHub providing security alerts |
| Renovatebot | https://github.com/renovatebot/renovate | Automated dependency updates, patches multi-platform and multi-language |
| npm-check | https://www.npmjs.com/package/npm-check | Check for outdated, incorrect, and unused dependencies. |
| Security Scorecards | https://securityscorecards.dev | Checks for several security health metrics on open source libraries and provides a score (0-10) to be considered in the decision making of what libraries to use. |
| Syft | https://github.com/anchore/syft | CLI tool and library for generating an SBOM from container images (and filesystems). |

Supply chain specific tools

The supply chain is often the target of attacks. Which libraries you use can have a massive impact
on the security of the final product (artifacts). CI (continuous integration) must be monitored inside
the tasks and jobs of the pipeline steps. Integrity checks must be stored outside the system and, in the
ideal case, several validation runs with comparison of integrity hashes or attestations must be
performed.

| Name | URL | Description | Meta |
|---|---|---|---|
| Tekton chains | https://github.com/tektoncd/chains | Kubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton. | STARS 222 |
| in-toto | https://github.com/in-toto/attestation/tree/v0.1.0/spec | An in-toto attestation is authenticated metadata about one or more software artifacts | STARS 149 |
| SLSA | Official GitHub link | Supply-chain Levels for Software Artifacts | STARS 1.3K |
| kritis | https://github.com/grafeas/kritis | Solution for securing your software supply chain for Kubernetes apps | STARS 674 |
| ratify | https://github.com/deislabs/ratify | Artifact Ratification Framework | STARS 140 |


SAST

Static code review tools work with source code, looking for known patterns and
relationships of methods, variables, classes and libraries. SAST works with the raw code and
usually not with built packages.

| Name | URL | Description | Meta |
|---|---|---|---|
| Brakeman | https://github.com/presidentbeef/brakeman | Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities | STARS 6.7K |
| Semgrep | https://semgrep.dev/ | Hi-Quality Open source, works on 17+ languages | STARS 8.8K |
| Bandit | https://github.com/PyCQA/bandit | Python specific SAST tool | STARS 5.5K |
| libsast | https://github.com/ajinabraham/libsast | Generic SAST for Security Engineers. Powered by regex based pattern matcher and semantic aware semgrep | STARS 106 |
| ESLint | https://eslint.org/ | Find and fix problems in your JavaScript code | |
| nodejsscan | https://github.com/ajinabraham/nodejsscan | NodeJs SAST scanner with GUI | STARS 2.2K |
| FindSecurityBugs | https://find-sec-bugs.github.io/ | The SpotBugs plugin for security audits of Java web applications | STARS 2.1K |
| SonarQube community | https://github.com/SonarSource/sonarqube | Detect security issues in code review with Static Application Security Testing (SAST) | STARS 8.1K |
| gosec | https://github.com/securego/gosec | Inspects source code for security problems by scanning the Go AST. | STARS 7.1K |
| Safety | https://github.com/pyupio/safety | Checks Python dependencies for known security vulnerabilities. | STARS 1.5K |


Note: Semgrep is a free CLI tool; however, some rulesets (https://semgrep.dev/r) have
various licences: some are free to use and some are commercial.

OWASP curated list of SAST tools: https://owasp.org/www-community/Source_Code_Analysis_Tools

DAST

Dynamic application security testing (DAST) is a type of application testing (in most cases of web
applications) that checks your application from the outside, by active communication and analysis of the
responses to injected inputs. DAST tools rely on inputs and outputs to operate. A DAST
tool uses these to check for security problems while the software is actually running and is
actively deployed on the server (or serverless function).

| Name | URL | Description | Meta |
|---|---|---|---|
| Zap proxy | https://owasp.org/www-project-zap/ | Zap proxy providing various docker containers for CI/CD pipeline | STARS 11K |
| Wapiti | https://github.com/wapiti-scanner/wapiti | Light pipeline ready scanning tool | STARS 767 |
| Nuclei | https://github.com/projectdiscovery/nuclei | Template based security scanning tool | STARS 15K |
| purpleteam | https://github.com/purpleteam-labs/purpleteam | CLI DAST tool incubator project | STARS 104 |
| oss-fuzz | https://github.com/google/oss-fuzz | OSS-Fuzz: Continuous Fuzzing for Open Source Software | STARS 9K |
| nikto | https://github.com/sullo/nikto | Nikto web server scanner | STARS 7.1K |
| skipfish | https://code.google.com/archive/p/skipfish/ | Skipfish is an active web application security reconnaissance tool | STARS 615 |

Continuous deployment security

| Name | URL | Description | Meta |
|---|---|---|---|
| SecureCodeBox | https://github.com/secureCodeBox/secureCodeBox | Toolchain for continuous scanning of applications and infrastructure | STARS |
| OpenSCAP | https://github.com/OpenSCAP/openscap | Open Source Security Compliance Solution | STARS |
| ThreatMapper | https://github.com/deepfence/ThreatMapper | ThreatMapper hunts for vulnerabilities in your production platforms, and ranks these vulnerabilities based on their risk-of-exploit. | STARS |

Kubernetes

| Name | URL | Description | Meta |
|---|---|---|---|
| KubiScan | https://github.com/cyberark/KubiScan | A tool for scanning a Kubernetes cluster for risky permissions | STARS 1.2K |
| Kubeaudit | https://github.com/Shopify/kubeaudit | Audit Kubernetes clusters for various different security concerns | STARS 1.7K |
| Kubescape | https://github.com/armosec/kubescape | The first open-source tool for testing if Kubernetes is deployed according to the NSA-CISA and the MITRE ATT&CK®. | STARS 8.9K |
| kubesec | https://github.com/controlplaneio/kubesec | Security risk analysis for Kubernetes resources | STARS 1K |
| kube-bench | https://github.com/aquasecurity/kube-bench | Kubernetes benchmarking tool | STARS 6.1K |
| kube-score | https://github.com/zegl/kube-score | Static code analysis of your Kubernetes object definitions | STARS 2.4K |
| kube-hunter | https://github.com/aquasecurity/kube-hunter | Active scanner for k8s (purple) | STARS 4.4K |
| Calico | https://github.com/projectcalico/calico | Calico is an open source networking and network security solution for containers | STARS 5K |
| Krane | https://github.com/appvia/krane | Simple Kubernetes RBAC static analysis tool | STARS 618 |
| Starboard | https://github.com/aquasecurity/starboard | Starboard integrates security tools by outputs into Kubernetes CRDs | STARS 1.3K |
| Gatekeeper | https://github.com/open-policy-agent/gatekeeper | Open policy agent gatekeeper for k8s | STARS 3.2K |
| Inspektor-gadget | https://github.com/kinvolk/inspektor-gadget | Collection of tools (or gadgets) to debug and inspect k8s | STARS 1.6K |
| kube-linter | https://github.com/stackrox/kube-linter | Static analysis for Kubernetes | STARS 2.4K |
| mizu-api-traffic-viewer | https://github.com/up9inc/mizu | A simple-yet-powerful API traffic viewer for Kubernetes enabling you to view all API communication between microservices to help you debug and troubleshoot regressions. | STARS 9.6K |
| HelmSnyk | https://github.com/snyk-labs/helm-snyk | The Helm plugin for Snyk provides a subcommand for testing the images. | STARS 40 |
| Kubewarden | https://github.com/orgs/kubewarden/repositories | Policy as code for kubernetes from SUSE. | STARS 61 |
| Kubernetes-sigs BOM | https://github.com/kubernetes-sigs/bom | Kubernetes BOM generator | STARS 257 |
| Capsule | https://github.com/clastix/capsule | A multi-tenancy and policy-based framework for Kubernetes | STARS 1.3K |
| Badrobot | https://github.com/controlplaneio/badrobot | Badrobot is a Kubernetes Operator audit tool | STARS 207 |
| kube-scan | https://github.com/octarinesec/kube-scan | k8s cluster risk assessment tool | STARS 770 |
| Istio | https://istio.io | Istio is a service mesh based on Envoy. Engage encryption, role-based access, and authentication across services. | STARS 34K |
| Kubernetes Insights | https://github.com/turbot/steampipe-mod-kubernetes-insights | Visualize Kubernetes inventory and permissions through relationship graphs. | STARS 21 |
| Kubernetes Compliance | https://github.com/turbot/steampipe-mod-kubernetes-compliance | Check compliance of Kubernetes configurations to security best practices. | STARS 28 |

Containers

| Name | URL | Description | Meta |
|---|---|---|---|
| Harbor | https://github.com/goharbor/harbor | Trusted cloud native registry project | STARS 21K |
| Anchore | https://github.com/anchore/anchore-engine | Centralized service for inspection, analysis, and certification of container images | STARS 1.6K |
| Clair | https://github.com/quay/clair | Docker vulnerability scanner | STARS 21K |
| Deepfence ThreatMapper | https://github.com/deepfence/ThreatMapper | Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless. | STARS 4.4K |
| Docker bench | https://github.com/docker/docker-bench-security | Docker benchmarking against CIS | STARS 21K |
| Falco | https://github.com/falcosecurity/falco | Container runtime protection | STARS 6.3K |
| Trivy | https://github.com/aquasecurity/trivy | Comprehensive scanner for vulnerabilities in container images | STARS 19K |
| Notary | https://github.com/notaryproject/notary | Docker signing | STARS 3.1K |
| Cosign | https://github.com/sigstore/cosign | Container signing | STARS 3.6K |
| watchtower | https://github.com/containrrr/watchtower | Updates the running version of your containerized app | STARS 15K |
| Grype | https://github.com/anchore/grype | Vulnerability scanner for container images (and also filesystems). | STARS 6.5K |

Multi-Cloud

| Name | URL | Description | Meta |
|---|---|---|---|
| Cloudsploit | https://github.com/aquasecurity/cloudsploit | Detection of security risks in cloud infrastructure | STARS 2.9K |
| ScoutSuite | https://github.com/nccgroup/ScoutSuite | NCCgroup multicloud scanning tool | STARS 5.6K |
| CloudCustodian | https://github.com/cloud-custodian/cloud-custodian/ | Multicloud security analysis framework | STARS 4.9K |
| CloudGraph | https://github.com/cloudgraphdev/cli | GraphQL API + Security for AWS, Azure, GCP, and K8s | STARS 849 |
| Steampipe | https://github.com/turbot/steampipe | Instantly query your cloud, code, logs & more with SQL. Build on thousands of open-source benchmarks & dashboards for security & insights. | STARS 5.6K |


AWS

AWS-specific DevSecOps tooling. Tools here cover different areas like inventory management,
misconfiguration scanning or IAM roles and policies review.

| Name | URL | Description | Meta |
|---|---|---|---|
| Dragoneye | https://github.com/indeni/dragoneye | Dragoneye Indeni AWS scanner | STARS REPO NOT FOUND |
| Prowler | https://github.com/toniblyx/prowler | Prowler is a command line tool that helps with AWS security assessment, auditing, hardening and incident response. | STARS 8.6K |
| aws-inventory | https://github.com/nccgroup/aws-inventory | Helps to discover all AWS resources created in an account | STARS 682 |
| PacBot | https://github.com/tmobile/pacbot | Policy as Code Bot (PacBot) | STARS 1.2K |
| Komiser | https://github.com/mlabouardy/komiser | Monitoring dashboard for costs and security | STARS 3.5K |
| Cloudsplaining | https://github.com/salesforce/cloudsplaining | IAM analysis framework | STARS 1.8K |
| ElectricEye | https://github.com/jonrau1/ElectricEye | Continuously monitor your AWS services for configurations | STARS 796 |
| Cloudmapper | https://github.com/duo-labs/cloudmapper | CloudMapper helps you analyze your Amazon Web Services (AWS) environments | STARS 5.7K |
| cartography | https://github.com/lyft/cartography | Consolidates AWS infrastructure assets and the relationships between them in an intuitive graph | STARS 2.7K |
| policy_sentry | https://github.com/salesforce/policy_sentry | IAM Least Privilege Policy Generator | STARS 1.9K |
| AirIAM | https://github.com/bridgecrewio/AirIAM | IAM Least Privilege analyzer and Terraformer | STARS 732 |
| StreamAlert | https://github.com/airbnb/streamalert | AirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert | STARS 2.8K |
| CloudQuery | https://github.com/cloudquery/cloudquery/ | AirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert | STARS 5.1K |
| S3Scanner | https://github.com/sa7mon/S3Scanner/ | A tool to find open S3 buckets and dump their contents | STARS 2.2K |
| aws-iam-authenticator | https://github.com/kubernetes-sigs/aws-iam-authenticator/ | A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster | STARS 2K |
| kube2iam | https://github.com/jtblin/kube2iam/ | A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster | STARS 1.9K |
| AWS open source security samples | Official AWS opensource repo | Collection of official AWS open-source resources | AMAZON AWS |
| AWS Firewall factory | Globaldatanet FMS automation | Deploy, update, and stage your WAFs while managing them centrally via FMS | STARS 155 |
| Parliment | Parliment | Parliament is an AWS IAM linting library | STARS 954 |
| Yor | Yor | Adds informative and consistent tags across infrastructure-as-code frameworks such as Terraform, CloudFormation, and Serverless | STARS 705 |
| AWS Insights | https://github.com/turbot/steampipe-mod-aws-insights | Visualize AWS inventory and permissions through relationship graphs. | STARS 76 |
| AWS Compliance | https://github.com/turbot/steampipe-mod-aws-compliance | Check compliance of AWS configurations to security best practices. | STARS 317 |

Google cloud platform

GCP-specific DevSecOps tooling. Tools here cover different areas like inventory management,
misconfiguration scanning or IAM roles and policies review.

| Name | URL | Description | Meta |
|---|---|---|---|
| Forseti | https://github.com/forseti-security/forseti-security | Complex security orchestration and scanning platform | STARS 1.3K |
| GCP Insights | https://github.com/turbot/steampipe-mod-gcp-insights | Visualize GCP inventory and permissions through relationship graphs. | STARS 7 |
| GCP Compliance | https://github.com/turbot/steampipe-mod-gcp-compliance | Check compliance of GCP configurations to security best practices. | STARS 29 |

Microsoft Azure

Azure-specific DevSecOps tooling. Tools here cover different areas like inventory management,
misconfiguration scanning or IAM roles and policies review.

| Name | URL | Description | Meta |
|---|---|---|---|
| Azure Insights | https://github.com/turbot/steampipe-mod-azure-insights | Visualize Azure inventory and permissions through relationship graphs. | STARS 8 |
| Azure Compliance | https://github.com/turbot/steampipe-mod-azure-compliance | Check compliance of Azure configurations to security best practices. | STARS 46 |

Policy as code
Policy as code is the idea of writing code in a high-level language to manage and automate
policies. By representing policies as code in text files, proven software development best
practices can be adopted such as version control, automated testing, and automated
deployment. (Source: https://docs.hashicorp.com/sentinel/concepts/policy-as-code)

| Name | URL | Description | Meta |
|---|---|---|---|
| Open Policy agent | https://github.com/open-policy-agent/opa | General-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack | STARS 8.5K |
| Kyverno | https://github.com/kyverno/kyverno | Kyverno is a policy engine designed for Kubernetes | STARS 4.4K |
| Inspec | https://github.com/inspec/inspec | Chef InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements. | STARS 2.7K |
| Cloud Formation guard | https://github.com/aws-cloudformation/cloudformation-guard | Cloud Formation policy as code | STARS 1.2K |
| cnspec | https://github.com/mondoohq/cnspec | cnspec is a cloud-native and powerful Policy as Code engine to assess the security and compliance of your business-critical infrastructure. cnspec finds vulnerabilities and misconfigurations on all systems in your infrastructure including: public and private cloud environments, Kubernetes clusters, containers, container registries, servers and endpoints, SaaS products, infrastructure as code, APIs, and more. | STARS 196 |

https://md2pdf.netlify.app/ Page 26 of 33
Ultimate DevSecOps library 21/09/2023, 08:02

Chaos engineering

Chaos Engineering is the discipline of experimenting on a system in order to build confidence in the system’s capability to withstand turbulent conditions in production.

Reading and manifestos: https://principlesofchaos.org/

| Name | URL | Description | Meta |
|---|---|---|---|
| chaos-mesh | https://github.com/chaos-mesh/chaos-mesh | It is a cloud-native Chaos Engineering platform that orchestrates chaos on Kubernetes environments | STARS 5.9K |
| Chaos monkey | https://netflix.github.io/chaosmonkey/ | Chaos Monkey is responsible for randomly terminating instances in production to ensure that engineers implement their services to be resilient to instance failures. | STARS 14K |
| Chaos Engine | https://thalesgroup.github.io/chaos-engine/ | The Chaos Engine is a tool that is designed to intermittently destroy or degrade application resources running in cloud based infrastructure. These events are designed to occur while the appropriate resources are available to resolve the issue if the platform fails to do so on its own. | STARS 66 |
| chaoskube | https://github.com/linki/chaoskube | Test how your system behaves under arbitrary pod failures. | STARS 1.7K |
| Kube-Invaders | https://github.com/lucky-sideburn/KubeInvaders | Gamified chaos engineering tool for Kubernetes | STARS 917 |
| kube-monkey | https://github.com/asobti/kube-monkey | Gamified chaos engineering tool for Kubernetes | STARS 2.8K |
| Litmus Chaos | https://litmuschaos.io/ | Litmus is an end-to-end chaos engineering platform for cloud native infrastructure and applications. Litmus is designed to orchestrate and analyze chaos in their environments. | STARS 3.8K |
| Gremlin | https://github.com/gremlin/gremlin-python | Chaos engineering SaaS platform with free plan and some open source libraries | STARS 53 |
| AWS FIS samples | https://github.com/aws-samples/aws-fault-injection-simulator-samples | AWS Fault injection simulator samples | STARS 31 |
| CloudNuke | https://github.com/gruntwork-io/cloud-nuke | CLI tool to delete all resources in an AWS account | STARS 2.5K |

Infrastructure as code security


Scanning your infrastructure while it is still only code helps shift security left. Many tools offer in-IDE scanning and provide real-time advice to Cloud engineers.

| Name | URL | Description | Meta |
|---|---|---|---|
| KICS | https://github.com/Checkmarx/kics | Checkmarx opensource security testing for IaC | STARS 1.7K |
| Checkov | https://github.com/bridgecrewio/checkov | Checkov is a static code analysis tool for infrastructure-as-code | STARS 5.9K |
| tfsec | https://github.com/aquasecurity/tfsec | tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform CDK support | STARS 6.3K |
| terrascan | https://github.com/accurics/terrascan | Terrascan is a static code analyzer for Infrastructure as Code | STARS 4.2K |
| cfsec | https://github.com/aquasecurity/cfsec | cfsec scans CloudFormation configuration files for security issues | STARS 59 |
| cfn_nag | https://github.com/stelligent/cfn_nag | Looks for insecure patterns in CloudFormation | STARS 1.2K |
| Sysdig IaC scanner action | https://github.com/sysdiglabs/cloud-iac-scanner-action | Scans your repository with Sysdig IAC Scanner and reports the vulnerabilities. | STARS 4 |
| Terraform Compliance for AWS | https://github.com/turbot/steampipe-mod-terraform-aws-compliance | Check compliance of Terraform configurations to AWS security best practices. | stars 20 |
| Terraform Compliance for Azure | https://github.com/turbot/steampipe-mod-terraform-azure-compliance | Check compliance of Terraform configurations to Azure security best practices. | stars 5 |
| Terraform Compliance for GCP | https://github.com/turbot/steampipe-mod-terraform-gcp-compliance | Check compliance of Terraform configurations to GCP security best practices. | stars 2 |
| Terraform Compliance for OCI | https://github.com/turbot/steampipe-mod-terraform-oci-compliance | Check compliance of Terraform configurations to OCI security best practices. | stars 2 |

Orchestration
Event-driven security helps to drive, automate and execute tasks for security processes. The tools here are not dedicated security tools, but they help to automate and orchestrate security tasks or are part of most modern security automation frameworks or tools.

| Name | URL | Description | Meta |
|---|---|---|---|
| StackStorm | https://github.com/StackStorm/st2 | Platform for integration and automation across services and tools supporting event driven security | STARS 5.7K |
| Camunda | https://github.com/camunda/camunda-bpm-platform | Workflow and process automation | STARS 3.5K |
| DefectDojo | https://github.com/DefectDojo/django-DefectDojo | Security orchestration and vulnerability management platform | STARS 3K |
| Faraday | https://github.com/infobyte/faraday | Security suite for Security Orchestration, vulnerability management and centralized information | stars 4.2k |


Methodologies, whitepapers and architecture


List of resources worth investigating:

https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf
https://dodcio.defense.gov/Portals/0/Documents/Library/DoDEnterpriseDevSecOpsStrategyGuide.pdf
https://csrc.nist.gov/publications/detail/sp/800-204c/draft
https://owasp.org/www-project-devsecops-maturity-model/
https://www.sans.org/posters/cloud-security-devsecops-best-practices/

AWS DevOps whitepapers:

https://d1.awsstatic.com/whitepapers/aws-development-test-environments.pdf
https://d1.awsstatic.com/whitepapers/AWS_DevOps.pdf
https://d1.awsstatic.com/whitepapers/AWS_Blue_Green_Deployments.pdf
https://d1.awsstatic.com/whitepapers/DevOps/import-windows-server-to-amazon-ec2.pdf
https://d1.awsstatic.com/whitepapers/DevOps/Jenkins_on_AWS.pdf
https://d1.awsstatic.com/whitepapers/DevOps/practicing-continuous-integration-continuous-delivery-on-AWS.pdf
https://d1.awsstatic.com/whitepapers/DevOps/infrastructure-as-code.pdf
https://d1.awsstatic.com/whitepapers/microservices-on-aws.pdf
https://d1.awsstatic.com/whitepapers/DevOps/running-containerized-microservices-on-aws.pdf
https://d1.awsstatic.com/Marketplace/solutions-center/downloads/AppSec-DevSecOps-AWS-SANS-eBook.pdf (AWS + SANS whitepaper)

AWS blog:

https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/
https://aws.amazon.com/blogs/devops/building-an-end-to-end-kubernetes-based-devsecops-software-factory-on-aws/

Microsoft whitepapers:

https://azure.microsoft.com/mediahandler/files/resourcefiles/6-tips-to-integrate-security-into-your-devops-practices/DevSecOps_Report_Tips_D6_fm.pdf
https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-azure
https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-github

GCP whitepapers:

https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security
https://cloud.google.com/security/overview/whitepaper
https://services.google.com/fh/files/misc/security_whitepapers_march2018.pdf
https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security
https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf

Other
Here are the other links and resources that do not fit in any previous category. They can meet
multiple categories in time or help you in your learning.

| Name | URL | Description | Meta |
|---|---|---|---|
| Automated Security Helper (ASH) | https://github.com/aws-samples/automated-security-helper | ASH is a one stop shop for security scanners, and does not require any installation. It will identify the different frameworks, and download the relevant, up to date tools. ASH is running on isolated Docker containers, keeping the user environment clean, with a single aggregated report. The following frameworks are supported: Git, Python, Javascript, Cloudformation, Terraform and Jupyter Notebooks. | STARS 227 |
| Mobile security framework | https://github.com/MobSF/Mobile-Security-Framework-MobSF | SAST, DAST and pentesting tool for mobile apps | STARS 15K |
| Legitify | https://github.com/Legit-Labs/legitify | Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets | STARS 639 |

Training - https://www.practical-devsecops.com/devsecops-university/

DevSecOps videos - Hackitect playground

License
MIT license

Marek Šottl (c) 2022
