A curated list of awesome DevSecOps tools, practices, and resources for integrating security into the software development lifecycle
DevSecOps is the philosophy of integrating security practices within the DevOps process. This list covers tools, frameworks, and best practices for building security into every stage of the software development lifecycle.
- Learning & Getting Started
- Code Security
- Security Testing
- Container & Kubernetes Security
- Infrastructure Security
- Secrets Management
- CI/CD Security
- Security Monitoring & Incident Response
- Compliance & Policy
- Security Automation
- Threat Modeling
- Vulnerability Management
- Security Champions Programs
- Open Source Security
- Cloud Security
- Platforms & Solutions
- Community & Resources
- Related Lists
- Contributing
Learning & Getting Started:
- DevSecOps Handbook - Comprehensive guide to DevSecOps
- The Phoenix Project - Novel about IT, DevOps, and helping your business win
- Accelerate - Building and scaling high-performing technology organizations
- OWASP DevSecOps Guideline - Official OWASP guide
- Alice and Bob Learn Application Security - Beginner-friendly security book
- Certified DevSecOps Professional (CDP) - Professional certification
- SANS DevSecOps Courses - Professional training
- Linux Foundation DevSecOps - Secure development fundamentals
- Cloud Security Alliance CCSK - Cloud security certification
- ISC2 CSSLP - Certified Secure Software Lifecycle Professional
- NIST Secure Software Development Framework (SSDF) - Secure SDLC framework
- OWASP Top 10 - Top web application security risks
- OWASP SAMM - Software Assurance Maturity Model
- CIS Benchmarks - Security configuration benchmarks
- NIST Cybersecurity Framework - Framework for improving critical infrastructure cybersecurity
- ISO 27001 - Information security management
Code Security:
Commercial:
- Snyk Code - Developer-first SAST
  - Real-time scanning in IDE
  - AI-powered fix suggestions
  - Low false positives
  - Multiple language support
- SonarQube - Code quality and security
  - Supports 29+ languages
  - Quality gates
  - Security hotspots
  - CI/CD integration
- Checkmarx - Enterprise SAST
  - Comprehensive coverage
  - IDE plugins
  - Remediation guidance
- Veracode - Application security platform
  - Static analysis
  - Dynamic analysis
  - SCA and penetration testing
Open Source:
- Semgrep - Fast, customizable static analysis
  - Open source core
  - Custom rule creation
  - CI/CD friendly
  - 30+ languages
- Bandit - Python security linter
  - Finds common security issues
  - Configurable
  - CI integration
- Brakeman - Ruby on Rails security scanner
  - Static analysis for Rails
  - Fast scanning
  - Low false positives
- SpotBugs - Java static analysis
  - Find bugs in Java code
  - Security plugin available
  - Maven/Gradle integration
- Snyk Open Source - Dependency scanning
  - Automated fix PRs
  - License compliance
  - Real-time monitoring
- Dependabot - GitHub's dependency updater
  - Automated security updates
  - Free for public repos
  - Multi-ecosystem support
- OWASP Dependency-Check - SCA tool
  - Free and open source
  - Identifies known vulnerabilities
  - Multiple language support
- WhiteSource (Mend) - Open source security
  - License compliance
  - Vulnerability detection
  - Policy enforcement
- Trivy - Comprehensive scanner
  - Vulnerabilities in dependencies
  - Container images
  - IaC misconfigurations
- GitGuardian - Secrets detection
  - Real-time scanning
  - GitHub/GitLab integration
  - Secret remediation
- TruffleHog - Find secrets in git repos
  - High entropy string detection
  - Git history scanning
  - Pre-commit hooks
- Gitleaks - SAST for secrets
  - Fast scanning
  - Custom rules
  - CI/CD integration
- detect-secrets - Prevent secrets in code
  - Baseline secrets
  - Pre-commit hooks
  - Low false positives
Security Testing:
- OWASP ZAP - Web app security scanner
  - Free and open source
  - Automated scanning
  - Manual testing tools
  - CI/CD integration
- Burp Suite - Web security testing
  - Industry standard
  - Manual and automated testing
  - Extensible with plugins
  - Free community edition
- Nuclei - Vulnerability scanner
  - Template-based scanning
  - Fast and customizable
  - CI/CD friendly
  - 3000+ templates
- Acunetix - Web vulnerability scanner
  - Comprehensive scanning
  - Low false positives
  - Issue management
- OWASP API Security Top 10 - API security risks
- Postman - API testing with security features
- RestAssured - REST API testing
- SoapUI - API testing tool
- Burp Suite - API security testing
- AFL++ - American Fuzzy Lop
  - Coverage-guided fuzzing
  - Fast and effective
  - Multiple platforms
- LibFuzzer - In-process fuzzing
  - Part of LLVM
  - Coverage-guided
  - Easy integration
- OSS-Fuzz - Continuous fuzzing for OSS
  - Google's fuzzing service
  - Free for open source
  - Automated bug reporting
Container & Kubernetes Security:
- Trivy - Comprehensive scanner
  - OS packages
  - Application dependencies
  - IaC misconfigurations
  - Fast and accurate
- Clair - Container vulnerability scanner
  - Static analysis
  - Continuous monitoring
  - API-driven
- Anchore Grype - Vulnerability scanner
  - Fast scanning
  - Multiple distros
  - SBOM support
- Docker Scout - Docker's security tool
  - Image analysis
  - Remediation advice
  - Policy evaluation
- Snyk Container - Container security
  - Base image recommendations
  - Kubernetes integration
  - Fix guidance
- Falco - Cloud-native runtime security
  - Runtime threat detection
  - CNCF project
  - Custom rules
  - eBPF-based
- Kube-bench - CIS benchmark checker
  - Checks K8s security
  - Based on CIS standards
  - Easy to run
- Kube-hunter - Kubernetes penetration testing
  - Hunt for security weaknesses
  - Active and passive modes
  - Reports findings
- Kubescape - K8s security platform
  - Risk analysis
  - Compliance scanning
  - RBAC visualizer
  - CNCF project
- Polaris - Kubernetes best practices
  - Configuration validation
  - Admission controller
  - Dashboard
- Falco - Runtime security
- Sysdig Secure - Container and Kubernetes security
- Aqua Security - Full lifecycle container security
- Tracee - Runtime security and forensics
Infrastructure Security:
- Checkov - IaC static analysis
  - Terraform, CloudFormation, K8s
  - 1000+ policies
  - CI/CD integration
  - Open source
- Terrascan - IaC security scanner
  - 500+ policies
  - Multiple IaC tools
  - Pre-commit hooks
- tfsec - Terraform security scanner
  - Fast scanning
  - Custom checks
  - CI/CD friendly
- KICS - IaC security scanner
  - Keeps Infrastructure as Code Secure
  - Multiple platforms
  - Custom queries
- Snyk IaC - IaC security
  - Fix guidance
  - Multiple frameworks
  - Developer-friendly
- Prowler - AWS/Azure/GCP security tool
  - CIS benchmarks
  - 350+ checks
  - Open source
- CloudSploit - Cloud security scanner
  - AWS, Azure, GCP, Oracle
  - 600+ plugins
  - Free and open source
- ScoutSuite - Multi-cloud security auditing
  - AWS, Azure, GCP, Alibaba, Oracle
  - HTML reports
  - Open source
- CloudCustodian - Cloud governance
  - Policy as code
  - Multi-cloud
  - Automated remediation
- Cilium - eBPF-based networking and security
- Calico - Container networking and security
- Istio - Service mesh with security features
- Open Policy Agent (OPA) - Policy engine
Secrets Management:
- HashiCorp Vault - Secrets management
  - Dynamic secrets
  - Encryption as a service
  - PKI and TLS certificates
  - Multi-cloud support
- AWS Secrets Manager - AWS secrets service
  - Automatic rotation
  - Fine-grained permissions
  - Integration with AWS services
- Azure Key Vault - Azure secrets management
  - Keys, secrets, certificates
  - HSM support
  - Managed identities
- Google Secret Manager - GCP secrets service
  - Encrypted storage
  - Versioning
  - IAM integration
- Doppler - Secrets management platform
  - Developer-friendly
  - Multi-environment
  - Integrations
- Sealed Secrets - Kubernetes secrets
  - Encrypted K8s secrets
  - GitOps-friendly
  - Open source
CI/CD Security:
- GitHub Advanced Security - GitHub security features
  - Code scanning
  - Secret scanning
  - Dependency review
- GitLab Security - Built-in security scanning
  - SAST, DAST, SCA
  - Container scanning
  - License compliance
- Jenkins Security Plugins - Security plugins
- CircleCI Security - CI/CD security
- Azure DevOps Security - ADO security
Best Practices:
- Principle of least privilege
- Secure credential storage
- Pipeline security scanning
- Audit logging
- Infrastructure as Code
- Immutable pipelines
Security Monitoring & Incident Response:
- Wazuh - Security monitoring platform
  - Log analysis
  - Intrusion detection
  - Compliance monitoring
  - Open source
- OSSEC - Host-based intrusion detection
  - Log analysis
  - File integrity checking
  - Rootkit detection
- Elastic Security - SIEM solution
  - Threat detection
  - Investigation
  - Response
- TheHive - Security incident response platform
  - Case management
  - Observable enrichment
  - Task automation
- Cortex - Observable analysis engine
  - Automated analysis
  - Threat intelligence
  - Integration with TheHive
Compliance & Policy:
- Open Policy Agent (OPA) - Policy engine
  - Policy as code
  - Unified framework
  - Cloud-native
- Gatekeeper - OPA for Kubernetes
  - Admission controller
  - Policy enforcement
  - Custom policies
- Kyverno - Kubernetes-native policy management
  - No new language
  - Validation, mutation, generation
  - Easy to use
- Allstar - GitHub security policy enforcement
  - Automated enforcement
  - Configurable policies
  - Organization-wide
Security Automation:
- Security Automation Platform (SOAR) - Automation frameworks
- Ansible Security Automation - Security playbooks
- DefectDojo - Security orchestration
  - Vulnerability management
  - Tool integration
  - Workflow automation
Threat Modeling:
- OWASP Threat Dragon - Threat modeling tool
  - Free and open source
  - Desktop and web
  - Diagrams and reports
- Microsoft Threat Modeling Tool - Microsoft's tool
  - STRIDE methodology
  - Windows application
  - Template-based
- IriusRisk - Threat modeling platform
  - Automated threat modeling
  - Integration with tools
  - Collaboration features
- Threatspec - Threat modeling as code
  - Code-centric
  - Version controlled
  - Developer-friendly
Vulnerability Management:
- DefectDojo - Vulnerability management
- Faraday - Collaborative penetration test platform
- ArcherySec - Vulnerability assessment and management
- OpenVAS - Vulnerability scanner
Security Champions Programs:
- OWASP Security Champions Guide - Building security champions
- Security Champions Playbook - Open source playbook
Open Source Security:
- OpenSSF - Open Source Security Foundation
  - Best practices
  - Scorecards
  - Security tooling
- OpenSSF Scorecard - Security health metrics
  - Automated checks
  - Risk assessment
  - Open source projects
- SBOM Tools - Software Bill of Materials
  - Dependency tracking
  - Supply chain security
  - Compliance
- Sigstore - Software signing
  - Keyless signing
  - Transparency log
  - Open source
Cloud Security:
- AWS Security Hub - Centralized security
- AWS GuardDuty - Threat detection
- AWS Inspector - Vulnerability management
- CloudTrail - Audit logging
- Microsoft Defender for Cloud - Cloud security posture
- Azure Sentinel - SIEM and SOAR
- Azure Policy - Governance
- Security Command Center - Security management
- Cloud Security Scanner - Web vulnerability scanner
- Binary Authorization - Deploy-time security
Platforms & Solutions:
- Snyk - Developer security platform
- Aqua Security - Cloud-native security
- Sysdig - Cloud and container security
- Palo Alto Prisma Cloud - CNAPP platform
- Lacework - Cloud security platform
Community & Resources:
- OWASP Blog - Security news
- The DevSecOps Blog - DevSecOps insights
- Snyk Blog - Developer security
- Aqua Security Blog - Cloud-native security
- Absolute AppSec - Application security
- Application Security Weekly - AppSec news
- Darknet Diaries - True security stories
- DevSecOps Slack - Community chat
- OWASP Slack - OWASP community
- r/netsec - Network security
- r/devops - DevOps community
- DevSecCon - DevSecOps conference
- RSA Conference - Security conference
- Black Hat - InfoSec event
- OWASP Global AppSec - Application security
Related Lists:
- awesome-security - Security resources
- awesome-application-security - Application security
- awesome-kubernetes-security - Kubernetes security
- awesome-cloud-security - Cloud security
- awesome-threat-intelligence - Threat intelligence
Contributing:
Contributions welcome! Please read the contribution guidelines first.
What to contribute:
- DevSecOps tools and platforms
- Security best practices
- Training resources
- Case studies and examples
- Automation scripts and templates
To the extent possible under law, Tyson Cung has waived all copyright and related or neighboring rights to this work.
Star this repo to stay updated with the latest DevSecOps tools and practices!
