访问官网
Github
Huggingface
文档
论文Ultimate DevSecOps library
Contribution rules
If you want to contribute to this library of knowledge please create proper PR (Pull Request) with description what you are adding following these set of rules:
- Clear description of PR (which tool, why, number of stars, maturity and topic)
- Keep it simple - Fill the description properly
- Fact over feelings or personal opinions
- Add source and follow the library style
- Avoid duplicits - one tool, one topic
- Try to make bigger updates then on tool link
- Currently open-source only
- Add only active projects
- Add only security tools
- Report typos as issue not via PR.
Note: Currently this is an early version of the library. I recommend PR after first official release.
DevSecOps library info:
This library contains list of tools and methodologies accompanied with resources. The main goal is to provide to the engineers a guide through opensource DevSecOps tooling. This repository covers only cyber security in the cloud and the DevSecOps scope.
Table of Contents
- Ultimate DevSecOps library
- Table of Contents
- What is DevSecOps
- Tooling
- Methodologies, whitepapers and architecture
- Other
- License
What is DevSecOps
DevSecOps focuses on security automation, testing and enforcement during DevOps - Release - SDLC cycles. The whole meaning behind this methodology is connecting together Development, Security and Operations. DevSecOps is methodology providing different methods, techniques and processes backed mainly with tooling focusing on developer / security experience.
DevSecOps takes care that security is part of every stage of DevOps loop - Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.
Various definitions:
- https://www.redhat.com/en/topics/devops/what-is-devsecops
- https://www.ibm.com/cloud/learn/devsecops
- https://snyk.io/series/devsecops/
- https://www.synopsys.com/glossary/what-is-devsecops.html
- https://spacelift.io/blog/what-is-devsecops
Tooling
Pre-commit time tools
In this section you can find lifecycle helpers, precommit hook tools and threat modeling tools. Threat modeling tools are specific category by themselves allowing you to simulate and discover potential gaps before you start to develop the software or during the process.
Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based on the existing code annotations.
| Name | URL | Description | Meta |
|---|---|---|---|
| git-secrets | https://github.com/awslabs/git-secrets | AWS labs tool preventing you from committing secrets to a git repository |  |
| git-hound | https://github.com/tillson/git-hound | Searchers secrets in git |  |
| goSDL | https://github.com/slackhq/goSDL | Security Development Lifecycle checklist |  |
| ThreatPlaybook | https://github.com/we45/ThreatPlaybook | Threat modeling as code |  |
| Threat Dragon | https://github.com/OWASP/threat-dragon | OWASP Threat modeling tool |  |
| threatspec | https://github.com/threatspec/threatspec | Threat modeling as code |  |
| pytm | https://github.com/izar/pytm | A Pythonic framework for threat modeling |  |
| Threagile | https://github.com/Threagile/threagile | A Go framework for threat modeling |  |
| MAL-lang | https://mal-lang.org/#what | A language to create cyber threat modeling systems for specific domains |  |
| Microsoft Threat modeling tool | https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool | Microsoft threat modeling tool |  |
| Talisman | https://github.com/thoughtworks/talisman | A tool to detect and prevent secrets from getting checked in |  |
| SEDATED | https://github.com/OWASP/SEDATED | The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git. |  |
| Sonarlint | https://github.com/SonarSource/sonarlint-core | Sonar linting utility for IDE |  |
| DevSkim | https://github.com/microsoft/DevSkim | DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis |  |
| detect-secrets | https://github.com/Yelp/detect-secrets | Detects secrets in your codebase |  |
| tflint | https://github.com/terraform-linters/tflint | A Pluggable Terraform Linter |  |
| Steampipe Code Plugin | https://github.com/turbot/steampipe-plugin-code | Use SQL to detect secrets from source code and data sources. |  |
Secrets management
Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of passwords, certificates, configuration values and other types of secrets.
| Name | URL | Description | Meta |
|---|---|---|---|
| GitLeaks | https://github.com/zricethezav/gitleaks | Gitleaks is a scanning tool for detecting hardcoded secrets |  |
| ggshield | https://github.com/gitguardian/ggshield | GitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files. |  |
| TruffleHog | https://github.com/trufflesecurity/truffleHog | TruffleHog is a scanning tool for detecting hardcoded secrets |  |
| Hashicorp Vault | https://github.com/hashicorp/vault | Hashicorp Vault secrets management |  |
| Mozilla SOPS | https://github.com/mozilla/sops | Mozilla Secrets Operations |  |
| AWS secrets manager GH action | https://github.com/marketplace/actions/aws-secrets-manager-actions | AWS secrets manager docs |  |
| GitRob | https://github.com/michenriksen/gitrob | Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github |  |
| git-wild-hunt | https://github.com/d1vious/git-wild-hunt | A tool to hunt for credentials in the GitHub |  |
| aws-vault | https://github.com/99designs/aws-vault | AWS Vault is a tool to securely store and access AWS credentials in a development environment |  |
| Knox | https://github.com/pinterest/knox | Knox is a service for storing and rotation of secrets, keys, and passwords used by other services |  |
| Chef vault | https://github.com/chef/chef-vault | allows you to encrypt a Chef Data Bag Item |  |
| Ansible vault | Ansible vault docs | Encryption/decryption utility for Ansible data files |  |
OSS and Dependency management
Dependency security testing and analysis is very important part of discovering supply chain attacks. SBOM creation and following dependency scanning (Software composition analysis) is critical part of continuous integration (CI). Data series and data trends tracking should be part of CI tooling. You need to know what you produce and what you consume in context of libraries and packages.
| Name | URL | Description | Meta |
|---|---|---|---|
| CycloneDX | https://github.com/orgs/CycloneDX/repositories | CycloneDX format for SBOM |  |
| cdxgen | https://github.com/AppThreat/cdxgen | Generates CycloneDX SBOM, supports many languages and package managers. |  |
| SPDX | https://github.com/spdx/spdx-spec | SPDX format for SBOM - Software Package Data Exchange |  |
| Snyk | https://github.com/snyk/snyk | Snyk scans and monitors your projects for security vulnerabilities |  |
| vulncost | https://github.com/snyk/vulncost | Security Scanner for VS Code |  |
| Dependency Combobulator | https://github.com/apiiro/combobulator | Dependency-related attacks detection and prevention through heuristics and insight engine (support multiple dependency schemes) |  |
| DependencyTrack | https://github.com/DependencyTrack/dependency-track | Dependency security tracking platform |  |
| DependencyCheck | https://github.com/jeremylong/DependencyCheck | Simple dependency security scanner good for CI |  |
| Retire.js | https://github.com/retirejs/retire.js/ | Helps developers to detect the use of JS-library versions with known vulnerabilities |  |
| PHP security checker | https://github.com/fabpot/local-php-security-checker | Check vulnerabilities in PHP dependencies |  |
| bundler-audit | https://github.com/rubysec/bundler-audit | Patch-level verification for bundler | 
