Project Icon

DevSecOps

DevSecOps工具库与最佳实践方法论

该项目整理了一套完整的DevSecOps开源工具和方法论资源库。内容涵盖软件开发全生命周期,包括预提交检查、秘密管理、依赖分析、容器和云安全等多个领域。此外还介绍了威胁建模、混沌工程等前沿理念。旨在为开发人员提供实用的DevSecOps实践指南,助力在各个阶段融入安全措施。

Ultimate DevSecOps library

Contribution rules

If you want to contribute to this library of knowledge please create proper PR (Pull Request) with description what you are adding following these set of rules:

  • Clear description of PR (which tool, why, number of stars, maturity and topic)
  • Keep it simple - Fill the description properly
  • Fact over feelings or personal opinions
  • Add source and follow the library style
  • Avoid duplicits - one tool, one topic
  • Try to make bigger updates then on tool link
  • Currently open-source only
  • Add only active projects
  • Add only security tools
  • Report typos as issue not via PR.

Note: Currently this is an early version of the library. I recommend PR after first official release.

DevSecOps library info:

stars watchers watchers

This library contains list of tools and methodologies accompanied with resources. The main goal is to provide to the engineers a guide through opensource DevSecOps tooling. This repository covers only cyber security in the cloud and the DevSecOps scope.

Table of Contents

What is DevSecOps

DevSecOps focuses on security automation, testing and enforcement during DevOps - Release - SDLC cycles. The whole meaning behind this methodology is connecting together Development, Security and Operations. DevSecOps is methodology providing different methods, techniques and processes backed mainly with tooling focusing on developer / security experience.

DevSecOps takes care that security is part of every stage of DevOps loop - Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

Various definitions:

Tooling

Pre-commit time tools

In this section you can find lifecycle helpers, precommit hook tools and threat modeling tools. Threat modeling tools are specific category by themselves allowing you to simulate and discover potential gaps before you start to develop the software or during the process.

Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based on the existing code annotations.

NameURLDescriptionMeta
git-secretshttps://github.com/awslabs/git-secretsAWS labs tool preventing you from committing secrets to a git repositoryGit Secrets
git-houndhttps://github.com/tillson/git-houndSearchers secrets in gitgit-hound
goSDLhttps://github.com/slackhq/goSDLSecurity Development Lifecycle checklistgoSDL
ThreatPlaybookhttps://github.com/we45/ThreatPlaybookThreat modeling as codeGitLeaks
Threat Dragonhttps://github.com/OWASP/threat-dragonOWASP Threat modeling toolThreatDragon
threatspechttps://github.com/threatspec/threatspecThreat modeling as codethreatspec
pytmhttps://github.com/izar/pytmA Pythonic framework for threat modelingpytm
Threagilehttps://github.com/Threagile/threagileA Go framework for threat modelingThreagile
MAL-langhttps://mal-lang.org/#what A language to create cyber threat modeling systems for specific domainsMal
Microsoft Threat modeling toolhttps://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-toolMicrosoft threat modeling toolMS Threat modeling tool
Talismanhttps://github.com/thoughtworks/talismanA tool to detect and prevent secrets from getting checked inTalisman
SEDATEDhttps://github.com/OWASP/SEDATEDThe SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git.Talisman
Sonarlinthttps://github.com/SonarSource/sonarlint-coreSonar linting utility for IDESonarlint
DevSkimhttps://github.com/microsoft/DevSkimDevSkim is a framework of IDE extensions and language analyzers that provide inline security analysisDevSkim
detect-secretshttps://github.com/Yelp/detect-secretsDetects secrets in your codebaseDevSkim
tflinthttps://github.com/terraform-linters/tflintA Pluggable Terraform Lintertflint
Steampipe Code Pluginhttps://github.com/turbot/steampipe-plugin-codeUse SQL to detect secrets from source code and data sources.GitHub stars

Secrets management

Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of passwords, certificates, configuration values and other types of secrets.

NameURLDescriptionMeta
GitLeakshttps://github.com/zricethezav/gitleaksGitleaks is a scanning tool for detecting hardcoded secretsGitLeaks
ggshieldhttps://github.com/gitguardian/ggshieldGitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files.ggshield
TruffleHoghttps://github.com/trufflesecurity/truffleHogTruffleHog is a scanning tool for detecting hardcoded secretsTruffleHog
Hashicorp Vaulthttps://github.com/hashicorp/vaultHashicorp Vault secrets managementVault
Mozilla SOPShttps://github.com/mozilla/sops Mozilla Secrets OperationsSOPS
AWS secrets manager GH actionhttps://github.com/marketplace/actions/aws-secrets-manager-actionsAWS secrets manager docsAWS Secrets manager action
GitRobhttps://github.com/michenriksen/gitrobGitrob is a tool to help find potentially sensitive files pushed to public repositories on GithubGitRob
git-wild-hunthttps://github.com/d1vious/git-wild-huntA tool to hunt for credentials in the GitHubgit-wild-hunt
aws-vaulthttps://github.com/99designs/aws-vaultAWS Vault is a tool to securely store and access AWS credentials in a development environmentaws-vault
Knoxhttps://github.com/pinterest/knoxKnox is a service for storing and rotation of secrets, keys, and passwords used by other servicesKnox
Chef vaulthttps://github.com/chef/chef-vaultallows you to encrypt a Chef Data Bag ItemChef vault
Ansible vaultAnsible vault docsEncryption/decryption utility for Ansible data filesAnsible vault

OSS and Dependency management

Dependency security testing and analysis is very important part of discovering supply chain attacks. SBOM creation and following dependency scanning (Software composition analysis) is critical part of continuous integration (CI). Data series and data trends tracking should be part of CI tooling. You need to know what you produce and what you consume in context of libraries and packages.

NameURLDescriptionMeta
CycloneDXhttps://github.com/orgs/CycloneDX/repositoriesCycloneDX format for SBOMCycloneDX
cdxgenhttps://github.com/AppThreat/cdxgenGenerates CycloneDX SBOM, supports many languages and package managers.CycloneDX
SPDXhttps://github.com/spdx/spdx-specSPDX format for SBOM - Software Package Data ExchangeSpDX
Snykhttps://github.com/snyk/snykSnyk scans and monitors your projects for security vulnerabilitiesSnyk
vulncosthttps://github.com/snyk/vulncostSecurity Scanner for VS CodeVulncost
Dependency Combobulatorhttps://github.com/apiiro/combobulatorDependency-related attacks detection and prevention through heuristics and insight engine (support multiple dependency schemes)Combobulator
DependencyTrackhttps://github.com/DependencyTrack/dependency-trackDependency security tracking platformDependencyTrack
DependencyCheckhttps://github.com/jeremylong/DependencyCheckSimple dependency security scanner good for CIDependencyCheck
Retire.jshttps://github.com/retirejs/retire.js/Helps developers to detect the use of JS-library versions with known vulnerabilitiesRetire.js
PHP security checkerhttps://github.com/fabpot/local-php-security-checkerCheck vulnerabilities in PHP dependenciesRetire.js
bundler-audithttps://github.com/rubysec/bundler-auditPatch-level verification for bundler![Bundler
项目侧边栏1项目侧边栏2
推荐项目
Project Cover

豆包MarsCode

豆包 MarsCode 是一款革命性的编程助手,通过AI技术提供代码补全、单测生成、代码解释和智能问答等功能,支持100+编程语言,与主流编辑器无缝集成,显著提升开发效率和代码质量。

Project Cover

问小白

问小白是一个基于 DeepSeek R1 模型的智能对话平台,专为用户提供高效、贴心的对话体验。实时在线,支持深度思考和联网搜索。免费不限次数,帮用户写作、创作、分析和规划,各种任务随时完成!

Project Cover

白日梦AI

白日梦AI提供专注于AI视频生成的多样化功能,包括文生视频、动态画面和形象生成等,帮助用户快速上手,创造专业级内容。

Project Cover

有言AI

有言平台提供一站式AIGC视频创作解决方案,通过智能技术简化视频制作流程。无论是企业宣传还是个人分享,有言都能帮助用户快速、轻松地制作出专业级别的视频内容。

Project Cover

讯飞绘镜

讯飞绘镜是一个支持从创意到完整视频创作的智能平台,用户可以快速生成视频素材并创作独特的音乐视频和故事。平台提供多样化的主题和精选作品,帮助用户探索创意灵感。

Project Cover

讯飞文书

讯飞文书依托讯飞星火大模型,为文书写作者提供从素材筹备到稿件撰写及审稿的全程支持。通过录音智记和以稿写稿等功能,满足事务性工作的高频需求,帮助撰稿人节省精力,提高效率,优化工作与生活。

Project Cover

阿里绘蛙

绘蛙是阿里巴巴集团推出的革命性AI电商营销平台。利用尖端人工智能技术,为商家提供一键生成商品图和营销文案的服务,显著提升内容创作效率和营销效果。适用于淘宝、天猫等电商平台,让商品第一时间被种草。

Project Cover

Trae

Trae是一种自适应的集成开发环境(IDE),通过自动化和多元协作改变开发流程。利用Trae,团队能够更快速、精确地编写和部署代码,从而提高编程效率和项目交付速度。Trae具备上下文感知和代码自动完成功能,是提升开发效率的理想工具。

Project Cover

AIWritePaper论文写作

AIWritePaper论文写作是一站式AI论文写作辅助工具,简化了选题、文献检索至论文撰写的整个过程。通过简单设定,平台可快速生成高质量论文大纲和全文,配合图表、参考文献等一应俱全,同时提供开题报告和答辩PPT等增值服务,保障数据安全,有效提升写作效率和论文质量。

投诉举报邮箱: service@vectorlightyear.com
@2024 懂AI·鲁ICP备2024100362号-6·鲁公网安备37021002001498号