DevSecOps library



What is DevSecOps

DevSecOps focuses on security automation, testing, and enforcement throughout the DevOps, release and SDLC cycles. The core idea of the methodology is bringing Development, Security, and Operations together. DevSecOps provides methods, techniques, and processes, backed mainly by tooling, that focus on the developer and security experience.

DevSecOps takes care that security is part of every stage of the DevOps loop - Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

Various definitions:

Tooling

Pre-commit time tools

In this section, you can find lifecycle helpers, pre-commit hook tools, and threat modeling tools. Threat modeling tools form a category of their own; they let you simulate and discover potential gaps before you start developing the software or while development is in progress.

Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based on the existing code annotations.

Name | URL | Description
git-secrets | https://github.com/awslabs/git-secrets | AWS Labs tool preventing you from committing secrets to a git repository
git-hound | https://github.com/tillson/git-hound | Searches for secrets in git
goSDL | https://github.com/slackhq/goSDL | Security Development Lifecycle checklist
ThreatPlaybook | https://github.com/we45/ThreatPlaybook | Threat modeling as code
Threat Dragon | https://github.com/OWASP/threat-dragon | OWASP threat modeling tool
threatspec | https://github.com/threatspec/threatspec | Threat modeling as code
pytm | https://github.com/izar/pytm | A Pythonic framework for threat modeling
Threagile | https://github.com/Threagile/threagile | A Pythonic framework for threat modeling
MAL-lang | https://mal-lang.org/#what | A language to create cyber threat modeling systems for specific domains
Microsoft Threat Modeling Tool | https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool | Microsoft threat modeling tool
Talisman | https://github.com/thoughtworks/talisman | A tool to detect and prevent secrets from getting checked in
SEDATED | https://github.com/OWASP/SEDATED | The SEDATED Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git
Sonarlint | https://github.com/SonarSource/sonarlint-core | Sonar linting utility for IDEs
DevSkim | https://github.com/microsoft/DevSkim | DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis
detect-secrets | https://github.com/Yelp/detect-secrets | Detects secrets in your codebase
tflint | https://github.com/terraform-linters/tflint | A pluggable Terraform linter


Secrets management

Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of passwords, certificates, configuration values, and other types of secrets.

Name | URL | Description
GitLeaks | https://github.com/zricethezav/gitleaks | Gitleaks is a scanning tool for detecting hard-coded secrets
TruffleHog | https://github.com/trufflesecurity/truffleHog | TruffleHog is a scanning tool for detecting hard-coded secrets
Hashicorp Vault | https://github.com/hashicorp/vault | Hashicorp Vault secrets management
Mozilla SOPS | https://github.com/mozilla/sops | Mozilla Secrets Operations
AWS Secrets Manager GH action | https://github.com/marketplace/actions/aws-secrets-manager-actions | AWS Secrets Manager GitHub Action (docs)
GitRob | https://github.com/michenriksen/gitrob | Gitrob is a tool to help find potentially sensitive files pushed to public repositories on GitHub
git-wild-hunt | https://github.com/d1vious/git-wild-hunt | A tool to hunt for credentials on GitHub
aws-vault | https://github.com/99designs/aws-vault | AWS Vault is a tool to securely store and access AWS credentials in a development environment
Knox | https://github.com/pinterest/knox | Knox is a service for storing and rotating secrets, keys, and passwords used by other services
Chef vault | https://github.com/chef/chef-vault | Allows you to encrypt a Chef Data Bag Item
Ansible vault | Ansible vault docs | Encryption/decryption utility for Ansible data files


OSS and Dependency management

Dependency security testing and analysis are a very important part of discovering supply chain attacks. SBOM creation followed by dependency scanning (software composition analysis) is a critical part of continuous integration (CI). Tracking data series and trends over time should be part of the CI tooling. You need to know what you produce and what you consume in terms of libraries and packages.

Name | URL | Description
CycloneDX | https://github.com/orgs/CycloneDX/repositories | CycloneDX format for SBOM
SPDX | https://github.com/spdx/spdx-spec | SPDX format for SBOM (Software Package Data Exchange)
Snyk | https://github.com/snyk/snyk | Snyk scans and monitors your projects for security vulnerabilities
vulncost | https://github.com/snyk/vulncost | Security scanner for VS Code
Dependency Combobulator | https://github.com/apiiro/combobulator | Dependency-related attack detection and prevention through heuristics and an insight engine (supports multiple dependency schemes)
DependencyTrack | https://github.com/DependencyTrack/dependency-track | Dependency security tracking platform
DependencyCheck | https://github.com/jeremylong/DependencyCheck | Simple dependency security scanner, good for CI
Retire.js | https://github.com/retirejs/retire.js/ | Helps developers detect the use of JS library versions with known vulnerabilities
PHP security checker | https://github.com/fabpot/local-php-security-checker | Check vulnerabilities in PHP dependencies
bundler-audit | https://github.com/rubysec/bundler-audit | Patch-level verification for Bundler
gemnasium | https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium | Dependency Scanning Analyzer based on Gemnasium
Dependabot | https://github.com/dependabot/dependabot-core | Automated dependency updates built into GitHub, providing security alerts
Renovatebot | https://github.com/renovatebot/renovate | Automated dependency updates and patches, multi-platform and multi-language
npm-check | https://www.npmjs.com/package/npm-check | Check for outdated, incorrect, and unused dependencies

Supply chain specific tools

The supply chain is often the target of attacks. Which libraries you use can have a massive impact on the security of the final product (artifacts). CI (continuous integration) must be monitored inside the tasks and jobs of the pipeline steps. Integrity checks must be stored outside the system and, in the ideal case, several validation runs comparing integrity hashes or attestations must be performed.

Name | URL | Description
Tekton chains | https://github.com/tektoncd/chains | Kubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton
in-toto | https://github.com/in-toto/attestation/tree/v0.1.0/spec | An in-toto attestation is authenticated metadata about one or more software artifacts
SLSA | Official GitHub link | Supply-chain Levels for Software Artifacts
kritis | https://github.com/grafeas/kritis | Solution for securing your software supply chain for Kubernetes apps
ratify | https://github.com/deislabs/ratify | Artifact Ratification Framework

SAST

Static code review tools work with source code, looking for known patterns and relationships among methods, variables, classes, and libraries. SAST works on the raw code and usually not on built packages.

Name | URL | Description
Brakeman | https://github.com/presidentbeef/brakeman | Brakeman is a static analysis tool that checks Ruby on Rails applications for security vulnerabilities
Semgrep | https://semgrep.dev/ | High-quality open-source SAST that works on 17+ languages
Bandit | https://github.com/PyCQA/bandit | Python-specific SAST tool
libsast | https://github.com/ajinabraham/libsast | Generic SAST for security engineers, powered by a regex-based pattern matcher and the semantics-aware semgrep
ESLint | https://eslint.org/ | Find and fix problems in your JavaScript code
nodejsscan | https://github.com/ajinabraham/nodejsscan | Node.js SAST scanner with GUI
FindSecurityBugs | https://find-sec-bugs.github.io/ | The SpotBugs plugin for security audits of Java web applications
SonarQube community | https://github.com/SonarSource/sonarqube | Detect security issues in code review with Static Application Security Testing (SAST)
gosec | https://github.com/securego/gosec | Inspects source code for security problems by scanning the Go AST

OWASP curated list of SAST tools: https://owasp.org/www-community/Source_Code_Analysis_Tools


DAST

Dynamic application security testing (DAST) is a type of application testing (in most cases web) that checks your application from the outside by active communication and analysis of the responses based on injected inputs. DAST tools rely on inputs and outputs to operate. A DAST tool uses these to check for security problems while the software is actually running and is actively deployed on the server (or serverless function).

Name | URL | Description
ZAP proxy | https://owasp.org/www-project-zap/ | ZAP proxy, providing various Docker containers for CI/CD pipelines
Wapiti | https://github.com/wapiti-scanner/wapiti | Lightweight pipeline-ready scanning tool
Nuclei | https://github.com/projectdiscovery/nuclei | Template-based security scanning tool
purpleteam | https://github.com/purpleteam-labs/purpleteam | CLI DAST tool, incubator project
oss-fuzz | https://github.com/google/oss-fuzz | OSS-Fuzz: continuous fuzzing for open source software
nikto | https://github.com/sullo/nikto | Nikto web server scanner
skipfish | https://code.google.com/archive/p/skipfish/ | Skipfish is an active web application security reconnaissance tool


Continuous deployment security

Name | URL | Description
SecureCodeBox | https://github.com/secureCodeBox/secureCodeBox | Toolchain for continuous scanning of applications and infrastructure
OpenSCAP | https://github.com/OpenSCAP/openscap | Open Source Security Compliance Solution

Kubernetes

Name | URL | Description
KubiScan | https://github.com/cyberark/KubiScan | A tool for scanning a Kubernetes cluster for risky permissions
Kubeaudit | https://github.com/Shopify/kubeaudit | Audit Kubernetes clusters for various security concerns
Kubescape | https://github.com/armosec/kubescape | The first open-source tool for testing whether Kubernetes is deployed according to the NSA-CISA and MITRE ATT&CK frameworks
kubesec | https://github.com/controlplaneio/kubesec | Security risk analysis for Kubernetes resources
kube-bench | https://github.com/aquasecurity/kube-bench | Kubernetes benchmarking tool
kube-score | https://github.com/zegl/kube-score | Static code analysis of your Kubernetes object definitions
kube-hunter | https://github.com/aquasecurity/kube-hunter | Active scanner for k8s (purple)
Calico | https://github.com/projectcalico/calico | Calico is an open-source networking and network security solution for containers
Kyverno | https://github.com/kyverno/kyverno/ | Kyverno is a policy engine designed for Kubernetes
Krane | https://github.com/appvia/krane | Simple Kubernetes RBAC static analysis tool
Starboard | https://github.com/aquasecurity/starboard | Starboard integrates security tools by storing their outputs in Kubernetes CRDs
Gatekeeper | https://github.com/open-policy-agent/gatekeeper | Open Policy Agent Gatekeeper for k8s
Inspektor-gadget | https://github.com/kinvolk/inspektor-gadget | Collection of tools (or gadgets) to debug and inspect k8s
kube-linter | https://github.com/stackrox/kube-linter | Static analysis for Kubernetes

Containers

Name | URL | Description
Harbor | https://github.com/goharbor/harbor | Trusted cloud native registry project
Anchore | https://github.com/anchore/anchore-engine | Centralized service for inspection, analysis, and certification of container images
Clair | https://github.com/quay/clair | Docker vulnerability scanner
Deepfence ThreatMapper | https://github.com/deepfence/ThreatMapper | Apache v2, powerful runtime vulnerability scanner for Kubernetes, virtual machines, and serverless
Docker bench | https://github.com/docker/docker-bench-security | Docker benchmarking against CIS
Falco | https://github.com/falcosecurity/falco | Container runtime protection
Trivy | https://github.com/aquasecurity/trivy | Comprehensive scanner for vulnerabilities in container images
Notary | https://github.com/notaryproject/notary | Docker signing
Cosign | https://github.com/sigstore/cosign | Container signing
watchtower | https://github.com/containrrr/watchtower | Updates the running version of your containerized app


Multi-Cloud

Name | URL | Description
Cloudsploit | https://github.com/aquasecurity/cloudsploit | Detection of security risks in cloud infrastructure
ScoutSuite | https://github.com/nccgroup/ScoutSuite | NCC Group multi-cloud scanning tool
CloudCustodian | https://github.com/cloud-custodian/cloud-custodian/ | Multi-cloud security analysis framework


AWS

AWS-specific DevSecOps tooling. Tools here cover different areas like inventory management, misconfiguration scanning, or IAM roles and policies review.

Name | URL | Description
Dragoneye | https://github.com/indeni/dragoneye | Dragoneye Indeni AWS scanner
Prowler | https://github.com/toniblyx/prowler | Prowler is a command-line tool that helps with AWS security assessment, auditing, hardening, and incident response
aws-inventory | https://github.com/nccgroup/aws-inventory | Helps to discover all AWS resources created in an account
PacBot | https://github.com/tmobile/pacbot | Policy as Code Bot (PacBot)
Komiser | https://github.com/mlabouardy/komiser | Monitoring dashboard for costs and security
Cloudsplaining | https://github.com/salesforce/cloudsplaining | IAM analysis framework
ElectricEye | https://github.com/jonrau1/ElectricEye | Continuously monitor your AWS services for configurations
Cloudmapper | https://github.com/duo-labs/cloudmapper | CloudMapper helps you analyze your Amazon Web Services (AWS) environments
cartography | https://github.com/lyft/cartography | Consolidates AWS infrastructure assets and the relationships between them in an intuitive graph
policy_sentry | https://github.com/salesforce/policy_sentry | IAM Least Privilege Policy Generator
AirIAM | https://github.com/bridgecrewio/AirIAM | IAM Least Privilege analyzer and Terraformer
StreamAlert | https://github.com/airbnb/streamalert | AirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert
CloudQuery | https://github.com/cloudquery/cloudquery/ | AirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert
S3Scanner | https://github.com/sa7mon/S3Scanner/ | A tool to find open S3 buckets and dump their contents
aws-iam-authenticator | https://github.com/kubernetes-sigs/aws-iam-authenticator/ | A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster
kube2iam | https://github.com/jtblin/kube2iam/ | A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster
AWS open source security samples | Official AWS open source | Collection of official AWS open-source resources


Google cloud platform

GCP-specific DevSecOps tooling. Tools here cover different areas like inventory management, misconfiguration scanning, or IAM roles and policies review.

Name | URL | Description
Forseti | https://github.com/forseti-security/forseti-security | Complex security orchestration and scanning platform

Policy as code

Policy as code is the idea of writing code in a high-level language to manage and automate policies. By representing policies as code in text files, proven software development best practices can be adopted such as version control, automated testing, and automated deployment. (Source: https://docs.hashicorp.com/sentinel/concepts/policy-as-code)

Name | URL | Description
Open Policy Agent | https://github.com/open-policy-agent/opa | General-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack
Inspec | https://github.com/inspec/inspec | Chef InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security, and policy requirements
CloudFormation Guard | https://github.com/aws-cloudformation/cloudformation-guard | CloudFormation policy as code


Chaos engineering

Chaos Engineering is the discipline of experimenting on a system in order to build confidence in the system’s capability to withstand turbulent conditions in production.

Reading and manifestos: https://principlesofchaos.org/

Name | URL | Description
chaos-mesh | https://github.com/chaos-mesh/chaos-mesh | A cloud-native Chaos Engineering platform that orchestrates chaos in Kubernetes environments
chaos monkey | https://netflix.github.io/chaosmonkey/ | Chaos Monkey is responsible for randomly terminating instances in production to ensure that engineers implement their services to be resilient to instance failures
chaoskube | https://github.com/linki/chaoskube | Test how your system behaves under arbitrary pod failures
Kube-Invaders | https://github.com/lucky-sideburn/KubeInvaders | Gamified chaos engineering tool for Kubernetes
kube-monkey | https://github.com/asobti/kube-monkey | Gamified chaos engineering tool for Kubernetes
Gremlin | https://github.com/gremlin/gremlin-python | Chaos engineering SaaS platform with a free plan and some open-source libraries
AWS FIS samples | https://github.com/aws-samples/aws-fault-injection-simulator-samples | AWS Fault Injection Simulator samples
CloudNuke | https://github.com/gruntwork-io/cloud-nuke | CLI tool to delete all resources in an AWS account

Infrastructure as code security

Scanning your infrastructure while it is still only code helps shift security left. Many tools offer in-IDE scanning and provide real-time advice to cloud engineers.

Name | URL | Description
KICS | https://github.com/Checkmarx/kics | Checkmarx open-source security testing for IaC
Checkov | https://github.com/bridgecrewio/checkov | Checkov is a static code analysis tool for infrastructure-as-code
tfsec | https://github.com/aquasecurity/tfsec | tfsec uses static analysis of your Terraform templates to spot potential security issues; now with Terraform CDK support
terrascan | https://github.com/accurics/terrascan | Terrascan is a static code analyzer for Infrastructure as Code
cfsec | https://github.com/aquasecurity/cfsec | cfsec scans CloudFormation configuration files for security issues
cfn_nag | https://github.com/stelligent/cfn_nag | Looks for insecure patterns in CloudFormation
Sysdig IaC scanner action | https://github.com/sysdiglabs/cloud-iac-scanner-action | Scans your repository with the Sysdig IaC Scanner and reports the vulnerabilities


Orchestration

Event-driven security helps to drive, automate, and execute tasks for security processes. The tools here are not dedicated security tools, but they help automate and orchestrate security tasks, or are part of most modern security automation frameworks and tools.

Name | URL | Description
StackStorm | https://github.com/StackStorm/st2 | Platform for integration and automation across services and tools, supporting event-driven security
Camunda | https://github.com/camunda/camunda-bpm-platform | Workflow and process automation
DefectDojo | https://github.com/DefectDojo/django-DefectDojo | Security orchestration and vulnerability management platform

Bhanugopal Dash

iCORE-CIS at Wipro || Azure Devops || Azure Developer/Administrator

1 year

A well organised and really cool explanation about devsecops tools in 2022. Please create more articles bro.
