• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    迪恩网络公众号

sottlmarek/DevSecOps: Ultimate DevSecOps library

原作者: [db:作者] 来自: 网络 收藏 邀请

开源软件名称(OpenSource Name):

sottlmarek/DevSecOps

开源软件地址(OpenSource Url):

https://github.com/sottlmarek/DevSecOps

开源编程语言(OpenSource Language):


开源软件介绍(OpenSource Introduction):

Ultimate DevSecOps library

Contribution rules

If you want to contribute to this library of knowledge please create proper PR (Pull Request) with description what you are adding following these set of rules:

  • Clear description of PR (which tool, why, number of stars, maturity and topic)
  • Keep it simple - Fill the description properly
  • Fact over feelings or personal opinions
  • Add source and follow the library style
  • Avoid duplicits - one tool, one topic
  • Try to make bigger updates then on tool link
  • Currently open-source only
  • Add only active projects
  • Add only security tools
  • Report typos as issue not via PR.

Note: Currently this is an early version of the library. I recommend PR after first official release.

DevSecOps library info:

stars watchers watchers

This library contains list of tools and methodologies accompanied with resources. The main goal is to provide to the engineers a guide through opensource DevSecOps tooling. This repository covers only cyber security in the cloud and the DevSecOps scope.

Table of Contents

What is DevSecOps

DevSecOps focuses on security automation, testing and enforcement during DevOps - Release - SDLC cycles. The whole meaning behind this methodology is connecting together Development, Security and Operations. DevSecOps is methodology providing different methods, techniques and processes backed mainly with tooling focusing on developer / security experience.

DevSecOps takes care that security is part of every stage of DevOps loop - Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

Various definitions:

Tooling

Pre-commit time tools

In this section you can find lifecycle helpers, precommit hook tools and threat modeling tools. Threat modeling tools are specific category by themselves allowing you to simulate and discover potential gaps before you start to develop the software or during the process.

Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based on the existing code annotations.

Name URL Description Meta
git-secrets https://github.com/awslabs/git-secrets AWS labs tool preventing you from committing secrets to a git repository Git Secrets
git-hound https://github.com/tillson/git-hound Searchers secrets in git git-hound
goSDL https://github.com/slackhq/goSDL Security Development Lifecycle checklist goSDL
ThreatPlaybook https://github.com/we45/ThreatPlaybook Threat modeling as code GitLeaks
Threat Dragon https://github.com/OWASP/threat-dragon OWASP Threat modeling tool ThreatDragon
threatspec https://github.com/threatspec/threatspec Threat modeling as code threatspec
pytm https://github.com/izar/pytm A Pythonic framework for threat modeling pytm
Threagile https://github.com/Threagile/threagile A Go framework for threat modeling Threagile
MAL-lang https://mal-lang.org/#what A language to create cyber threat modeling systems for specific domains Mal
Microsoft Threat modeling tool https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool Microsoft threat modeling tool MS Threat modeling tool
Talisman https://github.com/thoughtworks/talisman A tool to detect and prevent secrets from getting checked in Talisman
SEDATED https://github.com/OWASP/SEDATED The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git. Talisman
Sonarlint https://github.com/SonarSource/sonarlint-core Sonar linting utility for IDE Sonarlint
DevSkim https://github.com/microsoft/DevSkim DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis DevSkim
detect-secrets https://github.com/Yelp/detect-secrets Detects secrets in your codebase DevSkim
tflint https://github.com/terraform-linters/tflint A Pluggable Terraform Linter tflint

Secrets management

Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of passwords, certificates, configuration values and other types of secrets.

Name URL Description Meta
GitLeaks https://github.com/zricethezav/gitleaks Gitleaks is a scanning tool for detecting hardcoded secrets GitLeaks
ggshield https://github.com/gitguardian/ggshield GitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files. ggshield
TruffleHog https://github.com/trufflesecurity/truffleHog TruffleHog is a scanning tool for detecting hardcoded secrets TruffleHog
Hashicorp Vault https://github.com/hashicorp/vault Hashicorp Vault secrets management Vault
Mozilla SOPS https://github.com/mozilla/sops Mozilla Secrets Operations SOPS
AWS secrets manager GH action https://github.com/marketplace/actions/aws-secrets-manager-actions AWS secrets manager docs AWS Secrets manager action
GitRob https://github.com/michenriksen/gitrob Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github GitRob
git-wild-hunt https://github.com/d1vious/git-wild-hunt A tool to hunt for credentials in the GitHub git-wild-hunt
aws-vault https://github.com/99designs/aws-vault AWS Vault is a tool to securely store and access AWS credentials in a development environment aws-vault
Knox https://github.com/pinterest/knox Knox is a service for storing and rotation of secrets, keys, and passwords used by other services Knox
Chef vault https://github.com/chef/chef-vault allows you to encrypt a Chef Data Bag Item Chef vault
Ansible vault Ansible vault docs Encryption/decryption utility for Ansible data files Ansible vault

OSS and Dependency management

Dependency security testing and analysis is very important part of discovering supply chain attacks. SBOM creation and following dependency scanning (Software composition analysis) is critical part of continuous integration (CI). Data series and data trends tracking should be part of CI tooling. You need to know what you produce and what you consume in context of libraries and packages.

Name URL Description Meta
CycloneDX https://github.com/orgs/CycloneDX/repositories CycloneDX format for SBOM CycloneDX
SPDX https://github.com/spdx/spdx-spec SPDX format for SBOM - Software Package Data Exchange SpDX
Snyk https://github.com/snyk/snyk Snyk scans and monitors your projects for security vulnerabilities Snyk
vulncost https://github.com/snyk/vulncost Security Scanner for VS Code Vulncost
Dependency Combobulator https://github.com/apiiro/combobulator Dependency-related attacks detection and prevention through heuristics and insight engine (support multiple dependency schemes) Combobulator
DependencyTrack https://github.com/DependencyTrack/dependency-track Dependency security tracking platform DependencyTrack
DependencyCheck https://github.com/jeremylong/DependencyCheck Simple dependency security scanner good for CI DependencyCheck
Retire.js https://github.com/retirejs/retire.js/ Helps developers to detect the use of JS-library versions with known vulnerabilities Retire.js
PHP security checker https://github.com/fabpot/local-php-security-checker Check vulnerabilities in PHP dependencies Retire.js
bundler-audit https://github.com/rubysec/bundler-audit Patch-level verification for bundler Bundler audit
gemnasium https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium Dependency Scanning Analyzer based on Gemnasium
Dependabot https://github.com/dependabot/dependabot-core Automated dependency updates built into GitHub providing security alerts Dependabot
Renovatebot https://github.com/renovatebot/renovate Automated dependency updates, patches multi-platform and multi-language Renovatebot
npm-check https://www.npmjs.com/package/npm-check Check for outdated, incorrect, and unused dependencies. npm-check

Supply chain specific tools

Supply chain is often the target of attacks. Which libraries you use can have a massive impact on security of the final product (artifacts). CI (continuous integration) must be monitored inside the tasks and jobs in pipeline steps. Integrity checks must be stored out of the system and in ideal case several validation runs with comparison of integrity hashes / or attestation must be performed.

Name URL Description Meta
Tekton chains https://github.com/tektoncd/chains Kubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton. Chains
in-toto https://github.com/in-toto/attestation/tree/v0.1.0/spec An in-toto attestation is authenticated metadata about one or more software artifacts in-toto
SLSA Official GitHub link Supply-chain Levels for Software Artifacts SLSA
kritis https://github.com/grafeas/kritis Solution for securing your software supply chain for Kubernetes apps Kritis
ratify https://github.com/deislabs/ratify Artifact Ratification Framework ratify

SAST

Static code review tools working with source code and looking for known patterns and relationships of methods, variables, classes and libraries. SAST works with the raw code and usually not with build packages.

Name URL Description Meta
Brakeman https://github.com/presidentbeef/brakeman Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities Brakeman
Semgrep https://semgrep.dev/ Hi-Quality Open source, works on 17+ languages Semgrep
Bandit https://github.com/PyCQA/bandit Python specific SAST tool Bandit
libsast https://github.com/ajinabraham/libsast Generic SAST for Security Engineers. Powered by regex based pattern matcher and semantic aware semgrep libsast
ESLint https://eslint.org/ Find and fix problems in your JavaScript code
nodejsscan https://github.com/ajinabraham/nodejsscan NodeJs S

鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
热门推荐
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap