Awesome Open Source
Awesome Open Source

Ultimate DevSecOps library

Contribution rules

If you want to contribute to this library of knowledge please create proper PR (Pull Request) with description what you are adding following these set of rules:

  • Clear description of PR (which tool, why, number of stars, maturity and topic)
  • Keep it simple - Fill the description properly
  • Fact over feelings or personal opinions
  • Add source and follow the library style
  • Avoid duplicits - one tool, one topic
  • Try to make bigger updates then on tool link
  • Currently open-source only
  • Add only active projects
  • Add only security tools
  • Report typos as issue not via PR.

Note: Currently this is an early version of the library. I recommend PR after first official release.

DevSecOps library info:

stars watchers watchers

This library contains list of tools and methodologies accompanied with resources. The main goal is to provide to the engineers a guide through opensource DevSecOps tooling. This repository covers only cyber security in the cloud and the DevSecOps scope.

Table of Contents

What is DevSecOps

DevSecOps focuses on security automation, testing and enforcement during DevOps - Release - SDLC cycles. The whole meaning behind this methodology is connecting together Development, Security and Operations. DevSecOps is methodology providing different methods, techniques and processes backed mainly with tooling focusing on developer / security experience.

DevSecOps takes care that security is part of every stage of DevOps loop - Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

Various definitions:


Pre-commit time tools

In this section you can find lifecycle helpers, precommit hook tools and threat modeling tools. Threat modeling tools are specific category by themselves allowing you to simulate and discover potential gaps before you start to develop the software or during the process.

Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based on the existing code annotations.

Name URL Description Meta
git-secrets AWS labs tool preventing you from committing secrets to a git repository Git Secrets
git-hound Searchers secrets in git git-hound
goSDL Security Development Lifecycle checklist goSDL
ThreatPlaybook Threat modeling as code GitLeaks
Threat Dragon OWASP Threat modeling tool ThreatDragon
threatspec Threat modeling as code threatspec
pytm A Pythonic framework for threat modeling pytm
Threagile A Go framework for threat modeling Threagile
MAL-lang A language to create cyber threat modeling systems for specific domains Mal
Microsoft Threat modeling tool Microsoft threat modeling tool MS Threat modeling tool
Talisman A tool to detect and prevent secrets from getting checked in Talisman
SEDATED The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git. Talisman
Sonarlint Sonar linting utility for IDE Sonarlint
DevSkim DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis DevSkim
detect-secrets Detects secrets in your codebase DevSkim
tflint A Pluggable Terraform Linter tflint

Secrets management

Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of passwords, certificates, configuration values and other types of secrets.

Name URL Description Meta
GitLeaks Gitleaks is a scanning tool for detecting hardcoded secrets GitLeaks
ggshield GitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files. ggshield
TruffleHog TruffleHog is a scanning tool for detecting hardcoded secrets TruffleHog
Hashicorp Vault Hashicorp Vault secrets management Vault
Mozilla SOPS Mozilla Secrets Operations SOPS
AWS secrets manager GH action AWS secrets manager docs AWS Secrets manager action
GitRob Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github GitRob
git-wild-hunt A tool to hunt for credentials in the GitHub git-wild-hunt
aws-vault AWS Vault is a tool to securely store and access AWS credentials in a development environment aws-vault
Knox Knox is a service for storing and rotation of secrets, keys, and passwords used by other services Knox
Chef vault allows you to encrypt a Chef Data Bag Item Chef vault
Ansible vault Ansible vault docs Encryption/decryption utility for Ansible data files Ansible vault

OSS and Dependency management

Dependency security testing and analysis is very important part of discovering supply chain attacks. SBOM creation and following dependency scanning (Software composition analysis) is critical part of continuous integration (CI). Data series and data trends tracking should be part of CI tooling. You need to know what you produce and what you consume in context of libraries and packages.

Name URL Description Meta
CycloneDX CycloneDX format for SBOM CycloneDX
cdxgen Generates CycloneDX SBOM, supports many languages and package managers. CycloneDX
SPDX SPDX format for SBOM - Software Package Data Exchange SpDX
Snyk Snyk scans and monitors your projects for security vulnerabilities Snyk
vulncost Security Scanner for VS Code Vulncost
Dependency Combobulator Dependency-related attacks detection and prevention through heuristics and insight engine (support multiple dependency schemes) Combobulator
DependencyTrack Dependency security tracking platform DependencyTrack
DependencyCheck Simple dependency security scanner good for CI DependencyCheck
Retire.js Helps developers to detect the use of JS-library versions with known vulnerabilities Retire.js
PHP security checker Check vulnerabilities in PHP dependencies Retire.js
bundler-audit Patch-level verification for bundler Bundler audit
gemnasium Dependency Scanning Analyzer based on Gemnasium
Dependabot Automated dependency updates built into GitHub providing security alerts Dependabot
Renovatebot Automated dependency updates, patches multi-platform and multi-language Renovatebot
npm-check Check for outdated, incorrect, and unused dependencies. npm-check
Security Scorecards Checks for several security health metrics on open source libraries and provides a score (0-10) to be considered in the decision making of what libraries to use. scorecard
Syft CLI tool and library for generating an SBOM from container images (and filesystems). syft

Supply chain specific tools

Supply chain is often the target of attacks. Which libraries you use can have a massive impact on security of the final product (artifacts). CI (continuous integration) must be monitored inside the tasks and jobs in pipeline steps. Integrity checks must be stored out of the system and in ideal case several validation runs with comparison of integrity hashes / or attestation must be performed.

Name URL Description Meta
Tekton chains Kubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton. Chains
in-toto An in-toto attestation is authenticated metadata about one or more software artifacts in-toto
SLSA Official GitHub link Supply-chain Levels for Software Artifacts SLSA
kritis Solution for securing your software supply chain for Kubernetes apps Kritis
ratify Artifact Ratification Framework ratify


Static code review tools working with source code and looking for known patterns and relationships of methods, variables, classes and libraries. SAST works with the raw code and usually not with build packages.

Name URL Description Meta
Brakeman Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities Brakeman
Semgrep Hi-Quality Open source, works on 17+ languages Semgrep
Bandit Python specific SAST tool Bandit
libsast Generic SAST for Security Engineers. Powered by regex based pattern matcher and semantic aware semgrep libsast
ESLint Find and fix problems in your JavaScript code
nodejsscan NodeJs SAST scanner with GUI NodeJSscan
FindSecurityBugs The SpotBugs plugin for security audits of Java web applications FindSecuritybugs
SonarQube community Detect security issues in code review with Static Application Security Testing (SAST) SonarQube
gosec Inspects source code for security problems by scanning the Go AST. gosec
Safety Checks Python dependencies for known security vulnerabilities . Safety

Note: Semgrep is free CLI tool, however some rulesets ( are having various licences, some can be free to use and can be commercial.

OWASP curated list of SAST tools :


Dynamic application security testing (DAST) is a type of application testing (in most cases web) that checks your application from the outside by active communication and analysis of the responses based on injected inputs. DAST tools rely on inputs and outputs to operate. A DAST tool uses these to check for security problems while the software is actually running and is actively deployed on the server (or serverless function).

Name URL Description Meta
Zap proxy Zap proxy providing various docker containers for CI/CD pipeline ZAP
Wapiti Light pipeline ready scanning tool Wapiti
Nuclei Template based security scanning tool Nuclei
purpleteam CLI DAST tool incubator project purpleteam
oss-fuzz OSS-Fuzz: Continuous Fuzzing for Open Source Software osss-fuzz
nikto Nikto web server scanner nikto
skipfish Skipfish is an active web application security reconnaissance tool skipfish

Continuous deployment security

Name URL Description Meta
SecureCodeBox Toolchain for continuous scanning of applications and infrastructure SCB
OpenSCAP Open Source Security Compliance Solution oscap
ThreatMapper ThreatMapper hunts for vulnerabilities in your production platforms, and ranks these vulnerabilities based on their risk-of-exploit. kube-hunter


Name URL Description Meta
KubiScan A tool for scanning Kubernetes cluster for risky permissions Kubiscan
Kubeaudit Audit Kubernetes clusters for various different security concerns kube-audit
Kubescape The first open-source tool for testing if Kubernetes is deployed according to the NSA-CISA and the MITRE ATT&CK®. kubescape
kubesec Security risk analysis for Kubernetes resources kubesec
kube-bench Kubernetes benchmarking tool Kubiscan
kube-score Static code analysis of your Kubernetes object definitions kube-score
kube-hunter Active scanner for k8s (purple) kube-hunter
Calico Calico is an open source networking and network security solution for containers Calico
Krane Simple Kubernetes RBAC static analysis tool krane
Starboard Starboard inegrates security tools by outputs into Kubernetes CRDs starboard
Gatekeeper Open policy agent gatekeeper for k8s gatekeeper
Inspektor-gadget Collection of tools (or gadgets) to debug and inspect k8s inspector
kube-linter Static analysis for Kubernetes kube-linter
mizu-api-traffic-viewer A simple-yet-powerful API traffic viewer for Kubernetes enabling you to view all API communication between microservices to help your debug and troubleshoot regressions. GitHub stars
HelmSnyk The Helm plugin for Snyk provides a subcommand for testing the images. GitHub stars
Kubewarden Policy as code for kubernetes from SUSE. GitHub stars
Kubernetes-sigs BOM Kubernetes BOM generator GitHub stars
Capsule A multi-tenancy and policy-based framework for Kubernetes GitHub stars
Badrobot Badrobot is a Kubernetes Operator audit tool GitHub stars
Istio Istio is a service mesh based on Envoy. Engage encryption, role-based access, and authentication across services.


Name URL Description Meta
Harbor Trusted cloud native registry project Harbor
Anchore Centralized service for inspection, analysis, and certification of container images Anchore
Clair Docker vulnerability scanner Clair
Deepfence ThreatMapper Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless. ThreatMapper
Docker bench Docker benchmarking against CIS docker bench
Falco Container runtime protection Falco
Trivy Comprehensive scanner for vulnerabilities in container images Trivy
Notary Docker signing Notary
Cosign Container signing Cosign
watchtower Updates the running version of your containerized app watchtower
Grype Vulnerability scanner for container images (and also filesystems). Grype


Name URL Description Meta
Cloudsploit Detection of security risks in cloud infrastructure Cloudsploit
ScoutSuite NCCgroup mutlicloud scanning tool ScoutSuite
CloudCustodian Multicloud security analysis framework CloudCustodian
CloudGraph GraphQL API + Security for AWS, Azure, GCP, and K8s CloudGraph


AWS specific DevSecOps tooling. Tools here cover different areas like inventory management, misconfiguration scanning or IAM roles and policies review.

Name URL Description Meta
Dragoneye Dragoneye Indeni AWS scanner Dragoneye
Prowler Prowler is a command line tool that helps with AWS security assessment, auditing, hardening and incident response. Prowler
aws-inventory Helps to discover all AWS resources created in an account aws-inventory
PacBot Policy as Code Bot (PacBot) pacbot
Komiser Monitoring dashboard for costs and security komiser
Cloudsplaining IAM analysis framework cloudsplaining
ElectricEye Continuously monitor your AWS services for configurations ElectricEye
Cloudmapper CloudMapper helps you analyze your Amazon Web Services (AWS) environments cloudmapper
cartography Consolidates AWS infrastructure assets and the relationships between them in an intuitive graph cartography
policy_sentry IAM Least Privilege Policy Generator policycentry
AirIAM IAM Least Privilege anmalyzer and Terraformer AirIam
StreamAlert AirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert StreamAlert
CloudQuery AirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert CloudQuery
S3Scanner A tool to find open S3 buckets and dump their contents S3Scanner
aws-iam-authenticator A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster authenticator
kube2iam A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster kube2iam
AWS open source security samples Official AWS opensource repo Collection of official AWS open-source resources Amazon AWS
AWS Firewall factory Globaldatanet FMS automation Deploy, update, and stage your WAFs while managing them centrally via FMS Globaldatanet Firewall factory
Parliment Parliment Parliament is an AWS IAM linting library IAM linting
Yor Yor Adds informative and consistent tags across infrastructure-as-code frameworks such as Terraform, CloudFormation, and Serverless Yor

Google cloud platform

GCP specific DevSecOps tooling. Tools here cover different areas like inventory management, misconfiguration scanning or IAM roles and policies review.

Name URL Description Meta
Forseti Complex security orchestration and scanning platform Forseti

Policy as code

Policy as code is the idea of writing code in a high-level language to manage and automate policies. By representing policies as code in text files, proven software development best practices can be adopted such as version control, automated testing, and automated deployment. (Source:

Name URL Description Meta
Open Policy agent General-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack OPA
Kyverno Kyverno is a policy engine designed for Kubernetes kyverno
Inspec Chef InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements. Inspec
Cloud Formation guard Cloud Formation policy as code cf-guard
cnspec cnspec is a cloud-native and powerful Policy as Code engine to assess the security and compliance of your business-critical infrastructure. cnspec finds vulnerabilities and misconfigurations on all systems in your infrastructure including: public and private cloud environments, Kubernetes clusters, containers, container registries, servers and endpoints, SaaS products, infrastructure as code, APIs, and more. cf-guard

Chaos engineering

Chaos Engineering is the discipline of experimenting on a system in order to build confidence in the system’s capability to withstand turbulent conditions in production.

Reading and manifestos:

Name URL Description Meta
chaos-mesh It is a cloud-native Chaos Engineering platform that orchestrates chaos on Kubernetes environments Chaos mesh
Chaos monkey Chaos Monkey is responsible for randomly terminating instances in production to ensure that engineers implement their services to be resilient to instance failures. Chaos monkey
Chaos Engine The Chaos Engine is a tool that is designed to intermittently destroy or degrade application resources running in cloud based infrastructure. These events are designed to occur while the appropriate resources are available to resolve the issue if the platform fails to do so on it's own. Chaos Engine
chaoskube Test how your system behaves under arbitrary pod failures. chaoskube
Kube-Invaders Gamified chaos engineering tool for Kubernetes chaoskube
kube-monkey Gamified chaos engineering tool for Kubernetes kube-monkey
Litmus Chaos Litmus is an end-to-end chaos engineering platform for cloud native infrastructure and applications. Litmus is designed to orchestrate and analyze chaos in their environments. Litmus
Gremlin Chaos enginnering SaaS platform with free plan and some open source libraries Gremlin
AWS FIS samples AWS Fault injection simulator samples AWS
CloudNuke CLI tool to delete all resources in an AWS account CloudNuke

Infrastructure as code security

Scanning your infrastructure when it is only code helps shift-left the security. Many tools offer in IDE scanning and providing real-time advisory do Cloud engineers.

Name URL Description Meta
KICS Checkmarx security testing opensource for IaC Checkmarx
Checkov Checkov is a static code analysis tool for infrastructure-as-code Checkov
tfsec tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform CDK support tfsec
terrascan Terrascan is a static code analyzer for Infrastructure as Code terrascan
cfsec cfsec scans CloudFormation configuration files for security issues cfsec
cfn_nag Looks for insecure patterns in CloudFormation cfnag
Sysdig IaC scanner action Scans your repository with Sysdig IAC Scanner and report the vulnerabilities. sysdig iac scanner


Event driven security help to drive, automate and execute tasks for security processes. The tools here and not dedicated security tools but are helping to automate and orchestrate security tasks or are part of most modern security automation frameworks or tools.

Name URL Description Meta
StackStorm Platform for integration and automation across services and tools supporting event driven security StackStorm
Camunda Workflow and process automation Camunda
DefectDojo Security orchestration and vulnerability management platform DefectDojo
Faraday Security suite for Security Orchestration, vulnerability management and centralized information Faraday

Methodologies, whitepapers and architecture

List of resources worth investigating:

AWS DevOps whitepapers:

AWS blog:

Microsoft whitepapers:

GCP whitepapers:


Here are the other links and resources that do not fit in any previous category. They can meet multiple categories in time or help you in your learning.

Name URL Description Meta
Automated Security Helper (ASH) ASH is a one stop shop for security scanners, and does not require any installation. It will identify the different frameworks, and download the relevant, up to date tools. ASH is running on isolated Docker containers, keeping the user environment clean, with a single aggregated report. The following frameworks are supported: Git, Python, Javascript, Cloudformation, Terraform and Jupyter Notebooks. ASH
Mobile security framework SAST, DAST and pentesting tool for mobile apps MobSF

Training -

DevSecOps videos - Hackitect playground


MIT license

Marek Šottl (c) 2022

Related Awesome Lists
Top Programming Languages

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Docker (99,781
Aws (39,318
Security (32,284
Cloud (29,186
K8s (26,018
Kubernetes (26,018
Azure (18,112
Awesome (13,904
Awesome List (13,904
Serverless (10,223
Gcp (5,658
Ci Cd (2,553
Cybersecurity (2,322
Devsecops (534