A curated list of awesome DevSecOps tools to help you integrate security into your DevOps pipeline.
- SCA (Software Composition Analysis)
- SAST (Static Application Security Testing)
- DAST (Dynamic Application Security Testing)
- Infrastructure as Code (IaC) Security
- Secret Scanning
- Container Security
## SCA (Software Composition Analysis)

Analyze open-source dependencies for known vulnerabilities.
- Snyk - Developer-first platform to find and fix vulnerabilities in dependencies.
- OWASP Dependency-Check - Identifies project dependencies and checks if there are any known, publicly disclosed vulnerabilities.
- Trivy - A comprehensive security scanner for containers and other artifacts.
## SAST (Static Application Security Testing)

Scan your source code for security flaws without executing it.
- SonarQube - Automatic code review tool to detect bugs, vulnerabilities, and code smells.
- Semgrep - Lightweight static analysis for many languages.
- Scheck - Specifically for inspecting Go source code for security problems.
## DAST (Dynamic Application Security Testing)

Test the application while it is running.
- OWASP ZAP - The world’s most widely used web app scanner (Free and Open Source).
- Burp Suite - A leading graphical tool for testing web application security.
- Nikto - An open-source web server scanner.
## Infrastructure as Code (IaC) Security

Scan Terraform, CloudFormation, or Kubernetes manifests.
- Checkov - Static analysis tool for IaC.
- Terrascan - Detect compliance and security violations across IaC.
- Tfsec - Specifically for Terraform security scanning.
## Secret Scanning

Prevent passwords and API keys from being leaked to GitHub.
- Gitleaks - Audit git repos for secrets.
- TruffleHog - Searches through git repositories for high entropy strings and secrets.
## Container Security

- Anchore - A tool for analyzing container images for vulnerabilities.
- Clair - Vulnerability static analysis for containers.
Contributions are welcome! Please read the contribution guidelines.