Loading repository data…
Loading repository data…
sottlmarek / repository
Ultimate DevSecOps library
If you want to contribute to this library of knowledge please create proper PR (Pull Request) with description what you are adding following these set of rules:
Note: Currently this is an early version of the library. I recommend PR after first official release.
DevSecOps library info:
This library contains list of tools and methodologies accompanied with resources. The main goal is to provide to the engineers a guide through opensource DevSecOps tooling. This repository covers only cyber security in the cloud and the DevSecOps scope.
DevSecOps focuses on security automation, testing and enforcement during DevOps - Release - SDLC cycles. The whole meaning behind this methodology is connecting together Development, Security and Operations. DevSecOps is methodology providing different methods, techniques and processes backed mainly with tooling focusing on developer / security experience.
DevSecOps takes care that security is part of every stage of DevOps loop - Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.
Various definitions:
In this section you can find lifecycle helpers, precommit hook tools and threat modeling tools. Threat modeling tools are specific category by themselves allowing you to simulate and discover potential gaps before you start to develop the software or during the process.
Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based on the existing code annotations.
| Name | URL | Description | Meta |
|---|---|---|---|
| git-secrets | https://github.com/awslabs/git-secrets | AWS labs tool preventing you from committing secrets to a git repository | |
| git-hound | https://github.com/tillson/git-hound | Searchers secrets in git | |
| goSDL | https://github.com/slackhq/goSDL | Security Development Lifecycle checklist | |
| ThreatPlaybook | https://github.com/we45/ThreatPlaybook | Threat modeling as code | |
| Threat Dragon | https://github.com/OWASP/threat-dragon | OWASP Threat modeling tool | |
| threatspec | https://github.com/threatspec/threatspec | Threat modeling as code | |
Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of passwords, certificates, configuration values and other types of secrets.
| Name | URL | Description | Meta |
|---|---|---|---|
| GitLeaks | https://github.com/zricethezav/gitleaks | Gitleaks is a scanning tool for detecting hardcoded secrets | |
| ggshield | https://github.com/gitguardian/ggshield | GitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files. | |
| TruffleHog | https://github.com/trufflesecurity/truffleHog | TruffleHog is a scanning tool for detecting hardcoded secrets | |
| Hashicorp Vault | https://github.com/hashicorp/vault | Hashicorp Vault secrets management | |
| Mozilla SOPS | https://github.com/mozilla/sops | Mozilla Secrets Operations | |
| AWS secrets manager GH action | https://github.com/marketplace/actions/aws-secrets-manager-actions |
| pytm |
| https://github.com/izar/pytm |
| A Pythonic framework for threat modeling |
| Threagile | https://github.com/Threagile/threagile | A Go framework for threat modeling |
| MAL-lang | https://mal-lang.org/#what | A language to create cyber threat modeling systems for specific domains |
| Microsoft Threat modeling tool | https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool | Microsoft threat modeling tool |
| Talisman | https://github.com/thoughtworks/talisman | A tool to detect and prevent secrets from getting checked in |
| SEDATED | https://github.com/OWASP/SEDATED | The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git. |
| Sonarlint | https://github.com/SonarSource/sonarlint-core | Sonar linting utility for IDE |
| DevSkim | https://github.com/microsoft/DevSkim | DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis |
| detect-secrets | https://github.com/Yelp/detect-secrets | Detects secrets in your codebase |
| tflint | https://github.com/terraform-linters/tflint | A Pluggable Terraform Linter |
| Steampipe Code Plugin | https://github.com/turbot/steampipe-plugin-code | Use SQL to detect secrets from source code and data sources. |
| AWS secrets manager docs |
| GitRob | https://github.com/michenriksen/gitrob | Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github |
| git-wild-hunt | https://github.com/d1vious/git-wild-hunt | A tool to hunt for credentials in the GitHub |
| aws-vault | https://github.com/99designs/aws-vault | AWS Vault is a tool to securely store and access AWS credentials in a development environment |
| Knox | https://github.com/pinterest/knox | Knox is a service for storing and rotation of secrets, keys, and passwords used by other services |
| Chef vault | https://github.com/chef/chef-vault | allows you to encrypt a Chef Data Bag Item |
| Ansible vault | Ansible vault docs | Encryption/d |