sottlmarek/DevSecOps: Ultimate DevSecOps library

原作者: [db:作者] 来自: 网络收藏邀请

开源软件名称（OpenSource Name）：

sottlmarek/DevSecOps

开源软件地址(OpenSource Url)：

https://github.com/sottlmarek/DevSecOps

开源编程语言(OpenSource Language)：

开源软件介绍(OpenSource Introduction)：

Ultimate DevSecOps library

Contribution rules

If you want to contribute to this library of knowledge please create proper PR (Pull Request) with description what you are adding following these set of rules:

Clear description of PR (which tool, why, number of stars, maturity and topic)
Keep it simple - Fill the description properly
Fact over feelings or personal opinions
Add source and follow the library style
Avoid duplicits - one tool, one topic
Try to make bigger updates then on tool link
Currently open-source only
Add only active projects
Add only security tools
Report typos as issue not via PR.

Note: Currently this is an early version of the library. I recommend PR after first official release.

DevSecOps library info:

This library contains list of tools and methodologies accompanied with resources. The main goal is to provide to the engineers a guide through opensource DevSecOps tooling. This repository covers only cyber security in the cloud and the DevSecOps scope.

Definition
Tooling
Precommit and threat modeling
SAST
DAST
Orchestration
Supply chain and dependencies
Infrastructure as code
Containers security
Kubernetes
Cloud
Chaos engineering
Policy as code
Methodologies
Other
License

What is DevSecOps

DevSecOps focuses on security automation, testing and enforcement during DevOps - Release - SDLC cycles. The whole meaning behind this methodology is connecting together Development, Security and Operations. DevSecOps is methodology providing different methods, techniques and processes backed mainly with tooling focusing on developer / security experience.

DevSecOps takes care that security is part of every stage of DevOps loop - Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

Various definitions:

Tooling

Pre-commit time tools

In this section you can find lifecycle helpers, precommit hook tools and threat modeling tools. Threat modeling tools are specific category by themselves allowing you to simulate and discover potential gaps before you start to develop the software or during the process.

Modern DevSecOps tools allow using Threat modeling as code or generation of threat models based on the existing code annotations.

Name	URL	Description
git-secrets	https://github.com/awslabs/git-secrets	AWS labs tool preventing you from committing secrets to a git repository
git-hound	https://github.com/tillson/git-hound	Searchers secrets in git
goSDL	https://github.com/slackhq/goSDL	Security Development Lifecycle checklist
ThreatPlaybook	https://github.com/we45/ThreatPlaybook	Threat modeling as code
Threat Dragon	https://github.com/OWASP/threat-dragon	OWASP Threat modeling tool
threatspec	https://github.com/threatspec/threatspec	Threat modeling as code
pytm	https://github.com/izar/pytm	A Pythonic framework for threat modeling
Threagile	https://github.com/Threagile/threagile	A Go framework for threat modeling
MAL-lang	https://mal-lang.org/#what	A language to create cyber threat modeling systems for specific domains
Microsoft Threat modeling tool	https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool	Microsoft threat modeling tool
Talisman	https://github.com/thoughtworks/talisman	A tool to detect and prevent secrets from getting checked in
SEDATED	https://github.com/OWASP/SEDATED	The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git.
Sonarlint	https://github.com/SonarSource/sonarlint-core	Sonar linting utility for IDE
DevSkim	https://github.com/microsoft/DevSkim	DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis
detect-secrets	https://github.com/Yelp/detect-secrets	Detects secrets in your codebase
tflint	https://github.com/terraform-linters/tflint	A Pluggable Terraform Linter

Secrets management

Secrets management includes managing, versioning, encryption, discovery, rotating, provisioning of passwords, certificates, configuration values and other types of secrets.

Name	URL	Description
GitLeaks	https://github.com/zricethezav/gitleaks	Gitleaks is a scanning tool for detecting hardcoded secrets
ggshield	https://github.com/gitguardian/ggshield	GitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files.
TruffleHog	https://github.com/trufflesecurity/truffleHog	TruffleHog is a scanning tool for detecting hardcoded secrets
Hashicorp Vault	https://github.com/hashicorp/vault	Hashicorp Vault secrets management
Mozilla SOPS	https://github.com/mozilla/sops	Mozilla Secrets Operations
AWS secrets manager GH action	https://github.com/marketplace/actions/aws-secrets-manager-actions	AWS secrets manager docs
GitRob	https://github.com/michenriksen/gitrob	Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github
git-wild-hunt	https://github.com/d1vious/git-wild-hunt	A tool to hunt for credentials in the GitHub
aws-vault	https://github.com/99designs/aws-vault	AWS Vault is a tool to securely store and access AWS credentials in a development environment
Knox	https://github.com/pinterest/knox	Knox is a service for storing and rotation of secrets, keys, and passwords used by other services
Chef vault	https://github.com/chef/chef-vault	allows you to encrypt a Chef Data Bag Item
Ansible vault	Ansible vault docs	Encryption/decryption utility for Ansible data files

OSS and Dependency management

Dependency security testing and analysis is very important part of discovering supply chain attacks. SBOM creation and following dependency scanning (Software composition analysis) is critical part of continuous integration (CI). Data series and data trends tracking should be part of CI tooling. You need to know what you produce and what you consume in context of libraries and packages.

Name	URL	Description
CycloneDX	https://github.com/orgs/CycloneDX/repositories	CycloneDX format for SBOM
SPDX	https://github.com/spdx/spdx-spec	SPDX format for SBOM - Software Package Data Exchange
Snyk	https://github.com/snyk/snyk	Snyk scans and monitors your projects for security vulnerabilities
vulncost	https://github.com/snyk/vulncost	Security Scanner for VS Code
Dependency Combobulator	https://github.com/apiiro/combobulator	Dependency-related attacks detection and prevention through heuristics and insight engine (support multiple dependency schemes)
DependencyTrack	https://github.com/DependencyTrack/dependency-track	Dependency security tracking platform
DependencyCheck	https://github.com/jeremylong/DependencyCheck	Simple dependency security scanner good for CI
Retire.js	https://github.com/retirejs/retire.js/	Helps developers to detect the use of JS-library versions with known vulnerabilities
PHP security checker	https://github.com/fabpot/local-php-security-checker	Check vulnerabilities in PHP dependencies
bundler-audit	https://github.com/rubysec/bundler-audit	Patch-level verification for bundler
gemnasium	https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium	Dependency Scanning Analyzer based on Gemnasium
Dependabot	https://github.com/dependabot/dependabot-core	Automated dependency updates built into GitHub providing security alerts
Renovatebot	https://github.com/renovatebot/renovate	Automated dependency updates, patches multi-platform and multi-language
npm-check	https://www.npmjs.com/package/npm-check	Check for outdated, incorrect, and unused dependencies.

Supply chain specific tools

Supply chain is often the target of attacks. Which libraries you use can have a massive impact on security of the final product (artifacts). CI (continuous integration) must be monitored inside the tasks and jobs in pipeline steps. Integrity checks must be stored out of the system and in ideal case several validation runs with comparison of integrity hashes / or attestation must be performed.

Name	URL	Description
Tekton chains	https://github.com/tektoncd/chains	Kubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton.
in-toto	https://github.com/in-toto/attestation/tree/v0.1.0/spec	An in-toto attestation is authenticated metadata about one or more software artifacts
SLSA	Official GitHub link	Supply-chain Levels for Software Artifacts
kritis	https://github.com/grafeas/kritis	Solution for securing your software supply chain for Kubernetes apps
ratify	https://github.com/deislabs/ratify	Artifact Ratification Framework

SAST

Static code review tools working with source code and looking for known patterns and relationships of methods, variables, classes and libraries. SAST works with the raw code and usually not with build packages.

Name	URL	Description
Brakeman	https://github.com/presidentbeef/brakeman	Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities
Semgrep	https://semgrep.dev/	Hi-Quality Open source, works on 17+ languages
Bandit	https://github.com/PyCQA/bandit	Python specific SAST tool
libsast	https://github.com/ajinabraham/libsast	Generic SAST for Security Engineers. Powered by regex based pattern matcher and semantic aware semgrep
ESLint	https://eslint.org/	Find and fix problems in your JavaScript code
nodejsscan	https://github.com/ajinabraham/nodejsscan	NodeJs S