Top 23 Go security-tool Projects

• trivy

  82 21,316 9.7 Go

  Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

  

Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16

Trivy Owner/Maintainer: Aqua Security Age: First released on GitHub on May 7th, 2019 License: Apache License 2.0 backward-compatible with tfsec

• gitleaks

  35 15,225 8.2 Go

  Protect and discover secrets using Gitleaks 🔑

  

Project mention: How to use Lefthooks in your node project? | dev.to | 2024-04-11

install gitleaks in your machine gitleaks

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• trufflehog

  25 13,863 9.9 Go

  Find and verify credentials

  

Project mention: Seeking help to identify vulnerabilities and secrets in a website backup file | /r/HowToHack | 2023-07-03

Trufflehog

• vuls

  3 10,659 8.8 Go

  Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices

  

• sliver

  20 7,551 9.6 Go

  Adversary Emulation Framework

  

Project mention: With VPN's such as Twin Gate and TailScale, why open ports to expose services to the internet? | /r/selfhosted | 2023-07-05

IDK if you are too young to remember the fallout from Snowden, but the Kremlin threw out entire rooms computers and for a time used actual typewriters. Because those computers had, more or less, twingate connectors on them. That's a bit of a rich example, but you're essentially installing what sliver calls an implant, what meterpreter calls a payload, and what Cobalt Strike calls a beacon. It's cool if you want to, but there's no need when you can just open a port with the same technology a Fortune 50 does.

• gosec

  19 7,441 8.8 Go

  Go security checker

  

Project mention: Top 10 Snyk Alternatives for Code Security | dev.to | 2023-08-31

6. Gosec

• traitor

  17 6,491 0.0 Go

  :arrow_up: :skull_and_crossbones: :fire: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock

Project mention: Traitor – Automatic Linux privesc via exploitation of low-hanging fruits | news.ycombinator.com | 2023-06-12

• InfluxDB

  www.influxdata.com sponsored

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• certificates

  40 6,131 9.5 Go

  🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

  

Project mention: You shouldn't run NSA-grade Wi-Fi at home | news.ycombinator.com | 2024-01-04

You can roll your own with https://github.com/smallstep/certificates. We maintain major open source projects and contribute a lot to other projects. I don’t think that means everything we do has to be open source. Sorry this one wasn’t. Doing this in pure open source would be a book, not a blog post.

Love Let’s Encrypt — we’re sponsors — but using them for WiFi is a terrible idea. You need internal PKI for WiFi.

• osv-scanner

  10 5,825 9.6 Go

  Vulnerability scanner written in Go which uses the data provided by https://osv.dev

  

Project mention: An Intro to SBOMs | news.ycombinator.com | 2023-04-25

• scan4all

  1 5,231 7.7 Go

  Official repository vuls Scan: 15000+PoCs; 23 kinds of application password crack; 7000+Web fingerprints; 146 protocols and 90000+ rules Port scanning; Fuzz, HW, awesome BugBounty( ͡° ͜ʖ ͡°)...

  

• syzkaller

  7 5,124 0.0 Go

  syzkaller is an unsupervised coverage-guided kernel fuzzer

  

Project mention: Automated Unit Test Improvement Using Large Language Models at Meta | news.ycombinator.com | 2024-02-17

https://arxiv.org/abs/2402.09171 :

> This paper describes Meta's TestGen-LLM tool, which uses LLMs to automatically improve existing human-written tests. TestGen-LLM verifies that its generated test classes successfully clear a set of filters that assure measurable improvement over the original test suite, thereby eliminating problems due to LLM hallucination. [...] We believe this is the first report on industrial scale deployment of LLM-generated code backed by such assurances of code improvement.

Coverage-guided unit test improvement might [with LLMs] be efficient too.

https://github.com/topics/coverage-guided-fuzzing :

- e.g. Google/syzkaller is a coverage-guided syscall fuzzer: https://github.com/google/syzkaller

- Gitlab CI supports coverage-guided fuzzing: https://docs.gitlab.com/ee/user/application_security/coverag...

- oss-fuzz, osv

Additional ways to improve tests:

Hypothesis and pynguin generate tests from type annotations.

There are various tools to generate type annotations for Python code;

> pytype (Google) [1], PyAnnotate (Dropbox) [2], and MonkeyType (Instagram) [3] all do dynamic / runtime PEP-484 type annotation type inference [4] to generate type annotations. https://news.ycombinator.com/item?id=39139198

icontract-hypothesis generates tests from icontract DbC Design by Contract type, value, and invariance constraints specified as precondition and postcondition @decorators:

• osmedeus

  2 5,069 6.5 Go

  A Workflow Engine for Offensive Security

• Modlishka

  11 4,670 6.0 Go

  Modlishka. Reverse Proxy.

• terrascan

  22 4,494 6.9 Go

  Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

  

Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16

Terrascan Owner/Maintainer: Tenable (acquired in 2022) Age: First release on GitHub on November 28th, 2017 License: Apache License 2.0

• spicedb

  38 4,489 9.7 Go

  Open Source, Google Zanzibar-inspired permissions database to enable fine-grained access control for customer applications

  

Project mention: How do you manage transactions in Go? Do we really need to use one transaction for each request? | /r/golang | 2023-06-02

Have you taken a look at SpiceDB? The Authzed blog has a few posts that are useful to improving your understanding -- I can think of two: New Enemies and Writing relationships to SpiceDB.

• Cameradar

  3 3,884 3.4 Go

  Cameradar hacks its way into RTSP videosurveillance cameras

Project mention: Hacking ip cameras | /r/Hacking_Tutorials | 2023-04-29

You might want to try this tool https://github.com/Ullaakut/cameradar , as most of the webcams are based on RTSP( Real-Time Streaming Protocol ) protocol.

• cli

  8 3,478 9.2 Go

  🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc. (by smallstep)

  

Project mention: Google will disable all but OAuth for IMAP, SMTP and POP starting Sept. 30 | news.ycombinator.com | 2024-01-18

https://github.com/smallstep/cli implements some OAuth flows from the CLI, it may be helpful for you.

• SecretScanner

  7 2,956 7.3 Go

  :unlock: :unlock: Find secrets and passwords in container images and file systems :unlock: :unlock:

  

• dockle

  2 2,651 5.8 Go

  Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start

  

• ContainerSSH

  12 2,565 5.6 Go

  ContainerSSH: Launch containers on demand

  

Project mention: Ask HN: Tell us about your project that's not done yet but you want feedback on | news.ycombinator.com | 2023-08-16

- Build your own honeypot with ContainerSSH (DevConf CZ 2021) [4]

[1]: https://containerssh.io

• Stowaway

  33 2,415 7.1 Go

  👻Stowaway -- Multi-hop Proxy Tool for pentesters

Project mention: Stowaway -- Multi-hop Proxy Tool for pentesters | /r/hacking | 2023-11-13

• Picocrypt

  78 2,248 6.5 Go

  A very small, very simple, yet very secure encryption tool.

Project mention: BitLocker vs Veracrypt | /r/Bitwarden | 2023-06-20

There's also Picocrypt.

• ksubdomain

  1 2,086 0.0 Go

  无状态子域名爆破工具

  

• SaaSHub

  www.saashub.com sponsored

  SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  

Go security-tools related posts

• SLSA up to v1.9.0 (latest) breaking GHA pipelines
  1 project | news.ycombinator.com | 20 Mar 2024
• A tool for using AWS Identity Center for the CLI and web console
  1 project | news.ycombinator.com | 13 Feb 2024
• I Analyzed StackOverflow for Secrets
  1 project | news.ycombinator.com | 17 Nov 2023
• [Help Needed] Securing Customized Gitleaks and Backend Communication?
  1 project | /r/cybersecurity | 16 Nov 2023
• With VPN's such as Twin Gate and TailScale, why open ports to expose services to the internet?
  1 project | /r/selfhosted | 5 Jul 2023
• Distributing ACME Let'sEncrypt certs for homelab
  1 project | /r/homelab | 5 Jul 2023
• Safety in Go
  2 projects | /r/golang | 4 Jul 2023
• A note from our sponsor - WorkOS
  workos.com | 24 Apr 2024

  The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning. Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com

Do not miss the trending Go projects with our weekly report!