Top 23 Python security-audit Projects
prowler
Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
Project mention: Ask HN: Cloud security auditing for indie-grade projects? | news.ycombinator.com | 2023-12-04
Which cloud provider?
https://github.com/prowler-cloud/prowler is easy to get going with, and gives decent results. It's much stronger at AWS than GCP or Azure.
Steampipe can be a little harder to wrap your head around, but scales really well and has broader support: https://hub.steampipe.io/mods?objectives=security
Reconnoitre
A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.
owasp-masvs
The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
Project mention: More ways to identify independently security tested apps on Google Play | news.ycombinator.com | 2023-11-03
https://github.com/OWASP/owasp-masvs :
> The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
inql
InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.
ssh-mitm
There is now an issue ticket in ssh-mitm to discuss the similarities between ssh-mitm and the Terrapin attack: https://github.com/ssh-mitm/ssh-mitm/issues/165
enum4linux-ng
A next-generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed at security professionals and CTF players.
pip-audit
Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
Project mention: Smooth Packaging: Flowing from Source to PyPi with GitLab Pipelines | dev.to | 2024-01-18
Next up is making sure none of the dependencies used throughout the project brings with it any already identified security issue. The makefile target audit invokes the handy tool pip-audit.
ElectricEye
ElectricEye is a multi-cloud, multi-SaaS Python CLI tool for Asset Management, Security Posture Management & Attack Surface Monitoring supporting 100s of services and evaluations to harden your CSP & SaaS environments with controls mapped to over 20 industry, regulatory, and best practice controls frameworks
dep-scan
OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05
Depscan v5 is the first open-source SCA tool that can perform precision reachability analysis for Java, JavaScript/TypeScript, and Python applications to triage and prioritize the results. We invented an automatic symbols tagger, a lightweight data-flow analyzer, and a static slicer to compute all reachable flows with or without vulnerabilities. We open-sourced all our work, including the specification.
betterscan-ce
Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners + OpenAI GPT with One Report (Code, IaC) - Betterscan Community Edition (CE)
packj
Packj stops Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.
1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.
aura
Project mention: Aura – Python source code auditing and static analysis on a large scale | news.ycombinator.com | 2023-04-10
dummy
Generator of static files for testing file upload. It can generate the png file of any number of bytes! (by sterrasec)
Project mention: GitHub - sterrasec/dummy: Generator of static files for testing file upload. It can generate the png file of any number of bytes! | /r/webdev | 2023-10-20
Dimorf
Dimorf is a ransomware using 256-bit AES with a self-destructing, randomly generated key for Linux OSs
Python security-audit related posts
- Ask HN: Cloud security auditing for indie-grade projects?
- GitHub - sterrasec/dummy: Generator of static files for testing file upload. It can generate the png file of any number of bytes!
- Automating AWS Prowler Scans
- Pyscan: A command-line tool to detect security issues in your python dependencies.
- How Attackers Can Sneakily Slip Malware Packages Into Poetry.lock Files
- Show HN: TypeScript Security Scanner
- Aura – Python source code auditing and static analysis on a large scale
28 Mar 2024
Index
What are some of the best open-source security-audit projects in Python? This list will help you:
# | Project | Stars
---|---|---
1 | prowler | 9,424
2 | faraday | 4,558
3 | github-dorks | 2,620
4 | Reconnoitre | 2,065
5 | owasp-masvs | 1,924
6 | inql | 1,439
7 | ssh-mitm | 1,211
8 | enum4linux-ng | 991
9 | kubestriker | 976
10 | pip-audit | 903
11 | ElectricEye | 858
12 | habu | 849
13 | dep-scan | 676
14 | betterscan-ce | 672
15 | packj | 594
16 | aura | 482
17 | aws-cloudsaga | 415
18 | zap-cli | 220
19 | kcare-uchecker | 183
20 | poro | 141
21 | pyrcrack | 113
22 | dummy | 51
23 | Dimorf | 50