Top 23 Compliance Open-Source Projects
- lynis: Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
- prowler: Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more.
- Wazuh: Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
- immudb: immudb - immutable database based on zero trust, SQL/Key-Value/Document model, tamperproof, data change history.
- checkov: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
- cloud-custodian: Rules engine for cloud security, cost optimization, and governance. DSL in YAML for policies to query, filter, and take actions on resources.
- ThreatMapper: Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.
- OSSEC: OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
- bearer: Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
- lunasec: LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
- cli: A lightweight, security-focused BDD test framework against Terraform (by terraform-compliance).
- cloudformation-guard: Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
Linux has (free) tools to improve security and detect/remove malware: Lynis, Chkrootkit, Rkhunter, ClamAV, Vuls, LMD, radare2, Yara, ntopng, maltrail, Snort, Suricata...
1. Prowler: https://github.com/prowler-cloud/prowler Prowler provides security best practices assessments, audits, incident response readiness, and continuous monitoring for AWS environments.
There is currently no feature for excluding specific SCA rules however this feature has been requested here and would be added to the roadmap for future releases.
Project mention: The API database architecture – Stop writing HTTP-GET endpoints | news.ycombinator.com | 2024-05-10
Yeah, I fully agree. The tooling for putting that much logic into the database is just not great. I've been decently happy with Sqitch[0] for DB change management, but even with that you don't really get a good basis for testing some of the logic you could otherwise test in isolation in app code.
I've also tried to rely heavily on the database handling security and authorization, but as soon as you start to do somewhat non-trivial attribute-/relationship-based authorization (as you would find in many products nowadays), it really isn't fun anymore, and you spend a lot of the time you saved on manually building backend routes on trying to fit your authz model into those basic primitives (and avoiding performance bottlenecks). Especially compared to other modern authz solutions like OPA[1] or oso[2], it really doesn't stack up.
[0]: https://github.com/sqitchers/sqitch
[1]: https://www.openpolicyagent.org
[2]: https://www.osohq.com
Project mention: Ask HN: What is your experience of tamper proof systems? | news.ycombinator.com | 2024-01-05
3. tfsec: https://github.com/aquasecurity/tfsec tfsec uses a suite of security checks to scan your Terraform templates, helping to identify potential security issues before infrastructure is deployed.
1. Checkov: https://github.com/bridgecrewio/checkov Checkov is a static code analysis tool that helps developers prevent cloud misconfigurations during the development phase by scanning Terraform, CloudFormation, Kubernetes, and more.
Project mention: Cutting down AWS cost by $150k per year simply by shutting things off | news.ycombinator.com | 2024-01-22
> The best optimization is simply shutting things off
This is the way.
A similar idea has been bouncing around in my mind for a while now. An ideal, turnkey system would do the following:
- Execute via Lambda (serverless).
- Support automated startup and shutdown of various AWS resources on a schedule influenced by specially formatted tags.
- Enable resources to be brought back up out of schedule when demand dictates.
- Operate as a TCP/HTTP proxy that can delay clients so that a given service can be started when it is dormant or, even better, the service isn't serverless but you want it to be. This can't work for everything, but perhaps enough things such that the need to run always on services is reduced.
Cloud Custodian [1] can purportedly do some of this, but I've been reluctant to learn yet another YAML-based DSL to use it.
So this is my "make things designed to be always-on serverless instead" project and the work AWS has done to make Java apps function on Lambda keeps me thinking about the potential to take things that 1) have a relatively long startup time and 2) are designed to be long running service loops, and find a way to force them into the serverless execution model.
[1] https://cloudcustodian.io/
Project mention: ThreatMapper: Open-source cloud native security observability platform | news.ycombinator.com | 2023-09-10
Project mention: Ballerine Implements Open Source Transaction Monitoring for Fintech Companies | news.ycombinator.com | 2024-03-13
If you want to validate your resources against the schema of the resources (mind you also crds) you can use kubeconform.
Project mention: Show HN: Bearer Code Security Scanner Add Support for Java, PHP, Go, and Python | news.ycombinator.com | 2023-10-26
Project mention: Pull Request Reporting with CDK-Validator-CFNGuard and Azure DevOps | dev.to | 2024-02-16
If you now use these services to fix the infrastructure findings, a drift occurs that is not always easy to fix. It is better to check for possible problems before the actual deployment. This approach is called "Shift-Left". This can be done with the package cdk-validator-cfnguard. It's based on the CloudFormation Guard package.
There are even some free open source policy generator tools like this one: https://github.com/strongdm/comply
Compliance related posts
- CISO Assistant, Open-source solution with and30 cybersecurity frameworks
- Free open-source solution for cybersecurity posture management (GRC)
- Ballerine Implements Open Source Transaction Monitoring for Fintech Companies
- Build and Push to GAR and Deploy to GKE - End-to-End CI/CD Pipeline
- Exclude certain CIS (sca) rules from agents
- Deployment issue
- Greenbone
Index
What are some of the best open-source Compliance projects? This list will help you:
# | Project | Stars
---|---|---
1 | lynis | 12,554
2 | prowler | 9,611
3 | Wazuh | 9,264
4 | OPA (Open Policy Agent) | 9,156
5 | immudb | 8,496
6 | tfsec | 6,576
7 | checkov | 6,558
8 | cloud-custodian | 5,229
9 | ThreatMapper | 4,637
10 | OSSEC | 4,272
11 | inspec | 2,816
12 | windows_hardening | 2,172
13 | content | 2,091
14 | ballerine | 1,951
15 | kubeconform | 1,939
16 | bearer | 1,753
17 | macos_security | 1,573
18 | ort | 1,482
19 | lunasec | 1,408
20 | cli | 1,326
21 | openscap | 1,280
22 | cloudformation-guard | 1,241
23 | comply | 1,236