Compliance

Top 23 Compliance Open-Source Projects

  • lynis

    Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.

  • Project mention: Who does check linux distros of malware - open source | /r/linux | 2023-12-10

    Linux has (free) tools to improve security and detect/remove malware: Lynis, Chkrootkit, Rkhunter, ClamAV, Vuls, LMD, radare2, Yara, ntopng, maltrail, Snort, Suricata...

  • prowler

    Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more

  • Project mention: Ask HN: Cloud security auditing for indie-grade projects? | news.ycombinator.com | 2023-12-04

    Which cloud provider?

    https://github.com/prowler-cloud/prowler is easy to get going with, and gives decent results. It's much stronger at AWS than GCP or Azure.

    Steampipe can be a little harder to wrap your head around, but scales really well and has broader support: https://hub.steampipe.io/mods?objectives=security

  • OPA (Open Policy Agent)

    Open Policy Agent (OPA) is an open source, general-purpose policy engine.

  • Project mention: SAP BTP, Terraform and Open Policy Agent | dev.to | 2024-04-02

    How can we handle this? Are there any mechanisms to prevent, or at least to some extent safeguard against, this kind of issue without falling back to a manual workflow? There are. One huge advantage of sticking to (de-facto) standards like Terraform is that, first, we are probably not the first ones to come up with this question and, second, there is a huge ecosystem around Terraform that might help us with such challenges. And for this specific scenario the solution is the Open Policy Agent. Let us take a closer look at how the solution could look.
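A concrete version of the guardrail the post describes, added here as an illustration and not taken from the article, SAP or the OPA project: OPA would normally evaluate a Rego rule over the JSON produced by `terraform show -json tfplan`; the Python below applies the same rule (every aws_s3_bucket that will exist after apply must be paired with an aws_s3_bucket_public_access_block that sets all four flags to true) so the plan layout such a rule has to walk is visible. The plan document is constructed by hand and trimmed to the fields the rule reads.

```python
"""Policy-as-code check over a `terraform show -json` plan document.

Added illustration, not the article's or OPA's code: the rule one would
write in Rego for OPA, expressed in plain Python so the shape of the plan
JSON (resource_changes[].change.actions / .after) is visible. The plan
below is constructed; resource types and attribute names mirror the AWS
provider's aws_s3_bucket and aws_s3_bucket_public_access_block.
"""
import json

# Constructed plan in the `terraform show -json` layout, trimmed to the
# fields the rule needs.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "corp-logs"}}},
        {"address": "aws_s3_bucket_public_access_block.logs",
         "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"],
                    "after": {"bucket": "corp-logs",
                              "block_public_acls": True,
                              "block_public_policy": False,   # the weak spot
                              "ignore_public_acls": True,
                              "restrict_public_buckets": True}}},
        {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "corp-scratch"}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "before": {"bucket": "corp-old"},
                    "after": None}},
    ],
})

PUBLIC_ACCESS_FLAGS = ("block_public_acls", "block_public_policy",
                       "ignore_public_acls", "restrict_public_buckets")


def planned(plan, resource_type):
    """Yield resource changes of `resource_type` that still exist after apply.

    Pure deletions are skipped; create, update, replace and no-op all leave
    a resource behind that the rule must judge.
    """
    for rc in plan.get("resource_changes", []):
        if rc["type"] != resource_type:
            continue
        actions = rc["change"]["actions"]
        if "delete" in actions and "create" not in actions:
            continue
        yield rc


def evaluate(plan_json):
    """Return deny messages for the plan; an empty list means it passes."""
    plan = json.loads(plan_json)
    # Index public access blocks by the bucket they protect.
    blocks = {}
    for rc in planned(plan, "aws_s3_bucket_public_access_block"):
        after = rc["change"]["after"] or {}
        blocks[after.get("bucket")] = after
    denies = []
    for rc in planned(plan, "aws_s3_bucket"):
        name = (rc["change"]["after"] or {}).get("bucket")
        block = blocks.get(name)
        if block is None:
            denies.append(f"{rc['address']}: no aws_s3_bucket_public_access_block "
                          f"for bucket {name!r}")
            continue
        weak = [f for f in PUBLIC_ACCESS_FLAGS if block.get(f) is not True]
        if weak:
            denies.append(f"{rc['address']}: public access block leaves "
                          f"{', '.join(weak)} unset")
    return denies


if __name__ == "__main__":
    # In a pipeline: terraform plan -out=tfplan && terraform show -json tfplan
    # would feed this instead of SAMPLE_PLAN; a non-empty result fails the job.
    for msg in evaluate(SAMPLE_PLAN):
        print("deny:", msg)
```

Two denials come back for the constructed plan (the logs bucket's block leaves block_public_policy unset; the scratch bucket has no block at all), while the bucket being deleted is ignored. The same three lookups (filter by type, skip deletions, join on the bucket name) are what the Rego rule ends up doing against `input.resource_changes`.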

  • Wazuh

    Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.

  • Project mention: Exclude certain CIS (sca) rules from agents | /r/Wazuh | 2023-12-11

    There is currently no feature for excluding specific SCA rules; however, this feature has been requested here and would be added to the roadmap for future releases.

  • immudb

    immudb - immutable database based on zero trust, SQL/Key-Value/Document model, tamperproof, data change history

  • Project mention: Ask HN: What is your experience of tamper proof systems? | news.ycombinator.com | 2024-01-05

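
To make the tamper-proofing claim concrete, here is a minimal hash-chained append-only log with verification, added as an illustration; it is not immudb's code (immudb builds a Merkle tree and serves cryptographic inclusion and consistency proofs), but it shows the property at the smallest scale: every entry commits to its predecessor, the client keeps the latest hash as its trust anchor, and any in-place rewrite or truncation is caught by verify(). The keys, values and the tampering scenario are constructed for the example.

```python
"""Tamper-evident append-only log with a SHA-256 hash chain.

Added illustration, not immudb's implementation: immudb uses a Merkle tree
and proofs; this hash chain shows the same guarantee in a few lines.
Entries and the tampering scenario below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    index: int
    key: str
    value: str
    prev_hash: str   # hash of the previous entry ("0" * 64 for the first)
    hash: str        # SHA-256 over (index, key, value, prev_hash)


def entry_hash(index, key, value, prev_hash):
    # Canonical JSON so the same fields always serialise identically.
    payload = json.dumps([index, key, value, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class ChainedLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, key, value):
        """Append a new version of key; returns the new head hash."""
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        idx = len(self.entries)
        e = Entry(idx, key, value, prev, entry_hash(idx, key, value, prev))
        self.entries.append(e)
        return e.hash  # the client stores this as its trust anchor

    def history(self, key):
        """Every value ever written for key, oldest first (nothing is overwritten)."""
        return [e.value for e in self.entries if e.key == key]

    def verify(self, trusted_head):
        """Recompute the chain against a head the client trusts.

        Returns None if the log is intact, otherwise the index of the first
        entry that breaks the chain (len(entries) if the tail was cut off or
        replaced wholesale so the recomputed head no longer matches).
        """
        prev = self.GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.hash != entry_hash(
                    e.index, e.key, e.value, e.prev_hash):
                return e.index
            prev = e.hash
        return None if prev == trusted_head else len(self.entries)


def demo():
    """Write three versions of an ACL, forge one, and show the detection."""
    log = ChainedLog()
    log.append("acl:db-prod", "alice,bob")
    log.append("acl:db-prod", "alice,bob,carol")
    head = log.append("acl:db-prod", "alice,bob")
    intact_before = log.verify(head) is None
    # An attacker with raw write access rewrites entry 1 in place and even
    # recomputes that entry's own hash so it looks self-consistent ...
    e = log.entries[1]
    forged_value = "alice,mallory"
    log.entries[1] = Entry(e.index, e.key, forged_value, e.prev_hash,
                           entry_hash(e.index, e.key, forged_value, e.prev_hash))
    # ... but entry 2 still commits to the original hash of entry 1.
    return intact_before, log.verify(head), log.history("acl:db-prod")


if __name__ == "__main__":
    ok, bad_index, versions = demo()
    print("intact before tampering:", ok)
    print("first inconsistent entry after tampering:", bad_index)
    print("recorded history:", versions)
```

The point the HN thread circles around is that "tamper proof" really means tamper evident against a verifier who holds something the attacker cannot rewrite: here the client's copy of the head hash. Whoever controls the storage can still rewrite every entry and recompute the whole chain, which is why immudb-style systems publish or externally anchor their state.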
  • tfsec

    Security scanner for your Terraform code

  • Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16

    tfsec
    Owner/Maintainer: Aqua Security (acquired in 2021)
    Age: First released on GitHub on March 5th, 2019
    License: MIT License

    The tfsec project is no longer actively maintained in favor of the Trivy tool. But because many people still use it and it's quite famous, I added tfsec to this comparison. However, I recommend against using it for new projects.

  • checkov

    Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

  • Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16

    Checkov
    Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021)
    Age: First released on GitHub on March 31st, 2021
    License: Apache License 2.0

  • cloud-custodian

    Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources

  • Project mention: Cutting down AWS cost by $150k per year simply by shutting things off | news.ycombinator.com | 2024-01-22

    > The best optimization is simply shutting things off

    This is the way.

    A similar idea has been bouncing around in my mind for a while now. An ideal, turnkey system would do the following:

    - Execute via Lambda (serverless).

    - Support automated startup and shutdown of various AWS resources on a schedule influenced by specially formatted tags.

    - Enable resources to be brought back up out of schedule when demand dictates.

    - Operate as a TCP/HTTP proxy that can delay clients so that a given service can be started when it is dormant or, even better, the service isn't serverless but you want it to be. This can't work for everything, but perhaps enough things such that the need to run always on services is reduced.

    Cloud Custodian [1] can purportedly do some of this, but I've been reluctant to learn yet another YAML-based DSL to use it.

    So this is my "make things designed to be always-on serverless instead" project and the work AWS has done to make Java apps function on Lambda keeps me thinking about the potential to take things that 1) have a relatively long startup time and 2) are designed to be long running service loops, and find a way to force them into the serverless execution model.

    [1] https://cloudcustodian.io/
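
As an added illustration of the tag-driven schedule the commenter sketches (this is not Cloud Custodian's code): the decision "should this resource be up right now", given a tag value such as off=(M-F,19);on=(M-F,7);tz=pt. The tag grammar loosely follows the form Custodian documents for its offhours filter; the day letters M T W H F S U, the 24-hour clock and evaluating in UTC are assumptions of this example. Lambda wiring, reading the tag from the resource and the actual start/stop API calls are left out.

```python
"""Decide whether a tagged resource should be running at a given time.

Added illustration for the schedule-by-tag idea above, not Cloud Custodian
code. The tag grammar (`off=(M-F,19);on=(M-F,7);tz=pt`) is a loose
rendering of the syntax Custodian documents for its offhours filter; the
day letters, 0-23 hours and UTC evaluation are assumptions made here.
"""
import re
from datetime import datetime, timezone

DAYS = "MTWHFSU"   # Monday..Sunday; index matches datetime.weekday()
_WINDOW = re.compile(r"^(on|off)=\(([A-Z-]+),(\d{1,2})\)$")


def _expand_days(spec):
    """'M-F' -> [0, 1, 2, 3, 4]; 'S' -> [5]; 'M-U' -> all seven days."""
    if "-" in spec:
        first, last = spec.split("-", 1)
        lo, hi = DAYS.index(first), DAYS.index(last)
        if lo > hi:
            raise ValueError(f"reversed day range {spec!r}")
        return list(range(lo, hi + 1))
    return [DAYS.index(spec)]


def parse_schedule(tag):
    """Return a 7x24 table whose cells hold 'on', 'off' or None (no transition)."""
    table = [[None] * 24 for _ in range(7)]
    for part in filter(None, (p.strip() for p in tag.split(";"))):
        if part.startswith("tz="):
            continue  # accepted but ignored: this example evaluates in UTC
        m = _WINDOW.match(part)
        if not m:
            raise ValueError(f"bad schedule element {part!r}")
        state, days, hour = m.group(1), m.group(2), int(m.group(3))
        if not 0 <= hour <= 23:
            raise ValueError(f"hour out of range in {part!r}")
        for d in _expand_days(days):
            table[d][hour] = state
    return table


def should_run(tag, at):
    """True if the most recent transition at or before `at` was 'on'.

    Walks backwards through the week, so a Friday 19:00 'off' keeps the
    resource down across the weekend until Monday 07:00 'on'. A tag with
    no transitions at all returns True: untagged resources are left alone.
    """
    table = parse_schedule(tag)
    at = at.astimezone(timezone.utc)
    day, hour = at.weekday(), at.hour
    for _ in range(7 * 24):          # at most one full week back
        state = table[day][hour]
        if state is not None:
            return state == "on"
        hour -= 1
        if hour < 0:
            hour, day = 23, (day - 1) % 7
    return True


def demo():
    """Evaluate the sample tag at four constructed instants (UTC)."""
    tag = "off=(M-F,19);on=(M-F,7);tz=pt"
    utc = timezone.utc
    checks = {
        "wed_noon":  datetime(2024, 1, 24, 12, tzinfo=utc),  # inside work hours
        "wed_late":  datetime(2024, 1, 24, 22, tzinfo=utc),  # after the 19:00 off
        "sat_noon":  datetime(2024, 1, 27, 12, tzinfo=utc),  # weekend, Fri off holds
        "mon_early": datetime(2024, 1, 22, 5, tzinfo=utc),   # before Monday 07:00 on
    }
    return {name: should_run(tag, when) for name, when in checks.items()}


if __name__ == "__main__":
    for name, running in demo().items():
        print(f"{name}: {'running' if running else 'stopped'}")
```

The scheduler that the comment imagines would run this once an hour per resource and call the start or stop API when the answer disagrees with the instance's current state; the "bring it back up out of schedule" case is an explicit override tag checked before this function, not a change to the schedule itself. Time zones are the part deliberately skipped here; a real implementation has to honour the tz key, and daylight-saving shifts are where these schedulers usually go wrong.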

  • ThreatMapper

    Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.

  • Project mention: ThreatMapper: Open-source cloud native security observability platform | news.ycombinator.com | 2023-09-10

  • OSSEC

    OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

  • Project mention: Local ignore rule on manager not working | /r/Wazuh | 2023-05-04

  • inspec

    InSpec: Auditing and Testing Framework

  • windows_hardening

    HardeningKitty and Windows Hardening settings and configurations

  • content

    Security automation content in SCAP, Bash, Ansible, and other formats (by ComplianceAsCode)

  • Project mention: Oracle linux CIS benchmark | /r/ansible | 2023-06-07

  • ballerine

    Open-source infrastructure and data orchestration platform for risk decisioning

  • Project mention: Ballerine Implements Open Source Transaction Monitoring for Fintech Companies | news.ycombinator.com | 2024-03-13

  • kubeconform

    A FAST Kubernetes manifests validator, with support for Custom Resources!

  • Project mention: Dealing with Yaml files | /r/kubernetes | 2023-07-05

    If you want to validate your resources against the schema of the resources (mind you also crds) you can use kubeconform.

  • bearer

    Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.

  • Project mention: Show HN: Bearer Code Security Scanner Add Support for Java, PHP, Go, and Python | news.ycombinator.com | 2023-10-26

  • macos_security

    macOS Security Compliance Project

  • Project mention: Windows Security Compliance project | /r/Intune | 2023-10-27

  • ort

    A suite of tools to automate software compliance checks.

  • lunasec

    LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

  • cli

    A lightweight, security-focused BDD test framework for Terraform (by terraform-compliance)

  • openscap

    NIST Certified SCAP 1.2 toolkit

  • comply

    Compliance automation framework, focused on SOC2

  • Project mention: SOC2: Drata, Scrut, Vanta | /r/cybersecurity | 2023-05-15

    There are even some free open source policy generator tools like this one: https://github.com/strongdm/comply

  • sudo_pair

    Plugin for sudo that requires another human to approve and monitor privileged sudo sessions

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

Index

What are some of the best open-source Compliance projects? This list will help you:

Rank  Project                   Stars
   1  lynis                    12,493
   2  prowler                   9,514
   3  OPA (Open Policy Agent)   9,118
   4  Wazuh                     9,108
   5  immudb                    8,481
   6  tfsec                     6,544
   7  checkov                   6,512
   8  cloud-custodian           5,201
   9  ThreatMapper              4,631
  10  OSSEC                     4,256
  11  inspec                    2,810
  12  windows_hardening         2,153
  13  content                   2,076
  14  ballerine                 1,934
  15  kubeconform               1,912
  16  bearer                    1,736
  17  macos_security            1,547
  18  ort                       1,472
  19  lunasec                   1,406
  20  cli                       1,321
  21  openscap                  1,268
  22  comply                    1,236
  23  sudo_pair                 1,230
