Top 23 Devsecops Open-Source Projects
-
trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
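Trivy can already gate a pipeline on its own with `--severity HIGH,CRITICAL`, `--ignore-unfixed` and `--exit-code 1`. The following is an added example (my code, not Trivy's or Aqua Security's) that reads the report written by `trivy image --format json --output report.json <image>` and applies a policy those flags cannot express in a single run: every CRITICAL finding blocks, a HIGH finding blocks only when a fixed version exists, and a `.trivyignore`-style allowlist records accepted risk. The report and allowlist embedded below are constructed for illustration; the `CVE-0000-000N` identifiers are placeholders, not real advisories.

```python
"""Policy gate over a Trivy JSON report (added example, not Trivy's own code)."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the layout `trivy image --format json` emits
# (SchemaVersion 2, one Results[] entry per scanned target). CVE IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.internal/app:1.0",
    "Results": [
        {"Target": "example.internal/app:1.0 (alpine 3.18.4)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.1.3-r0", "FixedVersion": "3.1.4-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.1-r2", "Severity": "CRITICAL"},  # no FixedVersion yet
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
              "InstalledVersion": "1.2.13-r1", "FixedVersion": "1.3-r0", "Severity": "LOW"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests",
              "InstalledVersion": "2.30.0", "FixedVersion": "2.31.0", "Severity": "MEDIUM"},
         ]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},  # no Vulnerabilities key
    ],
})

# Constructed .trivyignore-style allowlist: one vulnerability ID per line, '#' starts a comment.
SAMPLE_IGNORE = """
# risk accepted until the base image ships a fix; review monthly
CVE-0000-0002
"""


def load_ignore_list(text):
    """Return the set of vulnerability IDs listed in a .trivyignore-style file."""
    ids = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            ids.add(entry.split()[0])
    return frozenset(ids)


def parse_report(text):
    """Flatten Results[].Vulnerabilities[] into one dict per finding."""
    report = json.loads(text)
    if report.get("SchemaVersion") != 2:
        raise ValueError("unsupported Trivy report schema: %r" % report.get("SchemaVersion"))
    findings = []
    for result in report.get("Results", []):
        # Config and secret targets carry no Vulnerabilities key; `or []` also covers null.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
            })
    return findings


def blocking_findings(findings, ignore=frozenset()):
    """Policy: every CRITICAL blocks (an unfixed one needs an explicit allowlist entry);
    HIGH blocks only when a fixed version exists; MEDIUM and below are report-only."""
    blocking = []
    for f in findings:
        if f["id"] in ignore:
            continue
        rank = SEVERITY_RANK.get(f["severity"], 0)
        if rank >= SEVERITY_RANK["CRITICAL"] or (rank == SEVERITY_RANK["HIGH"] and f["fixed"]):
            blocking.append(f)
    return blocking


def gate(report_text, ignore_text=""):
    """Return (exit_code, summary_lines): exit code 1 when the policy blocks, else 0."""
    findings = parse_report(report_text)
    blocking = blocking_findings(findings, load_ignore_list(ignore_text))
    lines = ["%d finding(s), %d blocking" % (len(findings), len(blocking))]
    for f in blocking:
        fix = "fix: %s" % f["fixed"] if f["fixed"] else "no fix available"
        lines.append("BLOCK %s %s %s %s (%s) in %s"
                     % (f["severity"], f["id"], f["pkg"], f["installed"], fix, f["target"]))
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    # Usage: python trivy_gate.py report.json [.trivyignore]; no arguments runs the sample.
    if len(sys.argv) > 1:
        report = open(sys.argv[1], encoding="utf-8").read()
        ignore = open(sys.argv[2], encoding="utf-8").read() if len(sys.argv) > 2 else ""
    else:
        report, ignore = SAMPLE_REPORT, SAMPLE_IGNORE
    code, out = gate(report, ignore)
    print("\n".join(out))
    sys.exit(code)
```

Run it after the scan step and let its exit status decide the job. Keeping the allowlist in the repository next to the Dockerfile means an accepted unfixed CRITICAL is reviewed with the code that depends on it rather than silently suppressed in CI configuration.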
-
Mobile-Security-Framework-MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
-
prowler
Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
-
Netmaker
Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
-
Scanners-Box
A powerful and open-source toolkit for hackers and security automation - a collection of open-source scanners built by security-industry practitioners
-
firezone
Open-source VPN server and egress firewall for Linux built on WireGuard. Firezone is easy to set up (all dependencies are bundled thanks to Chef Omnibus), secure, performant, and self hostable.
-
ThreatMapper
Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.
-
terrascan
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
-
awesome-devsecops
An authoritative list of awesome devsecops tools with the help from community experiments and contributions.
-
kubernetes-goat
Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground
-
SecretScanner
Find secrets and passwords in container images and file systems
-
dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16
Trivy Owner/Maintainer: Aqua Security Age: First released on GitHub on May 7th, 2019 License: Apache License 2.0 backward-compatible with tfsec
install gitleaks in your machine gitleaks
Project mention: Seeking help to identify vulnerabilities and secrets in a website backup file | /r/HowToHack | 2023-07-03
Trufflehog
Project mention: Ask HN: Cloud security auditing for indie-grade projects? | news.ycombinator.com | 2023-12-04
Which cloud provider?
https://github.com/prowler-cloud/prowler is easy to get going with, and gives decent results. It's much stronger at AWS than GCP or Azure.
Steampipe can be a little harder to wrap your head around, but scales really well and has broader support: https://hub.steampipe.io/mods?objectives=security
Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16
tfsec Owner/Maintainer: Aqua Security (acquired in 2021) Age: First released on GitHub on March 5th, 2019 License: MIT License tfsec project is no longer actively maintained in favor of the Trivy tool. But because many people still use it and it's quite famous, I added tfsec to this comparison. However, I recommend against using it for new projects.
Project mention: Steampipe: Dynamically query APIs, code and more with SQL | news.ycombinator.com | 2024-04-04
Project mention: WireGuard -based scalable remote access platform | news.ycombinator.com | 2023-11-16
Project mention: ThreatMapper: Open-source cloud native security observability platform | news.ycombinator.com | 2023-09-10
Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16
Terrascan Owner/Maintainer: Tenable (acquired in 2022) Age: First release on GitHub on November 28th, 2017 License: Apache License 2.0
Project mention: BunkerWeb: Nginx-based open-source Web Application Firewall (WAF) | news.ycombinator.com | 2024-01-09
Project mention: Ask HN: Tell us about your project that's not done yet but you want feedback on | news.ycombinator.com | 2023-08-16
- Build your own honeypot with ContainerSSH (DevConf CZ 2021) [4]
[1]: https://containerssh.io
Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21
I've become interested in SBOM recently, and found there were great tools like https://dependencytrack.org/ for CycloneDX SBOMs, but all I have is SPDX SBOMs generated by GitHub.
I decided to have a go at writing my own dependency track esque tool aiming to integrate with the APIs GitHub provides.
It's pretty limited in functionality so far, but can give a high level summary of the types of licenses your repository dependencies use, and let you drill down into potentially problematic ones.
Written in NextJS + mui + sqlite, and using another project of mine to generate most of the API boilerplate/glue (https://github.com/mnahkies/openapi-code-generator)
Devsecops related posts
- A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons
- Cloud Tools You Probably Haven't Heard Of
- Show HN: Vet now supports detecting malicious packages
- GitHub - boringtools/git-alerts: Tool to detect and monitor GitHub org users' public repositories for secrets and sensitive files
- GitHub: Can no longer search code without being logged in
Index
What are some of the best open-source Devsecops projects? This list will help you:
| # | Project | Stars |
|---|---------|-------|
| 1 | trivy | 21,316 |
| 2 | Mobile-Security-Framework-MobSF | 16,289 |
| 3 | gitleaks | 15,197 |
| 4 | trufflehog | 13,863 |
| 5 | prowler | 9,514 |
| 6 | Netmaker | 8,928 |
| 7 | Scanners-Box | 7,967 |
| 8 | tfsec | 6,544 |
| 9 | steampipe | 6,379 |
| 10 | firezone | 6,186 |
| 11 | DevSecOps | 5,267 |
| 12 | ThreatMapper | 4,631 |
| 13 | faraday | 4,600 |
| 14 | terrascan | 4,494 |
| 15 | awesome-devsecops | 4,383 |
| 16 | kubernetes-goat | 3,862 |
| 17 | BunkerWeb | 3,422 |
| 18 | django-DefectDojo | 3,384 |
| 19 | dalfox | 3,272 |
| 20 | SecretScanner | 2,956 |
| 21 | openrasp | 2,691 |
| 22 | ContainerSSH | 2,565 |
| 23 | dependency-track | 2,315 |