DevSecOps Tooling
SAST
- returntocorp/semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. (github.com)
- GitHub - bridgecrewio/checkov: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
- Code Quality, Security & Static Analysis Tool with SonarQube | Sonar (sonarsource.com)
- GitHub - aquasecurity/trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
- GitHub - tenable/terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
- GitHub - aquasecurity/tfsec: Security scanner for your Terraform code
tools that I did not try:
- microsoft/DevSkim: DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. (github.com)
- pmd/pmd: An extensible multilanguage static code analyzer. (github.com)
SAST AI Integrations
- 10x your AppSec program with Semgrep Assistant
- Triaging and Fixing Bugs: Fixing security vulnerabilities with AI - The GitHub Blog
IAST
Secret Scanning
tools that I did not try:
Container Scanning
Dockerfile
Docker Images
- GitHub - aquasecurity/trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
- GitHub - goodwithtech/dockle: Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
- GitHub - anchore/grype: A vulnerability scanner for container images and filesystems
- Docker Scout | Docker Docs
Supply Chain/SCA
- Snyk | Top SAST & SCA Considerations
- GitHub - chainguard-dev/bincapz: enumerate binary capabilities, including malicious behaviors
- Dependabot - The GitHub Blog
Secrets Management
- GitHub - hashicorp/vault: A tool for secrets management, encryption as a service, and privileged access management
tools that I did not try:
- GitHub - Infisical/infisical: ♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure and prevent secret leaks.
System Hardening
- Golden Packer Images (AMIs & Base Containers)
- Ansible scripts on prod machines/containers/pods
- Scan docker daemon on machines: GitHub - docker/docker-bench-security: The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
AI Model Scanning
Threat Modelling as Code
- GitHub - yevh/TaaC-AI: AI-driven Threat modeling-as-a-Code (TaaC-AI)
- IriusRisk | Automated Threat Modeling Tool