DevSecOps Tooling

SAST

• returntocorp/semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. (github.com)
• GitHub - bridgecrewio/checkov: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
• Code Quality, Security & Static Analysis Tool with SonarQube | Sonar (sonarsource.com)
• GitHub - aquasecurity/trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
• GitHub - tenable/terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
• GitHub - aquasecurity/tfsec: Security scanner for your Terraform code

tools that I did not try:

• microsoft/DevSkim: DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. (github.com)
• pmd/pmd: An extensible multilanguage static code analyzer. (github.com)

SAST AI Integrations

• 10x your AppSec program with Semgrep Assistant
• Triaging and Fixing Bugs: Fixing security vulnerabilities with AI - The GitHub Blog

IAST

• Contrast Security | Application Security Software Platform

Secret Scanning

• trufflesecurity/trufflehog: Find credentials all over the place (github.com)

tools that I did not try:

• thoughtworks/talisman: Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys. (github.com)

Container Scanning:

DockerFile

• GitHub - hadolint/hadolint: Dockerfile linter, validate inline bash, written in Haskell

Docker Images

• GitHub - aquasecurity/trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
• GitHub - goodwithtech/dockle: Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
• GitHub - anchore/grype: A vulnerability scanner for container images and filesystems
• Docker Scout | Docker Docs

Supply Chain/SCA

• Snyk | Top SAST & SCA Considerations
• GitHub - chainguard-dev/bincapz: enumerate binary capabilities, including malicious behaviors
• Dependabot - The GitHub Blog

Secrets Management

• GitHub - hashicorp/vault: A tool for secrets management, encryption as a service, and privileged access management tools that I did not try::
• GitHub - Infisical/infisical: ♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure and prevent secret leaks.

System Hardening

• Golden Packer Images (AMIs & Base Containers)
• ansible scripts on prod machines/containers/pods
• Scan docker daemon on machines: GitHub - docker/docker-bench-security: The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

AI Model Scanning

• Pickle Scanning (huggingface.co)

Threat Modelling as Code

• GitHub - yevh/TaaC-AI: AI-driven Threat modeling-as-a-Code (TaaC-AI)
• Irius Risk | Automated Threat Modeling Tool

Resources

• DSOMM (owasp.org)
• GitHub - hysnsec/awesome-threat-modelling: A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.