A large share of the effort in adopting DevSecOps goes into searching for, comparing, and choosing tools. This list is meant to cut that overhead so you can pick a tool for each stage and apply it quickly 😎
Type | Name | Description | Popularity | Language |
---|---|---|---|---|
Build/SAST | Gitleaks | Gitleaks is a SAST tool for detecting hardcoded secrets like API keys, tokens, and passwords in Git repositories, providing a CLI, GitHub Action, and pre-commit hooks for secret detection. | ||
Build/SAST | SonarQube | SonarQube is an open-source platform for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages. | ||
Build/SAST | codeql | CodeQL is GitHub's semantic code analysis engine: it compiles source code into a queryable database so that security checks can be expressed as queries over the code. | ||
Build/SAST | ggshield | An open source CLI from GitGuardian to detect 350+ types of hardcoded secrets and 70+ IaC misconfigurations | ||
Build/SAST | semgrep | Lightweight static analysis for many languages. Find bug variants with patterns that look like source code. | ||
Build/SAST | sonarcloud-github-action | Integrate SonarCloud code analysis to GitHub Actions | ||
Build/SECRET-MANAGE | kamus | An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications | ||
Build/SECRET-MANAGE | secrets-sync-action | A Github Action that can sync secrets from one repository to many others. | ||
Build/SECRET-MANAGE | vault-action | A GitHub Action that simplifies using HashiCorp Vault™ secrets as build variables. | ||
Design/THREAT | owasp-threat-dragon-desktop | An installable desktop variant of OWASP Threat Dragon | ||
Design/THREAT | pytm | A Pythonic framework for threat modeling | ||
Design/THREAT | seasponge | SeaSponge is an accessible threat modelling tool from Mozilla | ||
Design/THREAT | threagile | Agile Threat Modeling Toolkit | ||
Operate and Monitor/COMPONENT-ANALYSIS | dependency-track | Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. | ||
Operate and Monitor/K8S | kube-hunter | Hunt for security weaknesses in Kubernetes clusters | ||
Operate and Monitor/SECURITY-AUDIT | Prowler | Prowler is a security tool for AWS, providing over 100 checks for compliance with standards like CIS, GDPR, and HIPAA, and auditing AWS account configurations. | ||
Operate and Monitor/SECURITY-SCAN | Trivy | Trivy is an open-source, all-in-one security scanner for container images, file systems, and Git repositories, detecting vulnerabilities and misconfigurations. | ||
Test/DAST | action-baseline | A GitHub Action for running the OWASP ZAP Baseline scan | ||
Test/DAST | action-dalfox | XSS scanning with Dalfox as a GitHub Action | ||
Test/DAST | action-full-scan | A GitHub Action for running the OWASP ZAP Full scan | ||
Test/DAST | zaproxy | The OWASP ZAP core project | ||
Test/PENTEST | faraday | Collaborative Penetration Test and Vulnerability Management Platform | ||
Test/PENTEST | metasploit-framework | Metasploit Framework | ||
Test/PENTEST | monkey | Infection Monkey - An automated pentest tool | ||
Test/PENTEST | nuclei | Fast and customizable vulnerability scanner based on simple YAML based DSL. | ||
Test/PENTEST | ptf | The Penetration Testers Framework (PTF) provides modular support for installing and keeping pentesting tools up to date. | ||
Please read the Contributing document before submitting changes!