Ultimate DevOps Library PDF
By sottlmarek
Abstract
This library contains a list of tools and methodologies, accompanied with
resources. The main goal is to give engineers a guide through open-source
DevSecOps tooling. This repository covers only cyber security in the cloud
and the DevSecOps scope.
What is DevSecOps
DevSecOps focuses on security automation, testing and enforcement during the
DevOps, release and SDLC cycles. The whole idea behind this methodology is
connecting Development, Security and Operations. DevSecOps is a methodology
providing different methods, techniques and processes, backed mainly by tooling
that focuses on the developer / security experience.
DevSecOps makes sure that security is part of every stage of the DevOps loop:
Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.
Various definitions:
https://www.redhat.com/en/topics/devops/what-is-devsecops
https://www.ibm.com/cloud/learn/devsecops
https://snyk.io/series/devsecops/
https://www.synopsys.com/glossary/what-is-devsecops.html
https://spacelift.io/blog/what-is-devsecops
Tooling
Pre-commit time tools
In this section you can find lifecycle helpers, pre-commit hook tools and threat
modeling tools. Threat modeling tools are a specific category by themselves,
allowing you to simulate and discover potential gaps before you start to develop
the software or during the process.
Modern DevSecOps tools allow using threat modeling as code, or generating threat
models from existing code annotations.
| Name | URL | Description |
| --- | --- | --- |
| git-hound | https://github.com/tillson/git-hound | Searches secrets in git |
| goSDL | https://github.com/slackhq/goSDL | Security Development Lifecycle checklist |
| ThreatPlaybook | https://github.com/we45/ThreatPlaybook | Threat modeling as code |
| Threat Dragon | https://github.com/OWASP/threat-dragon | OWASP Threat modeling tool |
| threatspec | https://github.com/threatspec/threatspec | Threat modeling as code |
| pytm | https://github.com/izar/pytm | A Pythonic framework for threat modeling |
| Threagile | https://github.com/Threagile/threagile | A Go framework for threat modeling |
| MAL-lang | https://mal-lang.org/#what | A language to create cyber threat modeling systems for specific domains |
| Talisman | https://github.com/thoughtworks/talisman | A tool to detect and prevent secrets from getting checked in |
| SEDATED | https://github.com/OWASP/SEDATED | The SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git. |
| DevSkim | https://github.com/microsoft/DevSkim | DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis |
| detect-secrets | https://github.com/Yelp/detect-secrets | Detects secrets in your codebase |
| tflint | https://github.com/terraform-linters/tflint | A Pluggable Terraform Linter |
Secrets management
Secrets management includes managing, versioning, encrypting, discovering,
rotating and provisioning passwords, certificates, configuration values and
other types of secrets.
| Name | URL | Description |
| --- | --- | --- |
| GitLeaks | https://github.com/zricethezav/gitleaks | Gitleaks is a scanning tool for detecting hardcoded secrets |
| ggshield | https://github.com/gitguardian/ggshield | GitGuardian shield (ggshield) is a CLI application that runs in your local environment or in a CI environment and helps you detect more than 350+ types of secrets and sensitive files. |
| TruffleHog | https://github.com/trufflesecurity/truffleHog | TruffleHog is a scanning tool for detecting hardcoded secrets |
| AWS secrets manager GH action | https://github.com/marketplace/actions/aws-secrets-manager-actions | AWS secrets manager docs |
| GitRob | https://github.com/michenriksen/gitrob | Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github |
| Chef vault | https://github.com/chef/chef-vault | Allows you to encrypt a Chef Data Bag Item |
| Ansible vault | docs | Encryption/decryption utility for Ansible data files |
| Name | URL | Description |
| --- | --- | --- |
| CycloneDX | https://github.com/orgs/CycloneDX/repositories | CycloneDX format for SBOM |
| cdxgen | https://github.com/AppThreat/cdxgen | Generates CycloneDX SBOM, supports many languages and package managers. |
| SPDX | https://github.com/spdx/spdx-spec | SPDX format for SBOM - Software Package Data Exchange |
| vulncost | https://github.com/snyk/vulncost | Security Scanner for VS Code |
| Dependency Combobulator | https://github.com/apiiro/combobulator | Dependency-related attacks detection and prevention through heuristics and insight engine (supports multiple dependency schemes) |
| DependencyTrack | https://github.com/DependencyTrack/dependency-track | Dependency security tracking platform |
| DependencyCheck | https://github.com/jeremylong/DependencyCheck | Simple dependency security scanner good for CI |
| Retire.js | https://github.com/retirejs/retire.js/ | Helps developers to detect the use of JS-library versions with known vulnerabilities |
| PHP security checker | https://github.com/fabpot/local-php-security-checker | Check vulnerabilities in PHP dependencies |
| bundler-audit | https://github.com/rubysec/bundler-audit | Patch-level verification for bundler |
| gemnasium | https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium | Dependency Scanning Analyzer based on Gemnasium |
| Dependabot | https://github.com/dependabot/dependabot-core | Automated dependency updates built into GitHub providing security alerts |
| Renovatebot | https://github.com/renovatebot/renovate | Automated dependency updates, patches multi-platform and multi-language |
| npm-check | https://www.npmjs.com/package/npm-check | Check for outdated, incorrect, and unused dependencies. |
| Security Scorecards | https://securityscorecards.dev | Checks for several security health metrics on open source libraries and provides a score (0-10) to be considered in the decision making of what libraries to use. |
| Tekton chains | https://github.com/tektoncd/chains | Kubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton. |
| in-toto | https://github.com/in-toto/attestation/tree/v0.1.0/spec | An in-toto attestation is authenticated metadata about one or more software artifacts |
| ratify | https://github.com/deislabs/ratify | Artifact Ratification Framework |
SAST
Static code review tools work with source code and look for known patterns and
relationships of methods, variables, classes and libraries. SAST works with the
raw code and usually not with built packages.
| Name | URL | Description |
| --- | --- | --- |
| Brakeman | https://github.com/presidentbeef/brakeman | Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities |
| Semgrep | https://semgrep.dev/ | Hi-Quality Open source, works on 17+ languages |
| Bandit | https://github.com/PyCQA/bandit | Python specific SAST tool |
| libsast | https://github.com/ajinabraham/libsast | Generic SAST for Security Engineers. Powered by regex based pattern matcher and semantic aware semgrep |
| nodejsscan | https://github.com/ajinabraham/nodejsscan | NodeJs SAST scanner with GUI |
| FindSecurityBugs | https://find-sec-bugs.github.io/ | The SpotBugs plugin for security audits of Java web applications |
| SonarQube community | https://github.com/SonarSource/sonarqube | Detect security issues in code review with Static Application Security Testing (SAST) |
| gosec | https://github.com/securego/gosec | Inspects source code for security problems by scanning the Go AST. |
| Safety | https://github.com/pyupio/safety | Checks Python dependencies for known security vulnerabilities. |
Note: Semgrep is a free CLI tool; however, the rulesets (https://semgrep.dev/r)
have various licences: some are free to use and some are commercial.
DAST
Dynamic application security testing (DAST) is a type of application testing (in
most cases of web applications) that checks your application from the outside by
actively communicating with it and analysing the responses to injected inputs.
DAST tools rely on inputs and outputs to operate. A DAST tool uses these to check
for security problems while the software is actually running and actively deployed
on a server (or as a serverless function).
| Name | URL | Description |
| --- | --- | --- |
| Zap proxy | https://owasp.org/www-project-zap/ | Zap proxy providing various docker containers for CI/CD pipeline |
| Wapiti | https://github.com/wapiti-scanner/wapiti | Light pipeline ready scanning tool |
| Nuclei | https://github.com/projectdiscovery/nuclei | Template based security scanning tool |
| oss-fuzz | https://github.com/google/oss-fuzz | OSS-Fuzz: Continuous Fuzzing for Open Source Software |
| skipfish | https://code.google.com/archive/p/skipfish/ | Skipfish is an active web application security reconnaissance tool |

| Name | URL | Description |
| --- | --- | --- |
| SecureCodeBox | https://github.com/secureCodeBox/secureCodeBox | Toolchain for continuous scanning of applications and infrastructure |
| OpenSCAP | https://github.com/OpenSCAP/openscap | Open Source Security Compliance Solution |
| ThreatMapper | https://github.com/deepfence/ThreatMapper | ThreatMapper hunts for vulnerabilities in your production platforms, and ranks these vulnerabilities based on their risk-of-exploit. |
Kubernetes
| Name | URL | Description |
| --- | --- | --- |
| KubiScan | https://github.com/cyberark/KubiScan | A tool for scanning Kubernetes cluster for risky permissions |
| Kubeaudit | https://github.com/Shopify/kubeaudit | Audit Kubernetes clusters for various different security concerns |
| kubesec | https://github.com/controlplaneio/kubesec | Security risk analysis for Kubernetes resources |
| kube-bench | https://github.com/aquasecurity/kube-bench | Kubernetes benchmarking tool |
| kube-score | https://github.com/zegl/kube-score | Static code analysis of your Kubernetes object definitions |
| kube-hunter | https://github.com/aquasecurity/kube-hunter | Active scanner for k8s (purple) |
| Calico | https://github.com/projectcalico/calico | Calico is an open source networking and network security solution for containers |
| Krane | https://github.com/appvia/krane | Simple Kubernetes RBAC static analysis tool |
| Starboard | https://github.com/aquasecurity/starboard | Starboard integrates security tools by outputs into Kubernetes CRDs |
| Gatekeeper | https://github.com/open-policy-agent/gatekeeper | Open policy agent gatekeeper for k8s |
| Inspektor-gadget | https://github.com/kinvolk/inspektor-gadget | Collection of tools (or gadgets) to debug and inspect k8s |
| kube-linter | https://github.com/stackrox/kube-linter | Static analysis for Kubernetes |
| mizu-api-traffic-viewer | https://github.com/up9inc/mizu | A simple-yet-powerful API traffic viewer for Kubernetes enabling you to view all API communication between microservices to help you debug and troubleshoot regressions. |
| HelmSnyk | https://github.com/snyk-labs/helm-snyk | The Helm plugin for Snyk provides a subcommand for testing the images. |
| Kubewarden | https://github.com/orgs/kubewarden/repositories | Policy as code for kubernetes from SUSE. |
| Kubernetes-sigs BOM | https://github.com/kubernetes-sigs/bom | Kubernetes BOM generator |
| Capsule | https://github.com/clastix/capsule | A multi-tenancy and policy-based framework for Kubernetes |
| Badrobot | https://github.com/controlplaneio/badrobot | Badrobot is a Kubernetes Operator audit tool |
| Istio | https://istio.io | Istio is a service mesh based on Envoy. Engage encryption, role-based access, and authentication across services. |
Containers
| Name | URL | Description |
| --- | --- | --- |
| Harbor | https://github.com/goharbor/harbor | Trusted cloud native registry project |
| Anchore | https://github.com/anchore/anchore-engine | Centralized service for inspection, analysis, and certification of container images |
| Clair | https://github.com/quay/clair | Docker vulnerability scanner |
| Deepfence ThreatMapper | https://github.com/deepfence/ThreatMapper | Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless. |
| Docker bench | https://github.com/docker/docker-bench-security | Docker benchmarking against CIS |
| Falco | https://github.com/falcosecurity/falco | Container runtime protection |
| Trivy | https://github.com/aquasecurity/trivy | Comprehensive scanner for vulnerabilities in container images |
| Cosign | https://github.com/sigstore/cosign | Container signing |
| watchtower | https://github.com/containrrr/watchtower | Updates the running version of your containerized app |
| Grype | https://github.com/anchore/grype | Vulnerability scanner for container images (and also filesystems). |
Multi-Cloud
| Name | URL | Description |
| --- | --- | --- |
| Cloudsploit | https://github.com/aquasecurity/cloudsploit | Detection of security risks in cloud infrastructure |
| ScoutSuite | https://github.com/nccgroup/ScoutSuite | NCCgroup multicloud scanning tool |
| CloudCustodian | https://github.com/cloud-custodian/cloud-custodian/ | Multicloud security analysis framework |
| CloudGraph | https://github.com/cloudgraphdev/cli | GraphQL API + Security for AWS, Azure, GCP, and K8s |
AWS
AWS specific DevSecOps tooling. The tools here cover different areas like
inventory management, misconfiguration scanning, or IAM roles and policies review.
| Name | URL | Description |
| --- | --- | --- |
| Dragoneye | https://github.com/indeni/dragoneye | Dragoneye Indeni AWS scanner |
| Prowler | https://github.com/toniblyx/prowler | Prowler is a command line tool that helps with AWS security assessment, auditing, hardening and incident response. |
| aws-inventory | https://github.com/nccgroup/aws-inventory | Helps to discover all AWS resources created in an account |
| PacBot | https://github.com/tmobile/pacbot | Policy as Code Bot (PacBot) |
| Komiser | https://github.com/mlabouardy/komiser | Monitoring dashboard for costs and security |
| ElectricEye | https://github.com/jonrau1/ElectricEye | Continuously monitor your AWS services for configurations |
| Cloudmapper | https://github.com/duo-labs/cloudmapper | CloudMapper helps you analyze your Amazon Web Services (AWS) environments |
| cartography | https://github.com/lyft/cartography | Consolidates AWS infrastructure assets and the relationships between them in an intuitive graph |
| policy_sentry | https://github.com/salesforce/policy_sentry | IAM Least Privilege Policy Generator |
| AirIAM | https://github.com/bridgecrewio/AirIAM | IAM Least Privilege analyzer and Terraformer |
| StreamAlert | https://github.com/airbnb/streamalert | AirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert |
| CloudQuery | https://github.com/cloudquery/cloudquery/ | AirBnB serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert |
| S3Scanner | https://github.com/sa7mon/S3Scanner/ | A tool to find open S3 buckets and dump their contents |
| kube2iam | https://github.com/jtblin/kube2iam/ | A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster |
| Globaldatanet factory | AWS Firewall FMS automation | Deploy, update, and stage your WAFs while managing them centrally via FMS |
| Parliment | Parliment | Parliament is an AWS IAM linting library |
| Yor | Yor | Adds informative and consistent tags across infrastructure-as-code frameworks such as Terraform, CloudFormation, and Serverless |

| Name | URL | Description |
| --- | --- | --- |
| Forseti | https://github.com/forseti-security/forseti-security | Complex security orchestration and scanning platform |
Policy as code
Policy as code is the idea of writing code in a high-level language to manage and
automate policies. By representing policies as code in text files, proven software
development best practices can be adopted such as version control, automated testing,
and automated deployment.
(Source: https://docs.hashicorp.com/sentinel/concepts/policy-as-code)
| Name | URL | Description |
| --- | --- | --- |
| Open Policy agent | https://github.com/open-policy-agent/opa | General-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack |
| Kyverno | https://github.com/kyverno/kyverno | Kyverno is a policy engine designed for Kubernetes |
| Cloud Formation guard | https://github.com/aws-cloudformation/cloudformation-guard | Cloud Formation policy as code |
| cnspec | https://github.com/mondoohq/cnspec | cnspec is a cloud-native and powerful Policy as Code engine to assess the security and compliance of your business-critical infrastructure. cnspec finds vulnerabilities and misconfigurations on all systems in your infrastructure including: public and private cloud environments, Kubernetes clusters, containers, container registries, servers and endpoints, SaaS products, infrastructure as code, APIs, and more. |
Chaos engineering
Chaos Engineering is the discipline of experimenting on a system in order to build
confidence in the system’s capability to withstand turbulent conditions in production.
| Name | URL | Description |
| --- | --- | --- |
| chaos-mesh | https://github.com/chaos-mesh/chaos-mesh | It is a cloud-native Chaos Engineering platform that orchestrates chaos on Kubernetes environments |
| Chaos monkey | https://netflix.github.io/chaosmonkey/ | Chaos Monkey is responsible for randomly terminating instances in production to ensure that engineers implement their services to be resilient to instance failures. |
| | | platform fails to do so on its own. |
| Kube-Invaders | https://github.com/lucky-sideburn/KubeInvaders | Gamified chaos engineering tool for Kubernetes |
| kube-monkey | https://github.com/asobti/kube-monkey | Gamified chaos engineering tool for Kubernetes |
| Litmus Chaos | https://litmuschaos.io/ | Litmus is an end-to-end chaos engineering platform for cloud native infrastructure and applications. Litmus is designed to orchestrate and analyze chaos in their environments. |
| Gremlin | https://github.com/gremlin/gremlin-python | Chaos engineering SaaS platform with free plan and some open source libraries |
| Name | URL | Description |
| --- | --- | --- |
| KICS | https://github.com/Checkmarx/kics | Checkmarx security testing opensource for IaC |
| Checkov | https://github.com/bridgecrewio/checkov | Checkov is a static code analysis tool for infrastructure-as-code |
| terrascan | https://github.com/accurics/terrascan | Terrascan is a static code analyzer for Infrastructure as Code |
| cfsec | https://github.com/aquasecurity/cfsec | cfsec scans CloudFormation configuration files for security issues |
Orchestration
Event driven security helps to drive, automate and execute tasks for security
processes. The tools here are not dedicated security tools, but they help to
automate and orchestrate security tasks, or are part of most modern security
automation frameworks or tools.
| Name | URL | Description |
| --- | --- | --- |
| StackStorm | https://github.com/StackStorm/st2 | Platform for integration and automation across services and tools supporting event driven security |
| DefectDojo | https://github.com/DefectDojo/django-DefectDojo | Security orchestration and vulnerability management platform |
| | | centralized information |
https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf
https://dodcio.defense.gov/Portals/0/Documents/Library/DoDEnterpriseDevSecOpsStrategyGuide.pdf
https://csrc.nist.gov/publications/detail/sp/800-204c/draft
https://owasp.org/www-project-devsecops-maturity-model/
https://www.sans.org/posters/cloud-security-devsecops-best-practices/
https://d1.awsstatic.com/whitepapers/aws-development-test-environments.pdf
https://d1.awsstatic.com/whitepapers/AWS_DevOps.pdf
https://d1.awsstatic.com/whitepapers/AWS_Blue_Green_Deployments.pdf
https://d1.awsstatic.com/whitepapers/DevOps/import-windows-server-to-amazon-ec2.pdf
https://d1.awsstatic.com/whitepapers/DevOps/Jenkins_on_AWS.pdf
https://d1.awsstatic.com/whitepapers/DevOps/practicing-continuous-integration-continuous-delivery-on-AWS.pdf
https://d1.awsstatic.com/whitepapers/DevOps/infrastructure-as-code.pdf
https://d1.awsstatic.com/whitepapers/microservices-on-aws.pdf
https://d1.awsstatic.com/whitepapers/DevOps/running-containerized-microservices-on-aws.pdf
https://d1.awsstatic.com/Marketplace/solutions-center/downloads/AppSec-DevSecOps-AWS-SANS-eBook.pdf (AWS + SANS whitepaper)
AWS blog:
https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/
https://aws.amazon.com/blogs/devops/building-an-end-to-end-kubernetes-based-devsecops-software-factory-on-aws/
Microsoft whitepapers:
https://azure.microsoft.com/mediahandler/files/resourcefiles/6-tips-to-integrate-security-into-your-devops-practices/DevSecOps_Report_Tips_D6_fm.pdf
https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-azure
https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-github
GCP whitepapers:
https://cloud.google.com/architecture/devops/devops-tech-shifting-left-on-security
https://cloud.google.com/security/overview/whitepaper
https://services.google.com/fh/files/misc/security_whitepapers_march2018.pdf
https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security
https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf
Other
Here are the other links and resources that do not fit in any previous category.
They may span multiple categories or help you in your learning.
Training - https://www.practical-devsecops.com/devsecops-university/
License
MIT license