35 DevSecOps Tools to Add Sec to Your DevOps
This article describes 35 DevSecOps tools you can use to harden your security application. The tools are open source and have been arranged in order with regards to their star on GitHub.
The DevSecOps practice is becoming popularly known as cloud-native technologies keep getting adopted. Some tools have been designed for easily integrating security into development workflows. In the order of most starred to the less starred on GitHub, we briefly described these 35 tools to share what each tool is about.
Mobile security framework (MobSF)
MobSF is a universal mobile application security tool. It is an automated, malware analysis and security assessment framework that carries out static and dynamic analysis of mobile applications. It supports Android, IOS, and Windows operating systems and supports mobile app binaries like APK, XAPK, IPA, and APPX.
Trivy is a vulnerability scanner in container images, Git repos, file systems, and configuration issues.
Trivy scans IaC, detects language-specific packages and OS packages. Its features are but are not limited to, DevSecOps, misconfiguration detection, comprehensive vulnerability detection, multiple target support.
gitleaks is an easy-to-use SAST tool used in detecting secrets like API keys and tokens in git repos. It is a tool available in binary form for popular platforms and OS and also can be installed using Docker, Go, and Homebrew. It can also be implemented as a pre-commit hook directly in your repo.
Kubescape is an open source tool used to test if kubernetes deployment is secure following multiple frameworks like company policies, regulatory, and DevSecOps practices.
Kubescape detects misconfigurations and software vulnerabilities at the early stages of the CI/CD pipelines and scans the K8s clusters, HELM charts, and YAML files. Kubescape provides an instant risk score and over-time risk trends after scanning for vulnerabilities and can integrate with other DevOps tools like GitHub workflows, Jenkins and CircleCI.
Prowler is a high-level architecture command-line tool used in AWS security assessment, auditing, hardening, and incident response. You can run prowler from an EC2 instance, your workstation, or Fargate, or any other container, and it follows the CIS AWS Foundations Benchmark.
TFsec is an open source security scanner for Terraform codes. It spots security issues through the static analysis of the Terraform template. It can be installed with Go, and used with Docker, VS code, and as GitHub Actions. It has been acquired by Aquasecurity.
Checkov is a static code analysis tool that scans cloud infrastructure with Terraform, Cloudformation, AWS SAM, Kubernetes, Serverless, etc. Bridgecrew designs it for preventing misconfigurations, identifying, and fixing IaC files. It detects security and compliance misconfigurations using graph-based scanning.
Faraday is a platform used for carrying out penetration tests and vulnerability management.
It introduces a new concept that is a multiuser penetration test IDE - Integrated Penetration-Test Environment (IPE). It is designed for analyzing, indexing, and distributing any generated data during a security audit. It has features like Faraday Agents Dispatcher, Workspaces, and CSV exporting.
What IDE is to programming, Faraday is to penetration-testing
Terrascan, licensed under Apache 2.0 is a static code analyzer for IaC. Terrascan is a tool that offers flexibility to run locally or integrate with your CI/CD. It detects compliance violations and security vulnerabilities and mitigates risks before provisioning cloud native infrastructure. Terracsan supports AWS, Azure, GCP, Kubernetes, Dockerfile, and GitHub.
bunkerized-nginx is a security-inclined web server on the notorious nginx. The tool integrates directly into Linux, Kubernetes, Docker, etc. to make the web services secure by default. It automatically applies security best practices while keeping every setting under control to meet your work requirement.
OpenRASP is an open source runtime application self-protection that directly integrates its protection by instrumentation into the application server. OpenRASP hooks sensitive functions and block or examine the inputs fed into them when attack happens. OpenRASP have a lesser false positive and high detection rate because only successful attacks trigger alarms. Its stack trace is logged in details making its forensic analysis easy, and it’s insusceptible to malformed protocol. It supports Java and PHP web application servers for Linux platforms
It can be integrated to send alerts through slack or emails, while it integrates as a CI/CD scanner with GitHub Actions, Gitlab CI/CD, and Travis CI.
DefectDojo is an open source platform for security orchestration and vulnerability management.
DefectDojo has features like application security program management, product and application information maintenance, triage vulnerabilities, and findings push to systems like JIRA and Slack.
Archery is an open source tool used by developers and pentesters to carry out vulnerabilities scanning and management. It uses popular open source tools for comprehensively scanning web applications and networks. It can also be utilized by developers for implementing DevOps CI/CD environment.
Kubernetes Goat is a tool developed to be an intentional vulnerable cluster environment so as to learn and practice Kubernetes security. It can be used for some scenarios, including attacking private registries, gaining environment information, RBAC least privileges misconfiguration, sensitive keys in code-bases, etc.
Note that Kubernetes Goat shouldn’t be deployed in a production environment or alongside any sensitive cluster resources.
Netmaker is a tool designed to scale from business to enterprise and it automates virtual networks between data centers, edge devices, and clouds. Kernel wireGuard has maximum speed, performance,e and security capabilities, and Netmaker plus WireGuard can be highly customized for site-to-site, peer-to-peer, Kubernetes, and more.
DalFox is a XSS scanner and parameter analysis tool based on Golang parser. It supports CI/CD, a friendly pipeline, and testing of different types of XSS.
It has features like Discovery, scanning, HTTP, concurrency, output, extensibility and package.
Dependency-Track is a component analysis platform used in identifying and reducing risk in the software supply chains by organizations. Dependency-Track proactively identifies risk by monitoring component usage across all application versions in its portfolio. It has an API-first design and quite ideal for CI/CD environments.
CMSScan is a tool used in CMS security scans through a provided centralized security dashboard by the tool. It supports both on-demand and scheduled scans and it is powered by droopescan, wpscan, joomscan, and vbscan. It also can send email reports.
ThreatMapper is a tool that hunts for vulnerabilities, ranks these vulnerabilities based on risk-of-exploit in production platforms. ThreatMapper does mainly three things; discover workloads, discover vulnerabilities, and rank the discovered vulnerabilities based on exploit level. ThreatMapper sensors are deployed on your production platforms. The platforms that ThreatMapper supports are Kubernetes, Docker, Fargate, Bare Metal and other VM-based platforms.
GitGuardian Shield (ggshield)
GitGuardian Shield is a CLI application used in detecting over 300 types of secrets and other potential security vulnerabilities or policy breaks. Ggshield runs in your local environment or a CI environment. It supports integrations like GitHub Actions, Docker, Jenkins, GitLab, CircleCI Orbs, Azure pipelines, etc.
Kube-Scan is a Kubernetes risk assessment tool that uses the Kubernetes Common Configuration Scoring System (KCCSS). It gives a 0 - 10 risk score for each workload with 0 being at the no-risk level and 10 at the high-risk level. The risk is based on each workload’s runtime configuration, and KCCSS scores risks and remediations as separate rules, which in turn lets users calculate a risk for every runtime setting of a workload and the total risk of the workload.
TerraGoat is a tool that helps DevSecOps design and implements a sustainable misconfiguration prevention strategy. TerraGoat follows the tradition of the existing Goat projects and can be used to test a policy as code framework, inline-linters, pre-commit hooks, or other code scanning methods.
Note: Do not deploy TerraGoat in a production environment or alongside any sensitive AWS resources.
aws-security-automation is used for collecting scripts and resources for DevSecOps, security automation, and automated incident response remediation.
It has features like EC2 auto clean room forensics, IAM access denied responder, CloudTrailRemediation, and force-user-mfa.
Glue is a backbone for automating security analysis pipeline of tools. It is a framework for running a series of tools, and it is advised to be run with a docker image because it should have other tools that are already configured and available.
secureCodeBox is a Kubernetes-based toolchain for continuous software project scan. It is a tool that enables penetration testers to continuously carry out tests as continuous delivery is done by developers and allows pentesters to focus on all security issues, including major security issues and non-obvious security issues.
Scan is an open-source security tool for modern DevOps teams. Scan can be used to detect variety of security flaws in infrastructure code and applications in a single fast scan without needing any remote server. Scan has features like automatic build breaker, result baseline, and PR summary comments.
Hammer is an AWS multi-account cloud security tool used for identifying misconfigurations and insecure data exposures within the most popular AWS resources. It integrates near real-time reporting capabilities to provide feedback to engineers. It can perform auto-remediation of some misconfigurations.
It has features like S3 unencrypted buckets, EBS public snapshots, S3 policy public access, etc.
Whispers is a static code analysis tool used to search for dangerous functions and hardcoded credentials for parsing various data formats. Whispers can detect AWS keys, passwords, private keys, authentication tokens, API tokens, and more
Whispers support varieties of formats including JSON, YAML, Dockerfile, Shell Scripts, XML, etc.
GitGuardian Shield GitHub Actions (ggshield)
ggshiel GitHub Actions is used to find exposed credentials in your commits.
GitGuardian Shield is a CLI application used in detecting over 200 types of secrets and other potential security vulnerabilities or policy breaks. Ggshield runs in your local environment or in a CI environment. It supports integrations like GitHub Actions, Docker, Jenkins, GitLab, CircleCI Orbs, Azure pipelines, etc.
netassert is a security testing framework used in Kubernetes network policies, services and non-containerized hosts like VMs and bare metal for fast, safe iteration on firewall, routing, and NACL rules.
Shisho is a static code analyzer designed for developers. Shisho is a lightweight, pluggable, and configurable linter that gives developers a way to codify their domain knowledge. Shisho concept uses a Detection-as-code and allows developers to analyze and transform their source code with DSL.
tfquery is a framework used in running SQL queries on Terraform code. tfquery can be used for running security and compliance checks, analyzing Terraform infrastructure, developing CI benchmarks, locating resources, and many more. You can use tfquery to know more information about your infrastructure-as-code and use it to query resources and analyze configurations through a SQL-powered framework.
OWASP Risk Assessment Framework
OWASP risk assessment framework is a framework that consists of SAST and risk assessment tools used to analyze and review code quality and vulnerabilities without requiring additional setup. It can be integrated into the DevSecOps toolchain to help developers write and produce secure code.
Get similar stories in your inbox weekly, for free
Share this story:
If you are still determining which option to implement DevOps is good for you or …