Sec Your DevOps

Tools and resources for securing your development and operations environments.

• Tools
  • Application Security
  • Source Code Management
  • CI/CD
  • Secrets
  • Platform Security
  • Infrastructure as Code
  • Cloud Security
  • Offensive Tools
  • Observability
• Cloud Security
• Amazon Web Services
  • IAM
  • Secrets
  • Service Configuration & Hardening
  • Observability
  • CI/CD
  • Offensive Tools
  • Training and Lab Environments
  • News & Social
  • Additional Resources
• Methodology & Frameworks
• Training
• News & Social
• Other Lists
• Books

Tools

Application Security

• Semgrep: Static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time.
• SonarQube: Continuous inspection tool for code quality and security.
• Snyk: Static analysis of code, container images, and IaC. CLI, IDE, CI/CD, PaaS.
• OWASP Zed Attack Proxy (ZAP): Popular penetration testing tool that can also be leveraged within CI/CD to perform passive baseline scans.
• ShiftLeft: PaaS SAST and SCA tool offering scheduled and CI/CD initiated testing.
• AllStar: Github app to set and enforce repository security policies
• It-Depends: A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.
• Trivy: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
• ClusterFuzzLite: Simple continuous fuzzing that runs in CI.
• Scorecard: Security health metrics for open source.
• jfrog-npm-tools: A collection of tools to help audit your NPM dependencies for suspicious packages or continuously monitor dependencies for future security events.
• Dastardly: Runs a scan using Dastardly by Burp Suite against a target site and creates a JUnit XML report for the scan on completion.
• hijagger: Checks all maintainers of all NPM and Pypi packages for hijackable packages through domain re-registration.
• GuardDog: A CLI tool to identify malicious PyPI packages.
• Macaron: A supply chain security analysis tool that checks conformance to the SLSA framework.

Source Code Management

• GitGat: A tool to evaluate GitHub security posture.
• policy-bot: A GitHub App that enforces approval policies on pull requests.
• Github Analyzer: A tool to check the security settings of Github Organizations.
• ToBeReviewed Bot: GitHub App to watch for PRs merged without a reviewer approving.
• Cleanowners: A GitHub Action to suggest removal of non-organization members from CODEOWNERS files.

CI/CD

• actionlint: Static checker for GitHub Actions workflow files.
• Ratchet: A tool for securing CI/CD workflows with version pinning.
• GitHub Actions Importer: Helps you plan and automate the migration of Azure DevOps, CircleCI, GitLab, Jenkins, and Travis CI pipelines to GitHub Actions.
• GroovyWaiter: Jenkins enumeration and remediation tool.
• poutine: A security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository.

Secrets

• Mozilla SOPS: Simple and flexible tool for managing secrets.
• GitGuardian: Scan Github repositories for secrets, CLI, CI/CD, PaaS.
• git-secrets: Prevents you from committing secrets and credentials into git repositories.
• git-hound: Reconnaissance tool for GitHub code search. Finds exposed API keys using pattern matching, commit history searching, and a unique result scoring system.
• repo-supervisor: Scans GitHub repositories for security misconfigurations, passwords, and secrets.
• TruffleHog: A tool to find credentials all over the place.
• Gitleaks: A SAST tool for detecting and preventing hardcoded secrets in git repos.
• Secrets Patterns DB: The largest open-source database for detecting secrets, API keys, passwords, tokens, and more.

Platform Security

• Sysdig: Linux system exploration and troubleshooting tool with first class support for containers.
• Syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
• Mozzila SSL Config: Secure SSL configuration generator.
• Hadolint: Dockerfile linter, validate inline bash, written in Haskell.
• Docker Bench for Security: A script that checks for dozens of common best-practices around deploying Docker containers in production.
• Inspec: Security and compliance testing framework with a human- and machine-readable language for comparing actual versus desired system state.
• KubeEye: Finds various problems on Kubernetes, such as application misconfiguration, unhealthy cluster components and node problems.
• Watchtower: A process for automating Docker container base image updates.

Infrastructure as Code

• tfsec: Static analysis for Terraform code.
• checkov: Static code analysis tool with coverage for Terraform, CloudFormation, Kubernetes/Helm, Dockerfiles, Serverless, and ARM templates.
• terrascan: Static code analysis tool with coverage for Terraform, Kubernetes/Helm, and Dockerfiles.
• Azure Terrafy: A tool to bring existing Azure resources under Terraform's management.
• Terraform IAM Policy Validator: A command line tool that validates AWS IAM Policies in a Terraform template against AWS IAM best practice.
• Pike: A tool to determine the minimum permissions required for a Terraform run.

Offensive Tools

• Stratus Red Team: Granular, actionable adversary emulation for the cloud.
• PurplePanda: Identify privilege escalation paths within and across different clouds (currently supports GCP, GitHub, and Kubernetes)
• Gato: GitHub self-hosted runner enumeration and attack tool.

Observability

• DefectDojo: DevSecOps and vulnerability management tool.

Cloud Security

• Cartography: A Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
• ScoutSuite: Multi-cloud security auditing tool.
• Cloud Custodian: Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources.
• Cloudlist: a tool for listing Assets from multiple Cloud Providers.

Amazon Web Services

AWS: IAM

• SAML2AWS: CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP.
• CloudTracker: Helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
• PMapper: A tool for quickly evaluating IAM permissions in AWS.
• Aaia: AWS IAM visualizer and anomaly finder.
• aws-sso-reporter: Uses the AWS SSO API to list all users, accounts, permission sets etc. and dumps it into a CSV file for additional parsing or viewing.
• awspx: A graph-based tool for visualizing effective access and resource relationships in AWS environments.
• IAM Access Key Report: A tool to enumerate data about all active IAM access keys across an AWS Organization and enrich each key with account tag information.

AWS: Secrets

• S3cret Scanner: A tool designed to provide a complementary layer for the Amazon S3 Security Best Practices by proactively hunting secrets in public S3 buckets.
• aws-vault: A vault for securely storing and accessing AWS credentials in development environments.

AWS: Service Configuration & Hardening

• Prowler: Open source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
• cloud-nuke: A tool for cleaning up your AWS accounts by nuking (deleting) all resources within it.
• AWS Security Toolbox: Single Docker container combining several popular security tools.
• CloudMapper: Helps analyze your AWS environments, including auditing for security issues.
• aws-security-viz: Visualize your AWS security groups.
• s3tk: A security toolkit for AWS S3.
• Metabadger: Automated EC2 Instance Metadata Service upgrade to v2 (IMDSv2).
• Remediate AWS IMDSv1: Simple tool to identify and remediate the use of the AWS EC2 IMDSv1.
• ImdsPacketAnalyzer: A tool that traces TCP interactions with IMDS to assist in identifying the processes making IMDSv1 calls.
• Sustainable Personal Accounts: Adds custom maintenance windows for AWS accounts, allowing automatic resource preparation and purging.
• CloudJack: Route53/CloudFront vulnerability assessment utility.
• CDK-Dia: Automated diagrams of AWS CDK provisioned infrastructure.
• superwerker: A free, open-source solution that lets you quickly set up an AWS Cloud environment following best practices for security and efficiency.
• domain-protect: Discover and protect against subdomain takeover vulnerabilities in AWS & Cloudflare.
• SCPkit: A Python module to manage service control policies (SCPs).

AWS: Observability

• Security Hub Automated Response & Remediation: An add-on solution that works with AWS Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks.
• Assisted Log Enabler: Find AWS resources that are not logging and turn them on.
• TrailScraper: A command-line tool to get valuable information out of AWS CloudTrail.
• AWS CloudSaga: Test security controls and alerts within AWS, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).

AWS: CI/CD

• GitHub Action: Configure AWS Credentials: Configure AWS credential environment variables for use in other GitHub Actions.

AWS: Offensive Tools

• Quiet Riot: Unauthenticated enumeration of services, roles, and users in an AWS account or in every AWS account in existence.
• aws-list-resources: A tool that uses the AWS Cloud Control API to list resources that are present in a given AWS account and regions.
• Sandcastle: A Python script for AWS S3 bucket enumeration.
• Pacu: An AWS exploitation framework.
• LambdaLooter: A tool to help reduce the amount of time it takes to review AWS Lambda code.

AWS: Training & Lab Environments

• IAM Vulnerable: Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
• Disposable Cloud Environment: Allows users to "lease" an AWS account for a defined period of time and with a limited budget. At the end of the lease, or if the lease's budget is reached, the account is wiped clean and returned to the account pool so it may be leased again.
• EC2 Metadata Mock: A tool to simulate Amazon EC2 instance metadata.
• LocalStack: Local AWS cloud emulator.
• S3 Game Galaxy: A series of challenges to learn S3 features.

AWS: News & Social

• AWS Security Digest: A weekly AWS security digest by Victor Grenu.
• Last Week in AWS: Snarky takes on AWS news and announcements by Corey Quinn.

AWS: Additional Resources

• AWS Security Blog: Official announcements, product highlights, and walk-throughs. Optional mailing list.
• AWS Customer Security Incidents: A repository tracking known breaches of AWS customers.
• AWS Security Arsenal: List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
• AWSome Pentesting Cheatsheet: A guide to help pentesters learn more about AWS misconfigurations and ways to abuse them.

Methodology & Frameworks

• NIST Software Supply Chain and DevOps Security Practices
• CIS Software Supply Chain Security Guide v1.0
• MITRE DevSecOps Best Practices Guide
• DoD DevSecOps Fundamentals Guidebook
• DoD Enterprise DevSecOps Reference Design
• CNCF Software Supply Chain Best Practices
• Common Threat Matrix for CI/CD: An ATT&CK-like matrix focused on CI/CD pipeline specific risk.
• Cloud Security Orienteering Checklist: How to orienteer in a cloud environment, dig in to identify the risks that matter, and put together actionable plans that address short, medium, and long term goals.
• Container Security Checklist: Checklist for container security and DevSecOps practices.
• DevSecOps Playbook: A step-by-step guide to implementing a DevSecOps program for any size organization.

Training

• Actions by Example: An introduction to GitHub actions through annotated examples.
• OWASP WrongSecrets: Pwnable application focused on secrets storage.
• KustomizeGoat: Vulnerable Kustomize Kubernetes templates for training and education.
• CI/CD Goat: A deliberately vulnerable CI/CD environment.
• DevOps The Hard Way: Free labs for setting up an entire workflow and DevOps environment from a real-world perspective in AWS.
• Container.Training: Slides and code samples for training, tutorials, and workshops about Docker, containers, and Kubernetes.
• TerraGoat: A terraformed learning and training environment that demonstrates how common configuration errors can find their way into production cloud environments. Covers AWS, Azure, and GCP.
• SadServers: A SaaS where users can test their Linux troubleshooting skills on real Linux servers in a "Capture the Flag" fashion.
• messy poutine: A collection of purposely vulnerable CI/CD pipelines.

News & Social

• tl;dr sec: Best newsletter source for tools, blog posts, conference talks, and original research. By Clint Gibler.
• CloudSecList: A low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape. By Marco Lancini.
• Awesome Security Newsletters: Newsletters and Twitter lists that capture the latest news, summaries of conference talks, research, best practices, tools, events, vulnerabilities, and analysis of trending threats and attacks.
• InfoSec: Top 100 Tweeters: Curated by @RayRedacted.

Other Lists

• Open Source Security Index: A list of the most popular & fastest growing open source security projects on GitHub.
• HOUDINI: Hundreds of offensive and useful Docker images for network intrusion.
• Open Source Web Scanners: A list of open source web security scanners sorted by GitHub stars.
• Awesome DevOps: A curated list of awesome DevOps tools, platforms and resources.
• Application Security Tools: Curated list of free/open source application security tools.
• Awesome Security Hardening: A collection of awesome security hardening guides, tools and other resources.
• Awesome Container Tinkering: A list of tools to tinker with containers.
• SSC Reading List: A reading list for software supply-chain security.
• AWS Security Arsenal: List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Books

• Securing DevOps: by Julien Vehent.
• Container Security: Fundamental Technology Concepts that Protect Containerized Applications: by Liz Rice.