/LICENSE:

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format.
We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

/README.md:

# Tools

Curated list of security tools

💰 - Commercial Tool

# Secrets Detection

## Proactive

- [Talisman](https://github.com/thoughtworks/talisman) - A tool to detect and prevent secrets from getting checked in.
- [Security for Bitbucket](https://marketplace.atlassian.com/apps/1221399/security-for-bitbucket?hosting=datacenter&tab=overview) - Bitbucket plugin to detect and block sensitive commits from check-in.

## Reactive

- [GitGuardian](https://www.gitguardian.com/) 💰 - Automated secrets detection & remediation. Monitors public or private source code, and other data sources as well. Detects API keys, database credentials, certificates, …
- [truffleHog](https://github.com/dxa4481/truffleHog) - Searches through git repositories for high entropy strings and secrets, digging deep into commit history.
- [Gitleaks](https://github.com/zricethezav/gitleaks) - A SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in git repos.
- [ban-sensitive-files](https://github.com/bahmutov/ban-sensitive-files) - Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Checks some files for sensitive contents (for example authToken inside .npmrc file).

# OSS Dependency Scanners (Application)

## Java

- [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck/) - Checks dependencies for known, publicly disclosed vulnerabilities.

## JavaScript

- [NPM Audit](https://docs.npmjs.com/cli/audit) - Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies.
- [YARN Audit](https://classic.yarnpkg.com/en/docs/cli/audit/) - Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies.
- [retire.js](http://retirejs.github.io/retire.js) - Scanner detecting the use of JavaScript libraries with known vulnerabilities.
- [AuditJS](https://www.npmjs.com/package/auditjs) - Scan JavaScript (Node.js inclusive) projects for vulnerable third-party dependencies.

## Python

- [Safety](https://pyup.io/safety/) - Safety checks your dependencies for known security vulnerabilities.
- [Requires](https://requires.io/) - Requires.io keeps your Python projects secure by monitoring their dependencies.
- [Jake](https://github.com/sonatype-nexus-community/jake) - Scan Python and Conda environments for vulnerable third-party dependencies.

## Go

- [Nancy](https://github.com/sonatype-nexus-community/nancy) - A tool to check for vulnerabilities in your Golang dependencies, powered by [Sonatype OSS Index](https://ossindex.sonatype.org/).

## Rust

- [cargo-audit](https://rustsec.org/) - Audit Cargo.lock for crates with security vulnerabilities reported to the RustSec Advisory Database.
- [rust-audit](https://github.com/Shnatsel/rust-audit) - Audit Rust binaries for known bugs or security vulnerabilities. This works by embedding data about the dependency tree (Cargo.lock) in JSON format into a dedicated linker section of the compiled executable.

## Multiple Languages

- [Snyk](https://snyk.io/) 💰 - Automatically find, prioritize and fix vulnerabilities in your open source dependencies throughout your development process.
- [Aqua](https://www.aquasec.com/products/container-vulnerability-scanning/) 💰 - Aqua’s CyberCenter feed is updated daily, providing extensive OS and programming language coverage, application dependency detection, and reduction in false positives and false negatives based on proprietary algorithms reconciling multiple sources (NVD, vendor advisories, and Aqua research).
- [Hawkeye](https://github.com/hawkeyesec/scanner-cli) - The Hawkeye scanner-cli is a project security, vulnerability and general risk highlighting tool. It is meant to be integrated into your pre-commit hooks and your pipelines.
- [Sonatype OSS INDEX](https://ossindex.sonatype.org/) - Scan your projects for open source vulnerabilities, and build security into your development toolchain with native tools and integrations. The scan tools all utilize the OSS Index public REST API.
- [Deeptracy](https://github.com/BBVA/deeptracy) - The Security Dependency Orchestrator Service.

## Automated PR (Bonus💖)

- [Renovate](https://github.com/renovatebot/renovate) - Universal dependency update tool that fits into your workflows. Automated dependency updates. Multi-platform and multi-language.
- [Dependabot](https://dependabot.com/) - Dependabot creates pull requests to keep your dependencies secure and up-to-date.
- [Sonatype Depshield](https://www.sonatype.com/depshield) - Sonatype DepShield is a free GitHub App used by developers to identify and remediate vulnerabilities in their open source dependencies.

## IDE Plugins

Most of the above tools have plugin support. Below are some of the plugins.

- [Vuln Cost](https://snyk.io/security-scanner-vuln-cost/) - Find security vulnerabilities in open source packages while you code in JavaScript, TypeScript and HTML.
- [Grype](https://github.com/anchore/grype-vscode) - The Grype extension makes it easy to know when your project is using dependencies that have known security vulnerabilities.
- [Snyk Security Scanner](https://github.com/snyk/snyk-intellij-plugin) - The Snyk Vulnerability Scanner plugin for IDEs (like IntelliJ, Eclipse, VS Code) helps you find and fix security vulnerabilities in your projects, all from within your favorite IDE.
- [Trivy Vulnerability Scanner](https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-vulnerability-scanner) - Trivy Vulnerability Scanner is a VS Code plugin that helps you find vulnerabilities in your software projects without leaving the comfort of your VS Code window.

# SCA

- [OWASP Dependency Track](https://dependencytrack.org/) - Continuous Component Analysis Platform.
- [Nexus Lifecycle](https://www.sonatype.com/nexus/lifecycle) - Take full control of your software supply chain with Nexus Lifecycle. Integrate precise and accurate component intelligence directly into the development tools.
- [WhiteHat Sentinel SCA](https://www.whitehatsec.com/platform/software-composition-analysis/) - Analyzes applications for third-party and open source software to detect illegal, dangerous, or outdated code. Accelerate the time-to-market for your applications by safely and confidently utilizing open source code.

# Static Code Analysis

## C / C++

- [flawfinder](https://www.dwheeler.com/flawfinder) - Finds possible security weaknesses.
- [Polyspace Bug Finder](https://www.mathworks.com/products/polyspace-bug-finder.html) 💰 - Identifies run-time errors, concurrency issues, security vulnerabilities, and other defects in C and C++ embedded software.
- [Puma Scan](https://pumasecurity.io/) - Puma Scan provides real-time secure code analysis for common vulnerabilities (XSS, SQLi, CSRF, LDAPi, crypto, deserialization, etc.) as development teams write code in Visual Studio.
- [Joern](https://github.com/ShiftLeftSecurity/joern) - Open-source code analysis platform for C/C++ based on code property graphs.

## Java

- [Find Security Bugs](https://find-sec-bugs.github.io/) - The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)
- [Reshift](https://www.reshiftsecurity.com/) 💰 - A source code analysis tool for detecting and managing Java security vulnerabilities.

## JavaScript

- [NodeJSScan](https://opensecurity.in/) - NodeJsScan is a static security code scanner for Node.js applications.
- [eslint-plugin-security](https://www.npmjs.com/package/eslint-plugin-security) - ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
- [tslint-plugin-security](https://www.npmjs.com/package/tslint-config-security) - TSLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.

## Go

- [gosec](https://github.com/securego/gosec) - Golang Security Checker inspects source code for security problems by scanning the Go AST.
- [golangci-lint](https://github.com/golangci/golangci-lint) - It runs linters in parallel, uses caching, supports YAML config, has integrations with all major IDEs and has dozens of linters included.

## Elixir

- [sobelow](https://github.com/nccgroup/sobelow) - Security-focused static analysis for the Phoenix Framework.

## PHP

- [Parse](https://github.com/psecio/parse) - A Static Security Scanner.
- [Progpilot](https://github.com/designsecurity/progpilot) - A static analysis tool for security purposes.

## Python

- [bandit](https://bandit.readthedocs.io/en/latest) - A tool to find common security issues in Python code.
- [Pysa (Python Static Analyzer)](https://pyre-check.org/docs/pysa-basics.html) - A tool based on Facebook's [pyre-check](https://github.com/facebook/pyre-check/) to identify potential security issues in Python code using taint analysis.
- [Dlint](https://github.com/dlint-py/dlint) - A tool for ensuring Python code is secure.

## Ruby

- [RuboCop](https://rubocop.org/) - A Ruby code style checker (linter) and formatter based on the community-driven Ruby Style Guide.
- [brakeman](https://brakemanscanner.org/) - A Ruby on Rails Static Analysis Security Tool.
- [Railroader](https://railroader.org/) - An open source static analysis security vulnerability scanner for Ruby on Rails applications; a fork of Brakeman.

## Android / iOS

- [iblessing](https://github.com/Soulghost/iblessing) - iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining.
- [Oversecured](https://oversecured.com/) 💰 - A mobile app vulnerability scanner, designed for security researchers and bug bounty hackers. It also allows integrations into the DevOps process for businesses.
- [qark](https://github.com/linkedin/qark) - Tool to look for several security-related Android application vulnerabilities.

## Binaries

- [BinSkim](https://github.com/Microsoft/binskim) - A binary static analysis tool that provides security and correctness results for Windows portable executables.
- [Black Duck](https://www.blackducksoftware.com/) 💰 - Tool to analyze source code and binaries for reusable code, necessary licenses and potential security aspects.
- [Ghidra](https://ghidra-sre.org/) - A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission.

## IaC - Infrastructure as Code

### Docker

- [dagda](https://github.com/eliasgranderubio/dagda) - Perform static analysis of known vulnerabilities in Docker images/containers.
- [dockle](https://github.com/goodwithtech/dockle) - Container Image Linter for Security, helping build the best-practice Docker image; easy to start.

### Kubernetes

- [KUBESEC.IO](https://kubesec.io/) - Security risk analysis for Kubernetes resources.
- [kubeaudit](https://github.com/Shopify/kubeaudit) - kubeaudit helps you audit your Kubernetes clusters against common security controls.

### Terraform

- [checkov](https://www.checkov.io/) - Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time.
- [terrascan](https://github.com/accurics/terrascan) - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
- [terraform-compliance](https://terraform-compliance.com/) - A lightweight, compliance- and security-focused BDD test framework against Terraform.
- [tfsec](https://github.com/tfsec/tfsec) - tfsec uses static analysis of your Terraform templates to spot potential security issues. Now with Terraform v0.12+ support.

## Multiple Languages

- [ShiftLeft Scan (skæn)](https://slscan.io/) - Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.
- [Coverity®](https://scan.coverity.com/) 💰 - Synopsys Coverity supports 20 languages and over 70 frameworks including
- [Checkmarx SAST (CxSAST)](https://www.checkmarx.com/products/static-application-security-testing) 💰 - An enterprise-grade, flexible and accurate static analysis solution used to identify hundreds of security vulnerabilities in custom code.
- [Fortify Static Code Analyzer](https://www.microfocus.com/en-us/products/static-code-analysis-sast/overview) 💰 - A commercial static analysis platform that supports the scanning of 27 major programming languages.
- [Veracode](https://www.veracode.com/products/binary-static-analysis-sast) 💰 - Find flaws in binaries and bytecode without requiring source. Supports all major programming languages.
- [Application Inspector](https://www.ptsecurity.com/ww-en/products/ai) 💰 - Commercial static code analysis which generates exploits to verify vulnerabilities.
- [CodePatrol](https://cyber-security.claranet.fr/en/codepatrol) 💰 - Automated SAST code reviews driven by security, supports 15+ languages and includes security training.
- [CodeScan](https://www.codescan.io/) 💰 - Code quality and security for Salesforce developers. Made exclusively for the Salesforce platform, CodeScan’s code analysis solutions provide you with total visibility into your code health.
- [dawnscanner](https://github.com/thesp0nge/dawnscanner) - A static analysis security scanner for Ruby-written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
- [DeepCode](https://www.deepcode.ai/) 💰 - DeepCode finds bugs, security vulnerabilities, performance and API issues based on AI. DeepCode's speed of analysis allows it to analyse your code in real time and deliver results when you hit the save button in your IDE. Supported languages are Java, C/C++, JavaScript, Python, and TypeScript. Integrations with GitHub, BitBucket and GitLab.
- [DeepSource](https://deepsource.io/) 💰 - In-depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives.
- [InsiderSec](https://insidersec.io/) - An open source Static Application Security Testing tool (SAST) written in GoLang for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C# and JavaScript (Node.js).
- [Klocwork](https://www.perforce.com/products/klocwork) 💰 - Quality and security static analysis for C/C++, Java and C#.
- Semmle QL and LGTM 💰 - Find security vulnerabilities, variants, and critical code quality issues using queries over source code. Automatic PR code review; free for public GitHub/Bitbucket repos: [LGTM.com](https://lgtm.com/).
- [Semgrep](https://github.com/returntocorp/semgrep) - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
- [SonarCloud](https://sonarcloud.io/) 💰 - Multi-language cloud-based static code analysis. History, trends, security hot-spots, pull request analysis and more. Free for open source.
- [WhiteHat Application Security Platform](https://www.whitehatsec.com/platform/static-application-security-testing) 💰 - WhiteHat Scout (for Developers) combined with WhiteHat Sentinel Source (for Operations), supporting WhiteHat Top 40 and OWASP Top 10.
- [Xanitizer](https://xanitizer.com/) 💰 - Xanitizer finds security vulnerabilities in web applications. It supports Java, Scala, JavaScript and TypeScript.

# OSS License Scanner

- [License Finder](https://github.com/pivotal/LicenseFinder) - LicenseFinder works with your package managers to find dependencies, detect the licenses of the packages in them, compare those licenses against a user-defined list of permitted licenses, and give you an actionable exception report.
- [Fossa](https://fossa.com/) 💰 - Get continuous compliance with code SCA featuring audit-grade reporting and comprehensive dependency inventory.
- [WhiteSource](https://www.whitesourcesoftware.com/) 💰 - Detect and remediate open source security and compliance issues in real time, without the headache.
- [Nexus Auditor](https://www.sonatype.com/nexus/auditor) 💰 - Generate a Software Bill of Materials, triage license and security risk within third-party applications, and continuously monitor apps for new vulnerabilities.
- [Licensebat](https://licensebat.com/) 💰 - Licensebat seamlessly integrates with your GitHub build pipeline to make sure your current and future dependencies comply with your license policies.
- [Black Duck®](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) 💰 - Helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.
- [FOSSology](https://www.fossology.org/) - An open source license compliance software system and toolkit. As a toolkit, you can run license, copyright and export control scans from the command line.
- [FOSSID](https://fossid.com/) - A Software Composition Analysis tool that scans your code for open source licenses and vulnerabilities, and gives you full transparency and control of your software products and services.
- [Palamida](https://www.almtoolbox.com/palamida.php) - Palamida is the leader in advanced techniques to identify open source and other third-party software in use within your development projects.
- OSS Review Toolkit
- [ClearlyDefined](https://clearlydefined.io/) - Lack of clarity around licenses and security vulnerabilities reduces engagement — that means fewer users, fewer contributors and a smaller community.

# Container Scanner

- [Trivy](https://github.com/aquasecurity/trivy) - The most comprehensive and easy-to-use open source vulnerability scanner for container images.
- [Anchore inline-scan container](https://github.com/anchore/ci-tools) - Anchore container analysis and scan provided as an inline scanner.
- [grype](https://github.com/anchore/grype) - A vulnerability scanner for container images and filesystems.

# DAST

- [Acunetix](https://www.acunetix.com) 💰 - Scans your entire website for security vulnerabilities in front-end & server-side application code and gives you actionable results.

# Hardening and Compliance

## VMs

- [OpenSCAP](https://www.open-scap.org/) - The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines.
- [Lynis](https://cisofy.com/lynis/) - Auditing, system hardening, compliance testing.
- [OpenVAS](https://www.greenbone.net/en/) - A full-featured vulnerability scanner. Its capabilities include unauthenticated testing, authenticated testing, various high-level and low-level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.

## Cloud

- [CloudSploit](https://github.com/aquasecurity/cloudsploit) - Detection of security risks in cloud infrastructure accounts, including: AWS, Microsoft Azure, GCP, Oracle Cloud Infrastructure (OCI), and GitHub.
- [Scout Suite](https://github.com/nccgroup/ScoutSuite) - Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas.
- [Prisma Cloud 2.0](https://www.paloaltonetworks.com/prisma/cloud) 💰 - Cloud Native Security Platform (CNSP) - The Clouds of Today, Secured Against the Threats of Tomorrow.
- [Sysdig Platform](https://sysdig.com/secure-devops-platform/) 💰 - Ship cloud apps faster by embedding security, compliance, and performance into your DevOps workflow.
- [Panther](https://github.com/panther-labs/panther) - Panther is a platform for detecting threats with log data, improving cloud security posture, and conducting investigations.
- [Fugue Compliance](https://www.fugue.co/cloud-infrastructure-compliance) 💰 - Demonstrate compliance to management and auditors at any time with dashboards, reports, and visualizations.

## Kubernetes

- [Kube-bench](https://github.com/aquasecurity/kube-bench) - Tool for checking Kubernetes compliance with the Center for Internet Security (CIS) Benchmark.
- [Kube-hunter](https://github.com/aquasecurity/kube-hunter) - Penetration testing that simulates dozens of attack vectors on your Kubernetes cluster.
- [Kubei](https://github.com/Portshift/kubei) - Kubei is a flexible Kubernetes runtime scanner, scanning images of worker and Kubernetes nodes and providing accurate vulnerability assessment.
- [kube-forensics](https://github.com/keikoproj/kube-forensics) - kube-forensics allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.

# IDS

- [OSSEC](https://github.com/ossec/ossec-hids) - An Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

# [GitHub Apps](https://github.com/marketplace?category=security&type=apps)

## Free for Public and Private Repos

- [Dependabot](https://github.com/marketplace/dependabot-preview) - GitHub Dependabot can maintain your repository's dependencies automatically.
- [WhiteSource Bolt](https://github.com/marketplace/whitesource-bolt) - Continuously scans all your repos, detects vulnerabilities in open source components and provides fixes. It supports both private and public repositories. Supports 200 programming languages.
- [WhiteSource Renovate](https://github.com/marketplace/renovate) - Automatically update dependencies using convenient pull requests.
- [Sonatype DepShield](https://github.com/marketplace/sonatype-depshield) - Identify and remediate vulnerabilities in your open source dependencies.

## Free for Public and Open Source Repos

- [Depfu](https://depfu.com/) 💰 - [Depfu](https://github.com/marketplace/depfu) is like a colleague who sends you pull requests with all the info you need about an update. You stay in control of if and when to merge. Only for JavaScript and Ruby.

# [GitHub Actions](https://github.com/marketplace?category=security&type=actions)

Most of the tools now have GitHub Action support. Refer to the complete list here: https://github.com/marketplace?category=security&type=actions

# Password Managers

- [Keeper Password Manager & Digital Vault](https://www.keepersecurity.com/) - 💰
- [Dashlane](https://www.dashlane.com/) - 💰
- [1Password](https://1password.com/) - 💰
- [LastPass](https://www.lastpass.com/) - 💰
- [KeePass](https://keepass.info/) - KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can store all your passwords in one database, which is locked with a master key.
- [Cyph](https://www.cyph.com/)

# Code Obfuscation

- https://www.oreans.com/index.php 💰

# Standards

- [CWE](https://cwe.mitre.org/data/index.html) - Common Weakness Enumeration (CWE™) is a list of software and hardware weakness types.
- [CAPEC](https://capec.mitre.org/index.html) - The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy.
- [WASC](http://projects.webappsec.org/w/page/13246978/Threat%20Classification) - The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry-standard terminology for describing these issues.
262 | 263 | # Free Tranings 264 | 265 | - [Cloud Security Alliance (CSA)] 266 | - http://www.securitytube.net/# 267 | - https://p.ost2.fyi/ https://www.ost2.fyi/Home.html 268 | --------------------------------------------------------------------------------