Collection and Roadmap for everyone who wants DevSecOps, contains list of tools and methodologies
- Overview
- Development Lifecycle
- Threat Model
- SAST(Static Application Security Testing)
- DAST(Dynamic Application Security Testing)
- Penetration testing
- Security Hardening & Config
- Security Scanning
- RASP(Run-time Application Security Protection)
- Security Patch
- Security Audit
- Security Monitor
- Security Analysis
- sonarQube(SAST)
- unit Test (Junit & Jacoco)
- mutation Test (PIT)
- Vulnerability scan -Docker
- dependency check
- Trivy
- OPA conftest
- kubernetes deployment
- kubesec scan
- OPA scan
- trivy
- integration test
- owasp zap (DAST)
- CIS benchmark (kube-bench)
- monitoring
Tips :
- integration test check valid request and response api request
- we install openapi plugin in spring or other framework then get api-docs for pentesting woth zap proxy
- we use slack hook for send notification from jenkin, after any error or warm in report
- prometheus is a good notification manager and make graph with graphana
- use kiali for monitoring GUI kubernetis
- use mTls with istio for secure comunication betwean pods
- falco is opensource cloud native runtime security project
- helm id package manager for kubernetis like yum
| Name | URL | Description |
|---|---|---|
| git-secrets | https://github.com/awslabs/git-secrets | AWS labs tool preventing you from committing secrets to a git repository |
| Talisman | https://github.com/thoughtworks/talisman | A tool to detect and prevent secrets from getting checked in |
| Name | URL | Description |
|---|---|---|
| GitLeaks | https://github.com/zricethezav/gitleaks | Gitleaks is a scanning tool for detecting hardcoded secrets |
| Name | URL | Description |
|---|---|---|
| Snyk | https://github.com/snyk/snyk | Snyk scans and monitors your projects for security vulnerabilities |
| npm-check | https://www.npmjs.com/package/npm-check | Check for outdated, incorrect, and unused dependencies. |
| Name | URL | Description |
|---|---|---|
| Bandit | https://github.com/PyCQA/bandit | Python specific SAST tool |
| nodejsscan | https://github.com/ajinabraham/nodejsscan | NodeJs SAST scanner with GUI |
| SonarQube community | https://github.com/SonarSource/sonarqube | Detect security issues in code review with Static Application Security Testing (SAST) |
| Name | URL | Description |
|---|---|---|
| Zap proxy | https://owasp.org/www-project-zap/ | Zap proxy providing various docker containers for CI/CD pipeline |
| Nuclei | https://github.com/projectdiscovery/nuclei | Template based security scanning tool |
| Name | URL | Description |
|---|---|---|
| Docker bench | https://github.com/docker/docker-bench-security | Docker benchmarking against CIS |
| Trivy | https://github.com/aquasecurity/trivy | Comprehensive scanner for vulnerabilities in container images |
| Name | URL | Description |
|---|---|---|
| kube-bench | https://github.com/aquasecurity/kube-bench | Kubernetes benchmarking tool |
| kube-hunter | https://github.com/aquasecurity/kube-hunter | Active scanner for k8s (purple) |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent