Semgrep: Static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time.
SonarQube: Continuous inspection tool for code quality and security.
Snyk: Static analysis of code, container images, and IaC. CLI, IDE, CI/CD, PaaS.
OWASP Zed Attack Proxy (ZAP): Popular penetration testing tool that can also be leveraged within CI/CD to perform passive baseline scans.
ShiftLeft: PaaS SAST and SCA tool offering scheduled and CI/CD initiated testing.
AllStar: GitHub app to set and enforce repository security policies.
It-Depends: A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.
Trivy: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
Scorecard: Security health metrics for open source.
jfrog-npm-tools: A collection of tools to help audit your NPM dependencies for suspicious packages or continuously monitor dependencies for future security events.
Dastardly: Runs a scan using Dastardly by Burp Suite against a target site and creates a JUnit XML report for the scan on completion.
hijagger: Checks all maintainers of all NPM and PyPI packages for hijackable packages through domain re-registration.
GuardDog: A CLI tool to identify malicious PyPI packages.
Source Code Management
GitGat: A tool to evaluate GitHub security posture.
policy-bot: A GitHub App that enforces approval policies on pull requests.
actionlint: Static checker for GitHub Actions workflow files.
Ratchet: A tool for securing CI/CD workflows with version pinning.
GitHub Actions Importer: Helps you plan and automate the migration of Azure DevOps, CircleCI, GitLab, Jenkins, and Travis CI pipelines to GitHub Actions.
Secrets
Mozilla SOPS: Simple and flexible tool for managing secrets.
GitGuardian: Scans GitHub repositories for secrets. CLI, CI/CD, PaaS.
git-secrets: Prevents you from committing secrets and credentials into git repositories.
git-hound: Reconnaissance tool for GitHub code search. Finds exposed API keys using pattern matching, commit history searching, and a unique result scoring system.
repo-supervisor: Scans GitHub repositories for security misconfigurations, passwords, and secrets.
TruffleHog: A tool to find credentials all over the place.
S3cret Scanner: A tool designed to provide a complementary layer for the Amazon S3 Security Best Practices by proactively hunting secrets in public S3 buckets.
Platform Security
Sysdig: Linux system exploration and troubleshooting tool with first class support for containers.
Syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
checkov: Static code analysis tool with coverage for Terraform, CloudFormation, Kubernetes/Helm, Dockerfiles, Serverless, and ARM templates.
terrascan: Static code analysis tool with coverage for Terraform, Kubernetes/Helm, and Dockerfiles.
Azure Terrafy: A tool to bring existing Azure resources under Terraform's management.
Terraform IAM Policy Validator: A command line tool that validates AWS IAM Policies in a Terraform template against AWS IAM best practice.
Cloud Security
Cartography: A Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Cloud Custodian: Rules engine for cloud security, cost optimization, and governance; a YAML DSL for policies that query, filter, and take actions on resources.
Amazon Web Services
Prowler: Open source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
AWS Security Toolbox: Single Docker container combining several popular security tools.
Quiet Riot: Unauthenticated enumeration of services, roles, and users in an AWS account or in every AWS account in existence.
CloudMapper: Helps analyze your AWS environments, including auditing for security issues.
aws-sso-reporter: Uses the AWS SSO API to list all users, accounts, permission sets etc. and dumps it into a CSV file for additional parsing or viewing.
Sustainable Personal Accounts: Adds custom maintenance windows for AWS accounts, allowing automatic resource preparation and purging.
Disposable Cloud Environment: Allows users to "lease" an AWS account for a defined period of time and with a limited budget. At the end of the lease, or if the lease's budget is reached, the account is wiped clean and returned to the account pool so it may be leased again.
superwerker: A free, open-source solution that lets you quickly set up an AWS Cloud environment following best practices for security and efficiency.
Microsoft Azure
Azucar: Security auditing tool for Azure environments.
Google Cloud Platform
remora: A tool that automates the lifecycle management of unused projects in an organization.
Stratus Red Team: Granular, actionable adversary emulation for the cloud.
PurplePanda: Identifies privilege escalation paths within and across different clouds (currently supports GCP, GitHub, and Kubernetes).
Observability
DefectDojo: DevSecOps and vulnerability management tool.
AWS CloudSaga: Test security controls and alerts within AWS, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).
Cloud Security Orienteering Checklist: How to orienteer in a cloud environment, dig in to identify the risks that matter, and put together actionable plans that address short, medium, and long term goals.
KustomizeGoat: Vulnerable Kustomize Kubernetes templates for training and education.
CI/CD Goat: A deliberately vulnerable CI/CD environment.
DevOps The Hard Way: Free labs for setting up an entire workflow and DevOps environment from a real-world perspective in AWS.
Container.Training: Slides and code samples for training, tutorials, and workshops about Docker, containers, and Kubernetes.
S3 Game Galaxy: A series of challenges to learn S3 features.
TerraGoat: A terraformed learning and training environment that demonstrates how common configuration errors can find their way into production cloud environments. Covers AWS, Azure, and GCP.
SadServers: A SaaS where users can test their Linux troubleshooting skills on real Linux servers in a "Capture the Flag" fashion.
News & Social
tl;dr sec: Best newsletter source for tools, blog posts, conference talks, and original research. By Clint Gibler.
CloudSecList: A low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape. By Marco Lancini.
This Week in Security: A weekly tl;dr cybersecurity newsletter of all the major stuff you missed, but really need to know. By Zack Whittaker.
Awesome Security Newsletters: Newsletters and Twitter lists that capture the latest news, summaries of conference talks, research, best practices, tools, events, vulnerabilities, and analysis of trending threats and attacks.