Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
Testssl
is a free command line tool which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Distroless Container Images
https://github.com/GoogleContainerTools/distroless
Less is more.
“Distroless” images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.
Semgrep
Semgrep helps security engineers and developers find and fix the issues that matter before production.
php security
https://github.com/FloeDesignTechnologies/phpcs-security-audit
phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.
nodejsscan – Static security code scanner (SAST) for Node.js
Bandit – A security linter from PyCQA
OWASP Docker Top 10
https://owasp.org/www-project-docker-top-10/
The OWASP Docker Top 10 project is giving you ten bullet points to plan and implement a secure docker-based container environment.
OWASP API Security Project
https://owasp.org/www-project-api-security/
API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs).
OWASP Top 10
https://owasp.org/www-project-top-ten/
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
OWASP Cheat Sheet Series
https://cheatsheetseries.owasp.org/
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Threagile
Threagile enables teams to execute Agile Threat Modeling as seamless as possible, even highly-integrated into DevSecOps environments.
kube-bench
https://github.com/aquasecurity/kube-bench
kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
Docker Bench for Security
https://github.com/docker/docker-bench-security
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the CIS Docker Benchmark v1.6.0.
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
The 18 CIS Critical Security Controls
CIS Benchmarks List
The CIS Benchmarks are prescriptive configuration recommendations for more than 25+ vendor product families. They represent the consensus-based effort of cybersecurity experts globally to help you protect your systems against threats more confidently.
LicenseFinder
https://github.com/pivotal/LicenseFinder
LicenseFinder works with your package managers to find dependencies, detect the licenses of the packages in them, compare those licenses against a user-defined list of permitted licenses, and give you an actionable exception report.
CVEDetails
Retire.js
Retire.js has these parts:
- A command line scanner
- A grunt plugin
- A Chrome extension
- A Firefox extension
- Burp and ZAP plugin
Trivy
https://github.com/aquasecurity/trivy
Trivy (pronunciation) is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.