A curated list of open-source security tools organized by CI/CD pipeline stage.
Security shouldn't be an afterthought. This list organizes battle-tested security tools by where they fit in your pipeline, making it easy to build defense-in-depth from commit to production.
- Pre-commit & Secrets Detection
- SBOM Generation
- Artifact Signing & Verification
- Supply Chain Compliance
- Software Composition Analysis (SCA)
- Static Application Security Testing (SAST)
- Infrastructure as Code Security
- Container Security
- Kubernetes Security
- Policy as Code
- Secret Management
- API & Dynamic Testing (DAST)
- Cloud Security
- Reading the Badges
- Contributing
- License
## Pre-commit & Secrets Detection

Catch secrets and credentials before they enter your repository.
- gitleaks - Detect and prevent secrets in git repos.
- trufflehog - Find credentials in git history and live systems.
- detect-secrets - Prevent secrets from entering codebases.
- git-secrets - Prevent committing AWS credentials and secrets.
- talisman - Pre-push and pre-commit hooks for secrets detection.
- whispers - Identify hardcoded secrets in static code analysis.
- pre-commit - Framework to manage multi-language pre-commit hooks.
## SBOM Generation

Generate Software Bill of Materials for supply chain visibility.
- syft - Generate SBOMs from container images and filesystems.
- cdxgen - Create CycloneDX SBOMs for various languages.
- cyclonedx-cli - CLI for working with CycloneDX SBOMs.
- spdx-sbom-generator - Generate SPDX format SBOMs from source code.
- tern - Software composition analysis for container images.
- sbom-tool - Microsoft's scalable SBOM generation tool.
- sbomlyze - SBOM diff and analysis tool for supply chain drift detection.
## Artifact Signing & Verification

Sign and verify container images and artifacts for supply chain security.
- cosign - Sign and verify container images.
- notation - CNCF signing and verification standard (Notary Project).
## Supply Chain Compliance

Audit and verify supply chain security against industry benchmarks.
- chain-bench - Audit supply chain against CIS benchmarks.
## Software Composition Analysis (SCA)

Scan dependencies for known vulnerabilities.
- grype - Vulnerability scanner for container images and filesystems.
- trivy - All-in-one security scanner for vulnerabilities and misconfigurations.
- osv-scanner - Vulnerability scanner using the OSV database.
- dependency-track - Intelligent component analysis platform.
- snyk-cli - Find and fix vulnerabilities in dependencies.
- bomber - Scan SBOMs for vulnerabilities.
- vet - Policy-driven dependency vetting tool.
- deps.dev - Google's dependency insights service (API/Website).
- safe-chain - Block malicious packages during npm/pip install.
## Static Application Security Testing (SAST)

Analyze source code for security vulnerabilities.
Tools that support multiple programming languages.
- semgrep - Lightweight static analysis for many languages.
- bearer - Code security scanner for data flows.
- horusec - Multi-language security analysis tool.
- codeql - Semantic code analysis engine by GitHub.
- sonarqube - Continuous inspection of code quality and security.
- spotbugs - Static analysis tool for finding bugs in Java.
Specialized tools for individual programming languages.
- bandit - Security linter for Python code.
- safety - Check Python dependencies for vulnerabilities.
- pyre-check - Performant type checker with security analysis.
- njsscan - Semantic SAST tool for Node.js applications.
- eslint-plugin-security - ESLint rules for Node.js security.
- gosec - Security checker for Go source code.
- brakeman - Static analysis for Ruby on Rails applications.
- cargo-audit - Audit Cargo.lock for crates with security vulnerabilities.
## Infrastructure as Code Security

Scan infrastructure configurations for security misconfigurations.
- checkov - Scan cloud infrastructure configurations.
- tfsec - Security scanner for Terraform code.
- terrascan - Detect compliance and security violations in IaC.
- kics - Find security vulnerabilities and compliance issues in IaC.
- trivy - Also scans IaC misconfigurations (Terraform, CloudFormation, etc.).
- snyk-iac - Infrastructure as Code security scanning.
- cfn-lint - AWS CloudFormation linter with security rules.
- zizmor - Static analysis for GitHub Actions workflows.
## Container Security

Secure container images and runtime environments.
Scan container images for vulnerabilities before deployment.
- trivy - Comprehensive vulnerability scanner for containers.
- grype - Vulnerability scanner for container images.
- clair - Vulnerability static analysis for containers.
- anchore-engine - Container analysis and policy evaluation. (Deprecated: migrate to Syft + Grype.)
- docker-bench-security - Check Docker deployment against CIS benchmarks.
- dockle - Container image linter for security best practices.
Monitor and protect containers at runtime.
- falco - Cloud-native runtime security and threat detection.
- tracee - Linux runtime security and forensics using eBPF.
- tetragon - eBPF-based security observability and runtime enforcement.
- sysdig-inspect - System call visualization and container analysis.
## Kubernetes Security

Secure Kubernetes clusters, manifests, and workloads.
- kube-bench - Check Kubernetes against CIS benchmarks.
- kubescape - Kubernetes security risk analysis and compliance.
- kube-linter - Static analysis for Kubernetes YAML and Helm charts.
- kyverno - Kubernetes native policy management.
- polaris - Validate Kubernetes best practices and policies.
- trivy-operator - Kubernetes-native security reports.
- kubiscan - Scan Kubernetes RBAC for risky permissions.
- kube-hunter - Hunt for security weaknesses in Kubernetes clusters.
## Policy as Code

Define and enforce security policies as code across your infrastructure.
- opa - Open Policy Agent, industry standard for policy as code.
- gatekeeper - OPA for Kubernetes admission control.
- datree - Prevent Kubernetes misconfigurations.
## Secret Management

Securely manage and distribute secrets in Kubernetes and GitOps workflows.
- sealed-secrets - Encrypt secrets locally, decrypt only in cluster.
- external-secrets - Sync secrets from AWS/Vault/Azure into Kubernetes.
- sops - Editor-transparent encryption for Git files.
## API & Dynamic Testing (DAST)

Test running applications for vulnerabilities.
- zap - OWASP ZAP web application security scanner.
- nuclei - Fast and customizable vulnerability scanner.
- nikto - Web server scanner for dangerous files and vulnerabilities.
- arachni - Feature-rich web application security scanner. (No longer actively maintained: consider ZAP or Nuclei instead.)
- wapiti - Web application vulnerability scanner.
- sqlmap - Automatic SQL injection detection and exploitation.
## Cloud Security

Assess and audit cloud infrastructure security posture.
- prowler - AWS, Azure, and GCP security assessments.
- cloudsplaining - AWS IAM security assessment tool.
- ScoutSuite - Multi-cloud security auditing tool.
- steampipe - Query cloud resources using SQL.
## Reading the Badges

Each tool displays status and activity badges for transparency.
Status badges are automatically updated every week by our GitHub Action to reflect current maintenance status.
| Badge | Meaning |
|---|---|
| GitHub stars | Star count, indicating community adoption |
| Last commit | Date of the most recent commit, showing exactly when the tool was last updated |
Tip: While we update status badges weekly, always verify the "Last Commit" badge for the most current information before adopting a tool.
## Contributing

Contributions are welcome! Please read the contribution guidelines first.
Before submitting:
- Repository must be at least 1 month old (anti-spam requirement)
- Repository must have at least 5 stars
- Tool must have been updated within the last 12 months
- You must disclose any affiliation with the tool
See CONTRIBUTING.md for full details.
## License

To the extent possible under law, the contributors have waived all copyright and related or neighboring rights to this work.