14 Repos
Security and compliance scanning for infrastructure configuration files.
Explore 14 awesome GitHub repositories matching part of an awesome list · Infrastructure as Code Analysis. Refine with filters or upvote what's useful.
Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain. The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations agai
Comprehensive vulnerability scanner for container environments.
Grype is a command-line security scanner designed to identify known vulnerabilities within container images, filesystems, and software manifests. It functions as a software composition analysis tool that detects security flaws in application components and open-source libraries to support supply chain security. The tool distinguishes itself by reconstructing the final state of container images through layered filesystem inspection and normalizing diverse package formats into a unified dependency graph. It maintains a local cache of security advisories synchronized from multiple upstream sourc
Vulnerability scanner for container images and filesystems.
Hadolint ist ein statisches Analysetool zur Validierung von Container-Build-Konfigurationen. Es fungiert als Sicherheitsscanner und Konfigurationsprüfer, der Build-Anweisungen in ein strukturiertes Format parst, um Abweichungen von Sicherheits- und Effizienzstandards zu identifizieren. Das Tool zeichnet sich durch eine tiefgehende Inspektion eingebetteter Shell-Befehle aus. Durch das Tokenisieren und Analysieren dieser Skripte erkennt es häufige Skriptfehler und Sicherheitslücken, die ansonsten innerhalb eines Container-Images bestehen bleiben könnten. Es integriert externe Analysetools, um eine spezialisierte Validierung für diese Inline-Befehle bereitzustellen und sicherzustellen, dass sowohl die Containerstruktur als auch die Ausführungslogik bewertet werden. Über die grundlegende Syntaxprüfung hinaus unterstützt das Dienstprogramm automatisierte Workflows durch die Identifizierung ineffizienter Layer-Erstellung und unsicherer Konfigurationseinstellungen. Es ist für die Integration in Continuous-Integration- und Deployment-Pipelines konzipiert, um Konfigurationsprobleme zu erkennen, bevor Images gebaut werden. Das Projekt bietet eine Befehlszeilenschnittstelle zur Ausführung dieser Audits über Container-Definitionen hinweg.
Validates Dockerfiles against best-practice rules.
Clair is a container image vulnerability scanner and security analyzer. It performs static analysis of container images by matching package contents against vulnerability databases to identify security risks across different package formats and architectures. The project functions as both an image indexer and a vulnerability database manager. It processes container layers into intermediate representations to enable fast security lookups and synchronizes security metadata from multiple external sources to maintain a local registry. Capability areas include continuous security monitoring, whic
Scans container images for known vulnerabilities.
This project is a security compliance tool and configuration auditor designed to evaluate Docker deployments against industry security benchmarks. It functions as a script-based scanner that identifies misconfigurations and vulnerabilities within both the host operating system and container settings. The tool specifically implements the Center for Internet Security standards for Docker to verify host and container configurations. It enables a hardening workflow by comparing system states against these standards to identify security gaps and document compliance status. The audit engine suppor
Checks container deployments against security best practices.
Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security
Scans Terraform, CloudFormation, and Kubernetes for insecure configurations.
tfsec is a static analysis tool and security scanner for Terraform configuration files. It functions as an infrastructure as code security scanner and compliance linter designed to detect misconfigurations and vulnerabilities across multiple cloud providers before resources are deployed. The tool identifies security risks by analyzing infrastructure code and variable files to evaluate the final state of the environment. It supports custom policy enforcement and allows for the suppression of specific security warnings through inline comments. Its capabilities cover cloud security posture mana
Scans Terraform templates for security misconfigurations.
Terrascan ist ein Security-Scanner für Infrastructure-as-Code und ein Cloud-Konfigurations-Auditor, der entwickelt wurde, um Sicherheitsverletzungen und Compliance-Risiken in Cloud-Templates und Dockerfiles vor der Bereitstellung zu erkennen. Es nutzt den Open Policy Agent, um Infrastruktur-Templates sowohl gegen Standard-Sicherheitsrichtlinien als auch gegen benutzerdefinierte organisatorische Regeln zu evaluieren. Das Projekt fungiert als Sicherheitsleitplanke innerhalb von Build-Pipelines und blockiert riskante Deployments, indem es die Scanning-Logik direkt in CI/CD-Workflows integriert. Es enthält zudem einen Container-Registry-Vulnerability-Scanner, der Schwachstellendaten aus Registries sammelt, um Sicherheitsberichte für die Infrastruktur zu ergänzen. Das Toolset deckt Cloud-Compliance-Auditing, lokale Sicherheits-Tests während der Entwicklung und Policy-Enforcement ab. Es bietet eine Abfragesprache zur Definition benutzerdefinierter Sicherheitsanforderungen und unterstützt die Unterdrückung von Ergebnissen über Konfigurationsdateien, um Richtlinienverstöße zu verwalten. Scanning-Funktionen können über ein Command-Line-Interface oder einen Hintergrund-API-Server für externe Orchestrierung aufgerufen werden.
Identifies security violations in cloud-native infrastructure code.
Ansible-lint is a static analysis tool and YAML scanner designed to enforce coding standards and best practices for Ansible playbooks. It functions as a linter and automated fixer that identifies suboptimal patterns and behavioral errors within infrastructure-as-code configuration files. The project provides capabilities for automated linting correction, allowing it to programmatically fix common styling and behavioral issues. It also includes pre-configured pipeline actions for integrating these validation checks into continuous integration workflows. The tool utilizes abstract syntax tree
Checks Ansible playbooks for best practices and potential issues.
Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
Analyzes Kubernetes object definitions for security issues.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
Detects security and compliance issues in infrastructure code.
a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities
Analyzes container OS and dependencies for vulnerabilities and viruses.
Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego
Evaluates Terraform code for security and compliance before deployment.
This is a kubectl plugin for scanning Kubernetes pods, deployments, daemonsets and statefulsets with kubesec.io. By default the plugin will send scan requests to the hosted version of kubesec.io. However, it is also possible to self host the scanning service and use that for scanning instead.
Plugin for performing security risk analysis on Kubernetes resources.