14 Repos
Security scanning for infrastructure configuration files.
Distinguishing note: Focuses on automated configuration analysis.
Explore 14 awesome GitHub repositories matching security & cryptography · Infrastructure as Code Security. Refine with filters or upvote what's useful.
The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentral
Scans configuration files to protect cloud environments from misconfigurations.
Subfinder is a security reconnaissance framework designed for subdomain enumeration and attack surface management. It functions as a discovery engine that identifies and maps internet-exposed infrastructure, cloud-hosted assets, and network ranges to maintain a comprehensive inventory of an organization's digital footprint. The project distinguishes itself through a modular, template-driven scanning engine that executes security checks against discovered assets. It leverages cloud-native asset discovery to query provider APIs and infrastructure metadata, while supporting distributed agent orc
Identifies security findings such as dangling DNS records or exposed origin IP addresses during asset enumeration.
Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor. The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Mo
Performs automated security scanning of infrastructure configuration files and manifests.
Kubescape is a security platform for Kubernetes that provides tools for scanning clusters, configurations, and container images against industry compliance and security benchmarks. It functions as a suite of security utilities, including a compliance auditor, a misconfiguration scanner, and a container vulnerability scanner. The project differentiates itself through automated remediation and active enforcement. It can automatically patch operating system vulnerabilities in images and fix security errors within manifest files. It also utilizes an admission controller to block the deployment of
Analyzes Kubernetes manifests and cluster states to identify and remediate security risks and misconfigurations.
Nikto is an open-source HTTP security auditing tool and web server vulnerability scanner. It functions as a reconnaissance engine designed to identify insecure server options, outdated software, and common vulnerabilities by analyzing HTTP responses. The project differentiates itself through capabilities for intrusion detection evasion and web server fingerprinting. It uses request-level encoding and timing spacers to bypass security filters and employs signature-based identification to determine specific server software versions and misconfigurations. The scanner covers broad capability are
Identifies insecure server options and configuration errors that could expose the system to attack.
Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security
Provides automated security scanning for infrastructure configuration files across various cloud providers.
tfsec is a static analysis tool and infrastructure as code linter designed to detect security misconfigurations and compliance violations in Terraform infrastructure code. It functions as a cloud security posture tool and policy enforcement engine that evaluates configurations against established security benchmarks. The tool provides multi-cloud security auditing for providers including AWS, Azure, Google Cloud, and Kubernetes, as well as specialized scanning for DigitalOcean, OpenStack, CloudStack, and GitHub configurations. It identifies insecure settings such as public access or unencrypt
Provides automated security scanning and misconfiguration detection for infrastructure-as-code configuration files.
tfsec is a static analysis tool and security scanner for Terraform configuration files. It functions as an infrastructure as code security scanner and compliance linter designed to detect misconfigurations and vulnerabilities across multiple cloud providers before resources are deployed. The tool identifies security risks by analyzing infrastructure code and variable files to evaluate the final state of the environment. It supports custom policy enforcement and allows for the suppression of specific security warnings through inline comments. Its capabilities cover cloud security posture mana
Performs automated security scanning of infrastructure configuration files to ensure compliance.
tfsec is a static analysis tool and security scanner for infrastructure as code, specifically designed to detect misconfigurations and compliance violations in Terraform and cloud infrastructure definitions before deployment. It functions as a cloud security policy engine that identifies vulnerabilities across multiple cloud platforms. The tool provides capabilities for cloud compliance auditing and scanning of Cloud Development Kit code. It supports custom security policy enforcement and allows for the definition of organization-specific security requirements. The scanner includes features
Scans Terraform and cloud configuration files to identify security misconfigurations before deployment.
Cloud Custodian ist eine Multi-Cloud-Governance-Engine und ein Richtliniendurchsetzungstool, das dazu entwickelt wurde, Sicherheit, Compliance und Kostenoptimierung über verschiedene Cloud-Anbieter hinweg zu automatisieren. Es fungiert als Regel-Engine, die eine deklarative, domänenspezifische Sprache verwendet, um Cloud-Ressourcen abzufragen und korrigierende Maßnahmen basierend auf vordefinierten Filtern auszuführen. Das System arbeitet als serverloser Richtlinien-Orchestrator, der anbieterspezifische Funktionen bereitstellt, um eine Echtzeit-Durchsetzung als Reaktion auf Änderungen an Cloud-Ressourcen auszulösen. Es bietet eine anbieterunabhängige Ressourcenabstraktion, um konsistente operative Richtlinien über mehrere Konten, Abonnements und Projekte hinweg aufrechtzuerhalten. Die Funktionen decken die Prüfung der Cloud-Infrastruktur ab, einschließlich der Analyse von Assets innerhalb von Continuous-Integration-Pipelines und der Generierung von Compliance-Berichten. Das Tool unterstützt zudem die Kostenoptimierung, um ungenutzte Ressourcen zu identifizieren und zu entfernen, und enthält einen Simulationsmodus, um betroffene Ressourcen zu identifizieren, ohne tatsächliche Änderungen anzuwenden.
Performs security scanning on infrastructure configuration files within development and CI pipelines.
Naabu is a port scanner library and tool that probes hosts for open ports using SYN, CONNECT, and UDP methods to identify active services. It functions as a Go library for embedding port scanning into programs, and as a standalone tool that accepts targets as hostnames, IP addresses, CIDR ranges, or ASN numbers. The tool discovers live hosts before scanning, filters ports by range or top lists, and can integrate with Nmap for service version detection. The project distinguishes itself through its SYN-based port probing approach that sends TCP SYN packets and analyzes responses without complet
Retrieves infrastructure misconfiguration findings such as dangling DNS and origin IP exposure.
Snyk is an application security testing platform designed to identify and remediate vulnerabilities across source code, open-source dependencies, container images, and infrastructure-as-code configurations. It functions as a comprehensive security workflow automation tool, utilizing a static analysis engine and dependency graph mapping to detect security flaws and license compliance issues throughout the software development lifecycle. The platform distinguishes itself through agentic workflow orchestration and an automated remediation pipeline that generates and submits pull requests to patc
Scans configuration files and container images to detect security misconfigurations and vulnerabilities before deployment to production environments.
Terrascan ist ein statisches Analysetool, das entwickelt wurde, um Infrastructure-as-Code-Konfigurationsdateien auf Sicherheitslücken und Compliance-Verstöße zu prüfen. Durch das Parsen dieser Dateien in eine Zwischenrepräsentation identifiziert es Risiken, bevor Cloud-Ressourcen bereitgestellt werden, und dient als Compliance-Auditor für Cloud-native Umgebungen. Das Tool fungiert als Policy-as-Code-Engine, die es Benutzern ermöglicht, benutzerdefinierte Sicherheitsregeln und Industriestandards mithilfe einer spezialisierten Abfragesprache zu definieren und durchzusetzen. Es zeichnet sich durch seine Fähigkeit aus, sich direkt in Entwicklungs- und Deployment-Workflows zu integrieren und automatisierte Sicherheitsleitplanken bereitzustellen, die nicht konforme Deployments über Exit-Code-basiertes Reporting blockieren können. Über die statische Analyse hinaus unterstützt die Plattform das Scannen von Container-Registries auf Schwachstellen, um bildbasierte Risiken mit Infrastrukturkonfigurationen zu korrelieren. Sie bietet zudem Monitoring für Konfigurationsabweichungen (Configuration Drift), um bereitgestellte Ressourcen gegen etablierte Sicherheits-Baselines zu verfolgen, sowie konfigurationsgesteuerte Unterdrückungsmechanismen zur Verwaltung von Richtlinien-Overrides und False Positives. Die Software bietet sowohl ein Command-Line-Interface für die lokale Entwicklungsvalidierung als auch eine netzwerkzugängliche Scanning-API für die Remote-Integration mit Drittsystemen und automatisierten Pipelines.
Scans infrastructure-as-code files for security vulnerabilities and misconfigurations before provisioning.
RBAC Manager is a Kubernetes operator that automates the management of role-based access control and service account permissions. It functions as a controller that synchronizes cluster authorization resources with user-defined configuration files, ensuring that security settings remain consistent with established requirements. The system operates by monitoring the cluster API for changes and reconciling the current state against declarative manifests. By treating authorization as infrastructure as code, it enables teams to manage permissions through version-controlled files rather than manual
Automates the deployment of security policies and role bindings as infrastructure-as-code.