119 repositorios
Platforms for monitoring, auditing, and securing cloud infrastructure.
Explore 119 awesome GitHub repositories matching part of an awesome list · Cloud Security. Refine with filters or upvote what's useful.
Dive is a command-line tool designed for the analysis and optimization of container images. It functions as a layered storage inspector, allowing users to decompose image manifests to examine individual filesystem layers and identify opportunities to reduce total image size. The tool features a filesystem diffing engine that calculates net changes between sequential layers to highlight redundant data and storage inefficiencies. Users interact with this data through a terminal-based dashboard that provides keyboard-driven navigation of complex file structures and layer metadata. By abstracting
Analyzes Docker image layers for security and size.
etcd is a distributed, strongly consistent key-value store designed to provide reliable storage for critical system metadata and coordination primitives. It functions as a distributed consensus engine, utilizing a replicated log and leader-based state machine to ensure that all nodes in a cluster maintain a synchronized view of data. By providing atomic operations and linearizable reads and writes, it serves as a foundational component for distributed systems requiring high availability and fault tolerance. The system distinguishes itself through its multi-version concurrency control, which e
Distributed key-value store used in Kubernetes.
This project is a terminal-based dashboard for managing Kubernetes clusters. It provides a character-based interface that enables real-time monitoring and interactive control of containerized workloads, allowing users to perform administrative tasks such as scaling deployments, viewing logs, and managing port forwarding directly from the command line. The interface is designed for high-speed navigation, utilizing a keyboard-driven command system that maps input sequences to specific operational actions. It maintains an accurate view of the cluster state through asynchronous event polling, ens
Terminal-based UI for managing Kubernetes clusters.
Minikube is a command-line tool designed for local Kubernetes development, enabling users to provision and manage full-featured container clusters directly on a workstation. It serves as a local orchestrator that automates the lifecycle of isolated environments, allowing developers to start, stop, pause, and delete clusters to support testing and integration workflows. The project distinguishes itself through its flexible architecture, which supports multiple virtualization drivers and container runtimes to accommodate diverse host environments. It provides deep integration between the host a
Tool for running local Kubernetes clusters.
This project is a local Kubernetes cluster manager and tool that runs control plane and worker nodes as containers on a host machine. It provides an environment for local development and automated testing by emulating a full Kubernetes cluster within a container runtime. The tool enables the creation of multi-node topologies and high-availability control planes through configuration files. It supports image sideloading to transfer container images directly from the host to nodes, bypassing remote registries, and allows for offline deployments using pre-built node images. Capabilities include
Runs local Kubernetes clusters using Docker containers.
Prowler is a multi-cloud security scanner and security posture management tool. It automates security and compliance assessments across multiple cloud environments to identify misconfigurations and vulnerabilities. The project provides a multi-cloud security analysis engine that operates as an automated auditor, evaluating infrastructure against industry-standard regulatory frameworks and security benchmarks. It features a cloud security visualization dashboard that uses a graph database to map cloud inventory and visualize potential attack paths. Capabilities include automated cloud infrast
Security best practices assessment tool for AWS environments.
Prowler is a multi-cloud security posture management platform and vulnerability scanner. It provides tools for automating security audits, evaluating cloud infrastructure against regulatory compliance frameworks, and managing security assessments through a dedicated analysis dashboard. The project distinguishes itself by providing an AI-driven security context server that feeds structured data to AI assistants for automated risk analysis. It also employs graph-based attack path mapping to visualize potential lateral movement and exploitation routes across cloud inventories. The platform cove
Audits AWS security against CIS benchmarks.
Canopy is the official Go implementation of a blockchain node that runs a recursive network architecture, enabling new blockchains to launch as dependent layers that can later graduate into fully independent security roots. The project provides a hybrid consensus mechanism that combines Byzantine fault-tolerant Proof-of-Stake with Verifiable-Delay Functions, delivering instant finality while protecting against long-range attacks through trustless chain age verification. Validators secure multiple chains simultaneously through restaking, where a single bonded stake serves as collateral across t
Sets economic barriers for chains to obtain security from a root based on market demand.
This project is a security compliance tool and configuration auditor designed to evaluate Docker deployments against industry security benchmarks. It functions as a script-based scanner that identifies misconfigurations and vulnerabilities within both the host operating system and container settings. The tool specifically implements the Center for Internet Security standards for Docker to verify host and container configurations. It enables a hardening workflow by comparing system states against these standards to identify security gaps and document compliance status. The audit engine suppor
Checks Docker containers against CIS security benchmarks.
Firezone is a zero trust network access platform that uses WireGuard to provide identity-based connectivity to internal network resources. It functions as a virtual private network that synchronizes authentication and user groups via OpenID Connect providers. The system implements a group-based access control engine to enforce least privilege by restricting network resources to specific user groups. It utilizes holepunching and relay protocols for NAT traversal to establish encrypted tunnels through firewalls without requiring inbound ports. The platform includes a control plane for managing
VPN server and firewall management for teams.
kube-bench is a Kubernetes security benchmark scanner and configuration auditor. It verifies if a cluster adheres to the Center for Internet Security standards and other hardening guides to identify security misconfigurations and vulnerabilities. The tool operates as a containerized security scanner, utilizing host namespaces to analyze nodes and control plane components without requiring the installation of binaries directly on the host. It supports multiple Kubernetes distributions, applying environment-specific benchmarks to ensure auditing accuracy for managed services. The project cover
Audits Kubernetes clusters against CIS benchmarks.
ScoutSuite is a multi-cloud security audit and configuration tool designed to identify security risks and misconfigurations across cloud environments. It functions as a security posture manager and compliance auditor, gathering resource metadata from cloud APIs to evaluate infrastructure against security benchmarks. The tool provides auditing capabilities for AWS, Google Cloud, DigitalOcean, and Kubernetes clusters and control planes. It distinguishes itself by decoupling data collection from analysis, allowing users to cache cloud configurations locally for offline auditing and iterative rul
Multi-cloud security auditing tool for configuration assessment.
The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications. The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
Teaches fundamental security concepts for securing container-based applications in cloud native environments.
CloudQuery is a cloud infrastructure ETL tool and multi-cloud data pipeline designed to collect, synchronize, and normalize resource metadata from various cloud providers and SaaS platforms. It functions as a centralized asset inventory manager and security posture manager, extracting configuration and state data into relational databases, data lakes, or data warehouses. The system distinguishes itself by transforming complex, nested cloud API responses into flat relational tables, enabling the use of standard SQL for asset querying and analysis. It employs a modular plugin system for data ex
Transforms cloud infrastructure into queryable SQL tables.
Analyzes AWS environments for security posture.
Security-101 is a vendor-agnostic, foundational cybersecurity learning curriculum organized into modular, framework-aligned modules. It is designed to build core knowledge across multiple security domains without tying content to specific products or platforms, making it suitable for both beginners and professionals seeking a structured introduction to the field. The curriculum is built around established security frameworks, including the MITRE ATT&CK framework for standardized threat analysis and the NIST Cybersecurity Framework for incident response workflows. It covers a broad range of do
Covers cloud-based security services that combine network security and wide-area networking.
A courseware built on the belief that anyone can learn foundational cloud engineering skills with the right guide and discipline
Provides curriculum on IAM, secrets management, network controls, and incident response for cloud apps.
ThreatMapper es una plataforma de protección de aplicaciones nativas de la nube y escáner de seguridad de infraestructura. Funciona como un sistema de gestión de vulnerabilidades y recolector de telemetría de cargas de trabajo en la nube diseñado para monitorear cargas de trabajo y detectar riesgos de seguridad en entornos de nube y contenedores. La plataforma se distingue por un visualizador de tráfico de red que utiliza aprendizaje automático para clasificar patrones de comunicación y un sistema de mapeo de ataques basado en grafos para identificar rutas de alto riesgo entre vulnerabilidades y dependencias de red. Sus capacidades más amplias cubren la auditoría de cumplimiento de infraestructura en la nube frente a benchmarks de seguridad, detección de amenazas en producción para malware y secretos expuestos, y la recolección de paquetes de red y telemetría de cargas de trabajo a través de sensores distribuidos. El despliegue de componentes de escaneo a través de entornos de nube, clústeres y máquinas virtuales se gestiona mediante herramientas de contenedores e infraestructura como código.
Runtime vulnerability and compliance scanner for cloud environments.
Pacu es un framework de explotación diseñado para auditar y probar la seguridad de entornos de Amazon Web Services. Sirve como herramienta de pruebas de penetración en la nube y enumerador de recursos utilizado para identificar configuraciones erróneas, mapear superficies de ataque y ejecutar rutas de escalada de privilegios. El framework proporciona capacidades especializadas para operaciones de post-explotación y equipos rojos (red team), incluyendo el establecimiento de persistencia mediante la creación de puertas traseras en la gestión de identidad y acceso. Se distingue por un sistema de módulos basado en plugins que permite el desarrollo de tareas personalizadas y la orquestación de solicitudes de API en múltiples regiones geográficas. El proyecto cubre una amplia gama de actividades de auditoría de seguridad, incluyendo enumeración de infraestructura, exfiltración de datos de servicios de almacenamiento y auditoría de identidad. Incluye herramientas para la ejecución remota de código mediante inyección de carga útil y scripts de inicio, así como capacidades para interrumpir servicios de detección y analizar el movimiento lateral en la red. Pacu gestiona claves de autenticación específicas del objetivo y metadatos de sesión utilizando contenedores aislados y una base de datos local para mantener el estado y reducir las llamadas a la API.
Exploitation framework for testing AWS security.
Kube-hunter es un escáner de seguridad y cazador de vulnerabilidades para clústeres de Kubernetes. Opera como una herramienta de penetración nativa de la nube diseñada para identificar debilidades de seguridad, configuraciones erróneas de infraestructura y brechas explotables mediante la simulación de técnicas de atacantes. La herramienta se distingue por un motor de escaneo de modo dual que ejecuta tanto sondas externas remotas como escaneos de red internos. Cuenta con suplantación de identidad basada en roles, lo que le permite utilizar tokens de cuentas de servicio e identidades de pod para simular el acceso de seguridad desde roles de clúster específicos y determinar el radio de explosión potencial de un compromiso de contenedor. El proyecto cubre una amplia superficie de capacidades de evaluación de seguridad, incluyendo escaneo de vulnerabilidades de clúster, mapeo de topología de red interna y verificación de cumplimiento. Puede detectar secretos expuestos, analizar plantillas de infraestructura en busca de configuraciones erróneas y realizar intentos de explotación activa para verificar que las vulnerabilidades descubiertas sean aprovechables. La aplicación se empaqueta como un ejecutable independiente para eliminar dependencias de tiempo de ejecución durante el despliegue.
Scans Kubernetes clusters for security weaknesses.