14 repositorios
Security scanning for infrastructure configuration files.
Distinguishing note: Focuses on automated configuration analysis.
Explore 14 awesome GitHub repositories matching security & cryptography · Infrastructure as Code Security. Refine with filters or upvote what's useful.
The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentral
Scans configuration files to protect cloud environments from misconfigurations.
Subfinder is a security reconnaissance framework designed for subdomain enumeration and attack surface management. It functions as a discovery engine that identifies and maps internet-exposed infrastructure, cloud-hosted assets, and network ranges to maintain a comprehensive inventory of an organization's digital footprint. The project distinguishes itself through a modular, template-driven scanning engine that executes security checks against discovered assets. It leverages cloud-native asset discovery to query provider APIs and infrastructure metadata, while supporting distributed agent orc
Identifies security findings such as dangling DNS records or exposed origin IP addresses during asset enumeration.
Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor. The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Mo
Performs automated security scanning of infrastructure configuration files and manifests.
Kubescape is a security platform for Kubernetes that provides tools for scanning clusters, configurations, and container images against industry compliance and security benchmarks. It functions as a suite of security utilities, including a compliance auditor, a misconfiguration scanner, and a container vulnerability scanner. The project differentiates itself through automated remediation and active enforcement. It can automatically patch operating system vulnerabilities in images and fix security errors within manifest files. It also utilizes an admission controller to block the deployment of
Analyzes Kubernetes manifests and cluster states to identify and remediate security risks and misconfigurations.
Nikto is an open-source HTTP security auditing tool and web server vulnerability scanner. It functions as a reconnaissance engine designed to identify insecure server options, outdated software, and common vulnerabilities by analyzing HTTP responses. The project differentiates itself through capabilities for intrusion detection evasion and web server fingerprinting. It uses request-level encoding and timing spacers to bypass security filters and employs signature-based identification to determine specific server software versions and misconfigurations. The scanner covers broad capability are
Identifies insecure server options and configuration errors that could expose the system to attack.
Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security
Provides automated security scanning for infrastructure configuration files across various cloud providers.
tfsec is a static analysis tool and infrastructure as code linter designed to detect security misconfigurations and compliance violations in Terraform infrastructure code. It functions as a cloud security posture tool and policy enforcement engine that evaluates configurations against established security benchmarks. The tool provides multi-cloud security auditing for providers including AWS, Azure, Google Cloud, and Kubernetes, as well as specialized scanning for DigitalOcean, OpenStack, CloudStack, and GitHub configurations. It identifies insecure settings such as public access or unencrypt
Provides automated security scanning and misconfiguration detection for infrastructure-as-code configuration files.
tfsec is a static analysis tool and security scanner for infrastructure as code, specifically designed to detect misconfigurations and compliance violations in Terraform and cloud infrastructure definitions before deployment. It functions as a cloud security policy engine that identifies vulnerabilities across multiple cloud platforms. The tool provides capabilities for cloud compliance auditing and scanning of Cloud Development Kit code. It supports custom security policy enforcement and allows for the definition of organization-specific security requirements. The scanner includes features
Scans Terraform and cloud configuration files to identify security misconfigurations before deployment.
tfsec is a static analysis tool and security scanner for Terraform configuration files. It functions as an infrastructure as code security scanner and compliance linter designed to detect misconfigurations and vulnerabilities across multiple cloud providers before resources are deployed. The tool identifies security risks by analyzing infrastructure code and variable files to evaluate the final state of the environment. It supports custom policy enforcement and allows for the suppression of specific security warnings through inline comments. Its capabilities cover cloud security posture mana
Performs automated security scanning of infrastructure configuration files to ensure compliance.
Cloud Custodian es un motor de gobernanza multinube y herramienta de cumplimiento de políticas diseñado para automatizar la seguridad, el cumplimiento y la optimización de costos en varios proveedores de nube. Funciona como un motor de reglas que utiliza un lenguaje de dominio específico declarativo para consultar recursos en la nube y ejecutar acciones correctivas basadas en filtros predefinidos. El sistema opera como un orquestador de políticas sin servidor (serverless), desplegando funciones específicas del proveedor para activar la aplicación en tiempo real en respuesta a cambios en los recursos de la nube. Proporciona una abstracción de recursos agnóstica del proveedor para mantener políticas operativas consistentes en múltiples cuentas, suscripciones y proyectos. Sus capacidades cubren la auditoría de infraestructura en la nube, incluido el análisis de activos dentro de pipelines de integración continua y la generación de informes de cumplimiento. La herramienta también admite la optimización de costos para identificar y eliminar recursos no utilizados e incluye un modo de simulación para identificar los recursos afectados sin aplicar cambios reales.
Performs security scanning on infrastructure configuration files within development and CI pipelines.
Naabu is a port scanner library and tool that probes hosts for open ports using SYN, CONNECT, and UDP methods to identify active services. It functions as a Go library for embedding port scanning into programs, and as a standalone tool that accepts targets as hostnames, IP addresses, CIDR ranges, or ASN numbers. The tool discovers live hosts before scanning, filters ports by range or top lists, and can integrate with Nmap for service version detection. The project distinguishes itself through its SYN-based port probing approach that sends TCP SYN packets and analyzes responses without complet
Retrieves infrastructure misconfiguration findings such as dangling DNS and origin IP exposure.
Snyk is an application security testing platform designed to identify and remediate vulnerabilities across source code, open-source dependencies, container images, and infrastructure-as-code configurations. It functions as a comprehensive security workflow automation tool, utilizing a static analysis engine and dependency graph mapping to detect security flaws and license compliance issues throughout the software development lifecycle. The platform distinguishes itself through agentic workflow orchestration and an automated remediation pipeline that generates and submits pull requests to patc
Scans configuration files and container images to detect security misconfigurations and vulnerabilities before deployment to production environments.
Terrascan es una herramienta de análisis estático diseñada para evaluar archivos de configuración de infraestructura como código en busca de vulnerabilidades de seguridad y violaciones de cumplimiento. Al analizar estos archivos en una representación intermedia, identifica riesgos antes de que se aprovisionen los recursos en la nube, sirviendo como auditor de cumplimiento para entornos nativos de la nube. La herramienta funciona como un motor de política como código, permitiendo a los usuarios definir y hacer cumplir reglas de seguridad personalizadas y puntos de referencia de la industria utilizando un lenguaje de consulta especializado. Se distingue por su capacidad para integrarse directamente en los flujos de trabajo de desarrollo y despliegue, proporcionando barreras de seguridad automatizadas que pueden bloquear despliegues no conformes mediante informes basados en códigos de salida. Más allá del análisis estático, la plataforma soporta el escaneo de vulnerabilidades de registro de contenedores para correlacionar riesgos basados en imágenes con configuraciones de infraestructura. También proporciona monitoreo de deriva de configuración para rastrear los recursos aprovisionados frente a las líneas base de seguridad establecidas, junto con mecanismos de supresión basados en configuración para gestionar anulaciones de políticas y falsos positivos. El software ofrece tanto una interfaz de línea de comandos para la validación de desarrollo local como una API de escaneo accesible por red para la integración remota con sistemas de terceros y pipelines automatizados.
Scans infrastructure-as-code files for security vulnerabilities and misconfigurations before provisioning.
RBAC Manager is a Kubernetes operator that automates the management of role-based access control and service account permissions. It functions as a controller that synchronizes cluster authorization resources with user-defined configuration files, ensuring that security settings remain consistent with established requirements. The system operates by monitoring the cluster API for changes and reconciling the current state against declarative manifests. By treating authorization as infrastructure as code, it enables teams to manage permissions through version-controlled files rather than manual
Automates the deployment of security policies and role bindings as infrastructure-as-code.