Post-Quantum Cryptography Libraries

The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentralized, collaborative editorial process. By utilizing a version-controlled, markdown-based workflow, the series ensures that security guidance remains vendor-neutral, peer-reviewed, and universally accessible. This structure allows the community to rapidly evolve and maintain technical documentation, ensuring that defensive strategies keep pace with emerging threats and shifting technology stacks. The project provides extensive coverage of critical security areas, including robust input validation, access control enforcement, and supply chain risk management. It offers detailed implementation guides for securing cloud-native architectures, containerized environments, and various language-specific frameworks. Furthermore, the series addresses advanced topics such as artificial intelligence agent safety, prompt injection prevention, and zero-trust architectural principles. The documentation is maintained as an open-source repository, with content transformed into a navigable web format through automated static site generation.

libsignal is a cryptographic library that implements the Signal Protocol, providing the core primitives for end-to-end encrypted messaging with forward secrecy and deniable authentication. It includes the Double Ratchet algorithm for iteratively deriving fresh encryption keys per message, and the X3DH key agreement protocol for establishing shared secrets between parties asynchronously. A session state machine maintains cryptographic state across message exchanges, supporting recovery and out-of-order delivery. The library extends beyond basic messaging encryption with capabilities such as zero-knowledge proof group membership verification, which allows confirming a user's group membership without revealing the full group roster. It also supports hardware attestation verification to validate the identity and integrity of remote hardware security modules, and provides for secure device migration—transferring account data from one device to another while preserving encryption keys. Additional scope includes a Rust C FFI bridge that exposes cryptographic functions as a cross-platform API, enabling integration from multiple programming languages without rewriting core logic. The library covers end-to-end encryption, group membership verification, and device migration security as distinct capability areas.

Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain. The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations against compliance standards and relies on a remote, periodically updated vulnerability database to maintain current detection logic without requiring binary updates. By employing static analysis pattern matching, it maps disparate scan results into a unified output schema for consistent reporting. Beyond its core scanning capabilities, the project supports cloud infrastructure auditing and deep inspection of local and remote environments. It is distributed as a single cross-platform executable, and comprehensive configuration and usage details are available in the project's official user guide.

jetson-inference is a set of libraries and tools for executing optimized deep learning models on embedded GPU hardware. Its primary purpose is to enable real-time computer vision and AI inference at the edge with low latency and high throughput. The project distinguishes itself through high-performance streaming analytics and the ability to execute concurrent AI pipelines on auto-grade silicon. It provides specialized support for multi-sensor stream processing, utilizing zero-copy data transport to load camera frames directly into GPU memory. The codebase covers a broad surface of capabilities, including real-time video analytics, object detection and tracking, and image segmentation. It also integrates hardware-accelerated decoding and TensorRT-based inference to optimize model execution on embedded platforms. The project provides a TensorRT inference wrapper and an embedded vision SDK to facilitate the deployment of neural network primitives.

CyberChef is a web-based application designed for performing complex data encoding, decoding, encryption, and analysis tasks. It provides a visual interface where users construct data transformation pipelines by chaining modular operations together, allowing raw input to be processed into a desired output format entirely within the local browser environment. The tool functions as a client-side cryptographic workbench, ensuring that all data processing logic remains local to the user's machine to maintain privacy and eliminate server-side overhead. By utilizing functional pipeline composition and state-driven synchronization, the application automatically updates its output as users modify their transformation sequences. To maintain responsiveness during intensive operations, the platform employs background thread processing and loads transformation modules on demand. The suite covers a broad range of capabilities for security incident investigation, cryptographic protocol analysis, and automated data parsing. Users can serialize their entire transformation state into a URL fragment, facilitating the sharing of complex workflows for security tool prototyping and technical research.

Vault is a centralized secrets management platform designed to secure, store, and control access to sensitive credentials such as API keys, passwords, certificates, and encryption keys. At its core, the system employs a barrier-based cryptographic sealing mechanism that requires an unseal process to decrypt internal storage, ensuring that sensitive data remains protected. It provides identity-based access control to manage granular permissions across distributed infrastructure, effectively centralizing security policies and authentication for both human and machine workloads. What distinguishes Vault is its ability to generate dynamic, short-lived credentials on-demand for databases and cloud providers, which are automatically revoked upon lease expiration to minimize security exposure. The platform also functions as an encryption-as-a-service provider, allowing applications to offload data protection, tokenization, and key management tasks to a centralized interface. Its modular architecture is supported by an extensible plugin system that uses remote procedure calls to integrate new functionality without requiring modifications to the primary codebase. Beyond core secret handling, the platform offers comprehensive certificate lifecycle automation, including the generation, storage, and rotation of security certificates to maintain encrypted communication channels. It supports high-availability deployments through a distributed consensus protocol that synchronizes state across clusters and automatically forwards requests to the active leader node. The system also integrates with hardware security modules for enhanced key protection and maintains detailed audit logs to support regulatory compliance requirements. Users interact with the platform through a command-line interface that supports API endpoint invocation, environment variable configuration, and shell autocompletion for operational tasks.

This project is a privacy-focused VPN manager and WireGuard client application designed to establish encrypted tunnels that mask user IP addresses and activity. It focuses on maintaining anonymity through a system that supports account creation without personal identifying information. The application distinguishes itself with advanced privacy tools, including a multi-hop orchestrator for routing traffic through multiple sequential servers and a network traffic obfuscator that uses Shadowsocks, TCP, and QUIC to bypass deep packet inspection and censorship. It also implements quantum-resistant tunneling to secure traffic against future decryption. Broad capabilities include the management of secure DNS queries via HTTPS or TLS, split tunneling for application-specific routing, and a strict-firewall kill switch to prevent internet traffic leaks during connection failures. The system also provides a command-line interface for programmatic administration of network tunnels and application settings.

GoodbyeDPI is a censorship circumvention utility designed to bypass deep packet inspection and restrictive network filtering. It functions as a background engine that intercepts and modifies network traffic at the kernel level, allowing users to maintain connectivity in environments where specific protocols or web content are blocked. The tool employs active manipulation techniques to confuse inspection hardware, including TCP stream fragmentation, HTTP header obfuscation, and the injection of out-of-order packets. By altering packet structures and dropping specific redirection patterns, it masks browsing activity and prevents automated systems from identifying or blocking outgoing requests. The application operates as a persistent system service, ensuring that traffic filtering remains active across reboots. Users manage these operations through a command-line interface, which provides granular control over packet modification strategies, DNS redirection, and various bypass parameters.

WeChatMsg is a database forensic parser and local data processor designed to extract and reconstruct structured message data from raw binary files. By operating entirely on the host machine, the tool ensures data sovereignty and privacy, performing all decryption and transformation tasks without requiring network access or external dependencies. The project distinguishes itself through a static analysis-based extraction method that reconstructs message threads by matching unique identifiers and timestamps across fragmented database tables. Its decoupled architecture separates low-level binary reading from high-level data formatting, utilizing a schema-driven engine to translate proprietary records into human-readable formats. This approach allows for consistent data migration and preservation across different software versions. Beyond its core utility, the repository includes a comprehensive governance framework and engineering standards. These documents establish operational principles and technical guidelines to maintain codebase quality and facilitate collaborative stewardship among contributors.

Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle. The platform distinguishes itself through a privacy-focused architecture that relies on cryptographic fingerprinting to track and deduplicate findings without ever transmitting or storing raw sensitive values. It supports distributed scanning via independent agents that connect to a central dashboard, allowing for localized analysis while maintaining network isolation. Furthermore, the system provides automated incident response capabilities, including secret rotation and revocation, which help organizations minimize the window of vulnerability for compromised credentials. Beyond core detection, the project offers a broad capability surface for enterprise-wide access governance and security compliance. It includes modular detection logic for custom rule definitions, integration with external identity providers for role-based access control, and extensive monitoring across cloud storage, container infrastructure, and collaboration platforms. The system also provides detailed metadata tracing to link findings to specific users, pipelines, or commits, facilitating efficient remediation and auditability across large-scale development environments.