# Infrastructure as Code Security Scanners

> Search results for `scan infrastructure-as-code for misconfigurations before deploy` on awesome-repositories.com. 115 total matches; showing the first 50.

Explore on the web: https://awesome-repositories.com/q/scan-infrastructure-as-code-for-misconfigurations-before-deploy

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [this search on awesome-repositories.com](https://awesome-repositories.com/q/scan-infrastructure-as-code-for-misconfigurations-before-deploy).**

## Results

- [aquasecurity/trivy](https://awesome-repositories.com/repository/aquasecurity-trivy.md) (36,462 ⭐) — Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain.

The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations against compliance standards and relies on a remote, periodically updated vulnerability database to maintain current detection logic without requiring binary updates. Results from the individual scanners are mapped into a unified output schema, so vulnerabilities, misconfigurations and other findings are reported consistently regardless of the target type.

Beyond its core scanning capabilities, the project supports cloud infrastructure auditing and deep inspection of local and remote environments. It is distributed as a single cross-platform executable, and comprehensive configuration and usage details are available in the project's official user guide.
- [keygraphhq/shannon](https://awesome-repositories.com/repository/keygraphhq-shannon.md) (44,672 ⭐) — Shannon is an integrated security platform designed for autonomous penetration testing, static and dynamic analysis, and automated vulnerability remediation within self-hosted, private infrastructure. It functions as a unified security suite that orchestrates the entire lifecycle of vulnerability management, from initial discovery and reachability prioritization to the generation and verification of code-level patches.

The platform distinguishes itself through its agentic approach to security, deploying autonomous agents to execute both black-box and white-box exploits against running applications to confirm vulnerabilities. It utilizes graph-based data flow analysis to trace execution paths from user inputs to sensitive sinks, ensuring that security findings are based on reachable threats rather than raw scan results. By operating in isolated or air-gapped environments, the system maintains strict data sovereignty and residency, ensuring that source code and sensitive analysis data remain within the local perimeter.

Beyond core testing, the platform provides comprehensive security observability and supply chain auditing. It correlates static code analysis with dynamic runtime exploitation to provide a unified view of risk, while automatically deduplicating findings to reduce alert noise. The system also supports the software supply chain by generating compliant manifests and inspecting container images without requiring a local container runtime.

The platform integrates directly into existing development workflows, delivering verified patches to source control and synchronizing remediation status with external project management tools. It includes robust support for compliance reporting, audit trails, and risk acceptance management to meet regulatory requirements.
- [owasp/cheatsheetseries](https://awesome-repositories.com/repository/owasp-cheatsheetseries.md) (32,298 ⭐) — The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems.

What distinguishes this project is its decentralized, collaborative editorial process. By utilizing a version-controlled, markdown-based workflow, the series ensures that security guidance remains vendor-neutral, peer-reviewed, and universally accessible. This structure allows the community to rapidly evolve and maintain technical documentation, ensuring that defensive strategies keep pace with emerging threats and shifting technology stacks.

The project provides extensive coverage of critical security areas, including robust input validation, access control enforcement, and supply chain risk management. It offers detailed implementation guides for securing cloud-native architectures, containerized environments, and various language-specific frameworks. Furthermore, the series addresses advanced topics such as artificial intelligence agent safety, prompt injection prevention, and zero-trust architectural principles.

The documentation is maintained as an open-source repository, with content transformed into a navigable web format through automated static site generation.
- [kubescape/kubescape](https://awesome-repositories.com/repository/kubescape-kubescape.md) (11,489 ⭐) — Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor.

The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Model Context Protocol server to enable natural language security querying and real-time streaming of findings.

The system covers a broad range of security domains, including compliance auditing against industry benchmarks, runtime threat detection using eBPF and system probes, and the automated generation of network policies. It further provides risk quantification for prioritization, infrastructure-as-code auditing, and automated remediation through image patching and manifest fixes.

The project is deployed using a Kubernetes operator to automate the lifecycle of its security components and provides specific support for air-gapped environments through offline scanning and manual framework provisioning.
- [kilo-org/kilocode](https://awesome-repositories.com/repository/kilo-org-kilocode.md) (15,616 ⭐) — Kilocode is an autonomous engineering platform designed to orchestrate AI agents for complex software development tasks. It functions as a comprehensive system for automating coding, testing, and repository management by integrating directly with your codebase and terminal. The platform provides a unified gateway for model orchestration, allowing for the management of agentic workflows, event-driven automation, and persistent session state across distributed development environments.

The platform distinguishes itself through its federated task management and policy-based access control, which enable secure, collaborative development across independent instances. By maintaining semantic codebase indexing and a centralized model gateway, it ensures that AI agents have context-aware retrieval of project structures while managing authentication, rate limits, and automatic service failover across multiple AI providers.

Beyond its core orchestration capabilities, the platform supports a wide range of functional areas including automated code review, security vulnerability triage, and multi-stage workflow planning. It provides granular control over agent permissions and tool execution, allowing teams to define custom operational modes and integrate external services through standardized protocols.

The system is designed for extensibility, offering a framework to register custom tools and manage environment configurations through natural language commands. It includes robust monitoring and observability features to track agent performance, token consumption, and organizational adoption metrics.
- [security-code-scan/security-code-scan](https://awesome-repositories.com/repository/security-code-scan-security-code-scan.md) (975 ⭐) — Vulnerability Patterns Detector for C# and VB.NET
- [liamg/tfsec](https://awesome-repositories.com/repository/liamg-tfsec.md) (7,013 ⭐) — tfsec is a static analysis tool and security scanner for Terraform configuration files. It functions as an infrastructure as code security scanner and compliance linter designed to detect misconfigurations and vulnerabilities across multiple cloud providers before resources are deployed.

The tool identifies security risks by analyzing infrastructure code and variable files to evaluate the final state of the environment. It supports custom policy enforcement and allows for the suppression of specific security warnings through inline comments.

Its capabilities cover cloud security posture management, infrastructure as code compliance, and integration into DevSecOps pipelines. The system also provides scan result export and security alert synchronization for centralized vulnerability management.
- [aquasecurity/tfsec](https://awesome-repositories.com/repository/aquasecurity-tfsec.md) (7,013 ⭐) — tfsec is a static analysis tool and infrastructure as code linter designed to detect security misconfigurations and compliance violations in Terraform infrastructure code. It functions as a cloud security posture tool and policy enforcement engine that evaluates configurations against established security benchmarks.

The tool provides multi-cloud security auditing for AWS, Azure, and Google Cloud, as well as checks for Kubernetes resources and for DigitalOcean, OpenStack, CloudStack, and GitHub configurations. It identifies insecure settings such as public access or unencrypted storage across compute, networking, and identity services.

The engine includes capabilities for complex expression evaluation to resolve functional expressions and resource relationships, ensuring misconfigurations are detected beyond literal string values. It supports custom policy definitions for organization-specific standards and allows for security warning suppression via source code comments or command-line flags.

The scanner is designed for CI/CD security integration as a standalone binary or container, with the ability to export findings in structured formats such as JSON, SARIF, and CSV.
- [code-scan/dzscan](https://awesome-repositories.com/repository/code-scan-dzscan.md) (0 ⭐) — The new version has just been released and may still contain bugs, which are being fixed; if you hit a problem, please open an issue, ideally with a screenshot. To those following the project: being followed is not the goal, please come and contribute code or report bugs (●'◡'●)ﾉ♥ The vulnerability paths scanned are as follows: - default admin & uc_server login page - develop.php - X3 - X3 tools/tools.php ~ Default password 188281MWWxjk - X3.1 utility/convert/index.php ~ Remote code execute - 6.x - 6.x my.php ~ SQL -…
- [anasoid/jmeter-as-code](https://awesome-repositories.com/repository/anasoid-jmeter-as-code.md) (0 ⭐) — An API that gives access to the full JMeter feature set as code; every object that can be designed in the GUI can be written as code.
- [cube-js/cube](https://awesome-repositories.com/repository/cube-js-cube.md) (20,251 ⭐) — Cube is a semantic data layer that provides a unified framework for defining business metrics, dimensions, and relationships across diverse data sources. By acting as a headless business intelligence engine, it transforms raw data into a governed model that can be queried via SQL, REST, and GraphQL interfaces. This architecture ensures consistent data definitions and logic across all downstream analytical applications and reporting tools.

The platform distinguishes itself through its integrated conversational AI capabilities, which allow users to explore data using natural language. It orchestrates these interactions by mapping questions to the underlying semantic model, ensuring that AI-generated insights remain accurate and context-aware. Furthermore, Cube is designed for multi-tenant environments, offering robust infrastructure isolation, row-level security, and dynamic context injection to ensure that data access is strictly governed and personalized for every user or tenant.

Beyond its core modeling and AI features, the platform includes a comprehensive suite of tools for performance optimization, including automated pre-aggregation caching and asynchronous query queuing. It supports a wide range of data sources and deployment models, from self-hosted containers to managed cloud environments. The system also provides extensive programmatic control over report management, dashboard publishing, and user identity synchronization, making it suitable for embedding interactive analytics directly into custom software applications.
- [code-scan/brodomain](https://awesome-repositories.com/repository/code-scan-brodomain.md) (0 ⭐) — `python brodomain.py baidu.com`
- [yandex/gixy](https://awesome-repositories.com/repository/yandex-gixy.md) (8,570 ⭐) — Gixy is a static configuration analyzer and security auditor for Nginx. It functions as an infrastructure-as-code security scanner and web server configuration linter designed to identify vulnerabilities and misconfigurations in server definitions before deployment.

The tool focuses on detecting high-risk security flaws, including host header spoofing, server-side request forgery, and path traversal. It specifically audits Nginx configurations for risks such as HTTP splitting, multiline header issues, and unauthorized third-party access resulting from incorrect Referer or Origin header patterns.

The analysis surface covers configuration dependency auditing through the resolution of include directives and the detection of header redefinition errors caused by block inheritance. Findings are assigned severity levels and can be exported as JSON or text reports for integration with external security tooling.
- [nis2shield/infrastructure](https://awesome-repositories.com/repository/nis2shield-infrastructure.md) (2 ⭐) — 🐳 Secure Docker infrastructure for NIS2 compliance - Hardened containers, log segregation, automated backups
- [bridgecrewio/checkov](https://awesome-repositories.com/repository/bridgecrewio-checkov.md) (8,798 ⭐) — Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks.

The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security policies using Python or YAML and includes a policy generation utility to create new static analysis checks.

The tool's capability surface covers a wide range of cloud templates, including Terraform configurations and plan files, AWS SAM, CloudFormation, Azure ARM, and Bicep files. It also handles container security via Dockerfile and image auditing, and Kubernetes auditing through the analysis of manifests, Helm charts, and Kustomize files. Additionally, it performs software composition analysis to identify known CVEs in package dependencies and uses regex and entropy to detect hardcoded secrets.

Automation is supported via native integrations for CI/CD pipelines, git hooks, and IDEs, with results exportable in formats such as JSON, JUnit XML, SARIF, and Markdown.
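The "final state" evaluation that the tfsec and Checkov entries describe (scanning resolved attribute values rather than raw HCL with unresolved variables) can be illustrated with a small scanner over Terraform plan JSON. The block below is an added example written for this page, not code from tfsec, Checkov, Trivy or any other listed project. It assumes the layout of `terraform show -json` output (`planned_values.root_module.resources` with nested `child_modules`); the plan document it scans is constructed inline, and the check identifiers `IAC-S3-001` and `IAC-SG-001` are hypothetical.

```python
"""Minimal infrastructure-as-code scanner over Terraform plan JSON.

Added example, not code from tfsec, Checkov, Trivy or any other project on
this page. It imitates what those scanners do after variable resolution: walk
the planned state (the output of `terraform show -json tfplan`) instead of the
raw HCL, so values coming from variables, locals and modules are already
concrete, and flag insecure attribute values. Check IDs are hypothetical.
"""
import json
import sys
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional

# Constructed sample plan: two S3 buckets in the root module and one security
# group inside a child module, shaped like `planned_values` in a real plan.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                 "values": {"bucket": "corp-logs", "acl": "private"}},
                {"address": "aws_s3_bucket.site", "type": "aws_s3_bucket",
                 "values": {"bucket": "corp-site", "acl": "public-read"}},
            ],
            "child_modules": [{
                "address": "module.edge",
                "resources": [{
                    "address": "module.edge.aws_security_group.ssh",
                    "type": "aws_security_group",
                    "values": {"name": "ssh-anywhere", "ingress": [
                        {"from_port": 22, "to_port": 22, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"]}]},
                }],
            }],
        }
    },
})

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
PUBLIC_ACLS = ("public-read", "public-read-write", "authenticated-read")
ADMIN_PORTS = (22, 3389)          # SSH and RDP
ANY_ADDRESS = ("0.0.0.0/0", "::/0")


@dataclass(frozen=True)
class Finding:
    check_id: str       # hypothetical IDs, not tfsec or Checkov identifiers
    severity: str
    address: str        # Terraform resource address, e.g. module.edge.aws_x.y
    message: str


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource, descending into nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_s3_public_acl(res: dict) -> Optional[Finding]:
    """Flag buckets whose resolved ACL grants access outside the account."""
    if res["type"] != "aws_s3_bucket":
        return None
    acl = res["values"].get("acl")
    if acl in PUBLIC_ACLS:
        return Finding("IAC-S3-001", "HIGH", res["address"],
                       f"bucket ACL {acl!r} is public")
    return None


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if an ingress rule admits TCP traffic to `port`."""
    proto = str(rule.get("protocol", "tcp"))
    if proto == "-1":                # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("from_port", 0) <= port <= rule.get("to_port", 65535)


def check_sg_admin_ports_open(res: dict) -> Optional[Finding]:
    """Flag security groups exposing SSH or RDP to the whole internet."""
    if res["type"] != "aws_security_group":
        return None
    for rule in res["values"].get("ingress", []):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        if (any(c in ANY_ADDRESS for c in cidrs)
                and any(_rule_covers_port(rule, p) for p in ADMIN_PORTS)):
            return Finding("IAC-SG-001", "HIGH", res["address"],
                           "administrative port reachable from any address")
    return None


CHECKS: List[Callable[[dict], Optional[Finding]]] = [
    check_s3_public_acl, check_sg_admin_ports_open]


def scan_plan(plan_json: str) -> List[Finding]:
    """Run every check over every resource; findings sorted by address."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    findings = [f for res in iter_resources(root)
                for f in (check(res) for check in CHECKS) if f is not None]
    return sorted(findings, key=lambda f: f.address)


def has_blocking_findings(findings: List[Finding], gate: str = "HIGH") -> bool:
    """True when any finding meets the severity gate, i.e. the pipeline should fail."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[gate] for f in findings)


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    results = scan_plan(source)
    for f in results:
        print(f"{f.severity:8} {f.check_id:11} {f.address}: {f.message}")
    sys.exit(1 if has_blocking_findings(results) else 0)
```

Run stand-alone it scans the embedded sample and exits non-zero because the public bucket and the world-reachable SSH rule both meet the `HIGH` gate; a real plan can be piped in with `terraform show -json tfplan | python scan_plan.py` (the file name is whatever you save the block as). The production tools go further than this: they also read the `configuration` and `resource_changes` sections of the plan to attribute a value to the expression that produced it and to distinguish creates from deletes, and they resolve cross-resource references so that, for example, a bucket is judged together with its separate `aws_s3_bucket_public_access_block` resource rather than in isolation.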
- [insforge/insforge](https://awesome-repositories.com/repository/insforge-insforge.md) (11,794 ⭐) — InsForge is a backend-as-a-service platform that provides an integrated suite of tools for managing relational databases, identity provision, object storage, and serverless compute. It functions as an open-source identity provider and a PostgreSQL database manager featuring integrated vector storage and row-level security.

The platform serves as an LLM orchestration gateway, offering a unified endpoint to route requests across various AI providers through an OpenAI-compatible interface. It enables AI-driven application generation and connects AI agents to backend resources using a standardized context protocol.

Broad capabilities include comprehensive OAuth and OIDC identity management, an S3-compatible object storage gateway, and a real-time pub-sub engine for database synchronization. The system also covers automated billing and subscription lifecycles with mirrored payment data, as well as serverless function runtimes triggered by HTTP requests or database events.

Infrastructure is managed via a backend command-line interface and declarative configuration files.
- [baato/before-after](https://awesome-repositories.com/repository/baato-before-after.md) (0 ⭐) — Technical stack for generating before-after map (with vector tiles), which allows users to understand how map data in OSM has changed over time.
- [tfsec/tfsec](https://awesome-repositories.com/repository/tfsec-tfsec.md) (7,013 ⭐) — tfsec is a static analysis tool and security scanner for infrastructure as code, specifically designed to detect misconfigurations and compliance violations in Terraform and cloud infrastructure definitions before deployment. It functions as a cloud security policy engine that identifies vulnerabilities across multiple cloud platforms.

The tool provides capabilities for cloud compliance auditing and scanning of Cloud Development Kit code. It supports custom security policy enforcement and allows for the definition of organization-specific security requirements.

The scanner includes features for automating analysis within DevSecOps pipelines and exporting results to security dashboards. It manages analysis noise through check filtering and the suppression of security warnings via inline comments with expiration dates.
- [actions/starter-workflows](https://awesome-repositories.com/repository/actions-starter-workflows.md) (11,694 ⭐) — This project provides a comprehensive library of standardized workflow templates designed to automate continuous integration, deployment, and repository maintenance tasks. By offering a collection of pre-configured blueprints, it enables developers to initialize and manage automated pipelines for diverse programming languages and platforms using declarative configuration files.

The repository functions as a centralized resource for bootstrapping automation, allowing teams to inject repository-specific metadata and dynamic variables into standardized templates. This approach ensures consistent development practices across projects while reducing the manual effort required to set up complex build, test, and delivery sequences.

Beyond core integration and deployment capabilities, the library includes templates for managing pull requests, automating security vulnerability scanning, and maintaining project backlogs. These tools facilitate the automation of routine administrative tasks and help enforce organizational standards throughout the software development lifecycle.
- [davila7/claude-code-templates](https://awesome-repositories.com/repository/davila7-claude-code-templates.md) (20,933 ⭐) — Claude Code Templates is a comprehensive framework for orchestrating specialized AI agents and automating development workflows within local environments. It provides a structured system for defining, configuring, and deploying AI personas that handle specific technical tasks, ranging from backend architecture and frontend implementation to security auditing and infrastructure management.

The project distinguishes itself through a configuration-driven approach that allows teams to standardize development environments and share reusable agent definitions across projects. It includes a robust CLI toolkit for managing the entire agent lifecycle, from discovery and installation to execution and performance monitoring. By utilizing standardized protocols and modular function definitions, it enables seamless integration of external services and local tools into the assistant's capabilities.

Beyond core agent management, the platform offers extensive support for workflow automation, including event-driven hooks, custom slash commands, and automated testing pipelines. It incorporates security-focused features such as granular permission enforcement, sandbox execution environments, and automated secret scanning to ensure safe operation. The system also provides observability tools, including real-time dashboards for tracking agent performance, token usage, and conversation history.
- [prowler-cloud/prowler](https://awesome-repositories.com/repository/prowler-cloud-prowler.md) (13,049 ⭐) — Prowler is an automated cloud infrastructure security scanner and posture management tool. It evaluates cloud environments and infrastructure-as-code templates against security benchmarks to identify misconfigurations, vulnerabilities, and compliance gaps that could compromise system integrity.

The platform distinguishes itself through graph-based attack path analysis, which identifies chains of misconfigurations that create exploitable routes for unauthorized access. It utilizes a plugin-based execution model to perform state-based assessments of live environments and static analysis of configuration files, ensuring security coverage across the entire development lifecycle.

The tool provides comprehensive capabilities for continuous security integration, allowing teams to automate compliance reporting by mapping findings to regulatory frameworks. It supports risk prioritization and provides actionable remediation guidance, while enabling the integration of security data into external incident management and monitoring systems through automated reporting pipelines.
- [diet103/claude-code-infrastructure-showcase](https://awesome-repositories.com/repository/diet103-claude-code-infrastructure-showcase.md) (9,707 ⭐) — This project is a collection of patterns and configurations for deploying AI agents with specialized technical skills and personas. It provides a framework for agentic software engineering, defining standards for AI-driven development workflows and the management of modular technical capabilities.

The system features a skill framework that activates technical guidelines based on prompt intent and a context management system that preserves project state using persistent plans and checklists across session resets. It employs a modular organization of guidelines to prevent context window overflow and utilizes custom lifecycle hooks to extend AI functionality.

The project covers a broad range of capabilities including automated technical debt reduction, full-stack architecture standardization, and the generation of technical documentation. It also includes utilities for resolving TypeScript compilation errors, validating authenticated API endpoints, and enforcing development guardrails to prevent breaking changes.
- [goldbergyoni/nodebestpractices](https://awesome-repositories.com/repository/goldbergyoni-nodebestpractices.md) (105,356 ⭐) — This project provides a comprehensive collection of industry-standard guidelines for developing, testing, and deploying Node.js applications. It covers the entire software lifecycle, offering actionable advice on code style, architectural patterns, and security measures to ensure maintainability and consistency across large-scale codebases.

The documentation details strategies for robust error management, containerization, and production readiness. It addresses operational requirements such as observability, scalability, and infrastructure configuration, while providing specific methodologies for validating software quality through automated testing and dependency management.
- [18f/domain-scan](https://awesome-repositories.com/repository/18f-domain-scan.md) (0 ⭐) — A lightweight scan pipeline for orchestrating third party tools, at scale and (optionally) using serverless infrastructure.
- [activepieces/activepieces](https://awesome-repositories.com/repository/activepieces-activepieces.md) (20,887 ⭐) — Activepieces is an open-source, self-hosted workflow automation platform designed to connect third-party applications through modular triggers and actions. It provides a low-code integration framework that allows users to build, manage, and execute complex business logic sequences within isolated, sandboxed environments.

The platform distinguishes itself through its focus on embeddability and enterprise-grade security. It features an embedded automation builder that can be integrated into external applications via iframes, supported by comprehensive identity and access management tools such as single sign-on, SCIM provisioning, and granular role-based access control. These capabilities allow organizations to maintain programmatic control over their automation infrastructure while ensuring secure user provisioning and centralized credential management.

Beyond its core automation engine, the system includes robust lifecycle management tools for versioning, deploying, and promoting workflows across different environments. It supports advanced operational requirements through distributed worker scaling, event queuing, and detailed observability features, including execution history inspection and telemetry exports. Developers can extend the platform by creating custom connectors using TypeScript, which can be validated, packaged, and synchronized with version control systems.

The project is built with TypeScript and provides a comprehensive CLI for managing database migrations, integration testing, and infrastructure provisioning.
- [open-policy-agent/conftest](https://awesome-repositories.com/repository/open-policy-agent-conftest.md) (3,128 ⭐) — Conftest is a suite of tools designed for validating structured configurations, testing policy logic, and generating policy documentation. It serves as a configuration file validator that checks YAML, JSON, and Helm charts for security violations and compliance issues using declarative rules.

The project functions as an Open Policy Agent testing tool, allowing structured configuration files to be validated against custom policies written in Rego. It includes a policy-as-code testing framework to ensure policy logic is correct and a utility to extract metadata from Rego code to create static markdown reference files.

The tool provides capabilities for infrastructure-as-code testing, configuration compliance auditing, and integration into CI/CD pipelines to block non-compliant changes. It supports executing policy validations within containerized environments to maintain consistency across different host operating systems.
- [jam3/math-as-code](https://awesome-repositories.com/repository/jam3-math-as-code.md) (0 ⭐)
- [blacklanternsecurity/bbot](https://awesome-repositories.com/repository/blacklanternsecurity-bbot.md) (9,929 ⭐) — This project is an open-source intelligence reconnaissance framework and recursive attack surface mapper. It functions as a containerized security scanner designed to map public-facing infrastructure, perform subdomain enumeration, and automate the gathering of open-source intelligence.

The system employs a recursive discovery engine to iteratively explore target infrastructure, utilizing a plugin-based module architecture to extend scanning capabilities. It integrates third-party APIs for data enrichment and applies YARA rules across discovered assets to identify specific vulnerability patterns.

The framework covers a broad range of reconnaissance activities, including web application scanning, email address enumeration, and public infrastructure mapping. It maintains a state-persistent asset inventory and provides capabilities for web screenshot capture, parameter extraction, and real-time event streaming.

Data is managed through an event-driven pipeline that supports external data export to databases and logging platforms, as well as notification delivery via webhooks to chat platforms.
- [pumasecurity/puma-scan](https://awesome-repositories.com/repository/pumasecurity-puma-scan.md) (0 ⭐) — Puma Scan is a .NET secure code analysis tool providing real-time, continuous source code analysis as development teams write code. In Visual Studio, vulnerabilities are displayed immediately in the development environment, in the same way as spell-check and compiler warnings, preventing security bugs…
- [crewaiinc/crewai](https://awesome-repositories.com/repository/crewaiinc-crewai.md) (53,687 ⭐) — CrewAI is a multi-agent orchestration framework designed for building autonomous systems that execute complex, multi-step workflows. It provides a development platform where specialized agents are defined with specific roles, goals, and tool sets to perform tasks collaboratively. By leveraging a declarative workflow engine, the system manages task dependencies, state transitions, and execution logic, allowing for the creation of structured, stateful sequences of operations.

The framework distinguishes itself through its hierarchical management capabilities, which utilize manager agents to coordinate specialist teams, delegate tasks, and oversee project execution. It incorporates a persistent memory architecture that enables agents to retain context and perform semantic searches across long-running operations. Furthermore, the system supports robust production-ready applications by enforcing schema-based output validation and providing execution checkpointing, which allows for mid-flight resumption and the replaying of specific tasks to debug or refine processes.

Beyond its core orchestration, the project offers a comprehensive suite of developer utilities for managing agent performance and workflow reliability. This includes tools for training agents through iterative cycles, monitoring system events via a central execution bus, and visualizing workflow structures. The platform also features a provider-agnostic interface for integrating external APIs and utilities, ensuring that agents can interact with diverse real-world services while maintaining consistent data structures throughout the execution lifecycle.
- [tencent/ai-infra-guard](https://awesome-repositories.com/repository/tencent-ai-infra-guard.md) (2,971 ⭐) — AI-Infra-Guard is a security scanning platform designed to detect vulnerabilities across large language model deployments, AI agent skills, and the underlying infrastructure. It functions as a security toolset for auditing source code, evaluating model robustness, and identifying insecure network configurations.

The project provides a red teaming framework that uses curated attack datasets to test for jailbreak vulnerabilities and prompt injections. It also includes an infrastructure auditor that employs network fingerprinting and asset discovery to match running components against known common vulnerabilities and exposures databases.

The system covers a broad range of security assessment capabilities, including agent workflow auditing, remote source code scanning, and automated security pipelines. These processes are accessible via programmatic interfaces for triggering audits and system integrity checks.
- [experience-monks/math-as-code](https://awesome-repositories.com/repository/experience-monks-math-as-code.md) (15,482 ⭐) — This project is a mathematics programming pattern library and translation guide designed to map academic mathematical symbols and formulas into programmable logic. It serves as a reference for converting complex notations into software implementations.

The resource provides mapping guides for translating calculus, linear algebra, and set theory into iterative loops, functional code, and boolean expressions. It includes specific patterns for implementing piecewise functions, matrix operations, and standard mathematical operators using conditional logic and built-in language functions.

The library covers a broad range of capabilities including the conversion of summation and derivative symbols into loops, the translation of vector and matrix notations for dot products and Euclidean norms, and the mapping of set membership constraints to data structures.
- [rcourtman/pulse](https://awesome-repositories.com/repository/rcourtman-pulse.md) (4,672 ⭐) — Pulse is an AI-driven infrastructure monitoring platform that unifies observation of Docker, Kubernetes, and Proxmox environments. It uses historical baselines and anomaly detection to scan infrastructure for actionable issues, and offers a natural language interface for querying system state.

The platform distinguishes itself with agent-based auto-discovery: a single binary automatically detects container and virtualization hosts without manual setup. It supports approval-based remediation workflows, where AI-proposed fix commands are presented to the user and executed only after explicit authorization. Multi-tenant isolated workspaces give each client independent dashboards, alerts, users, and audit logs under one account. Role-based access control with SSO (OIDC, SAML) enforces permissions, and every action is recorded in an HMAC-signed, tamper-evident audit log for compliance.

Additional capabilities include scheduled health patrols that periodically analyze infrastructure state, alert correlation with root cause analysis, metrics storage with configurable retention, and multi-channel notification delivery via Discord, Slack, Telegram, email, and other channels. Deployment involves installing a single agent binary that self-updates, with license activation via email verification.
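The HMAC-signed audit log described above is worth seeing concretely, because "signed" alone does not stop an attacker from deleting or reordering entries; chaining each tag to the previous one does. The following is an added example written for this page, not Pulse's own code: a stdlib-only hash-chained log whose `verify` function returns the index of the first entry that no longer checks out. The approval-flow records, the key and the tampering scenarios are constructed for illustration.

```python
"""Hash-chained, HMAC-authenticated audit log (added example, stdlib only).

Every entry is tagged with HMAC-SHA256(key, previous_tag || canonical_json(record)),
so editing, deleting or reordering any earlier entry changes the tag that the
following entries were chained to, and verification stops at the first bad index.
"""
import copy
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS_TAG = "0" * 64  # chain anchor for the first entry


def _canonical(record: dict) -> bytes:
    # Stable serialisation: the same record must always produce the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    payload = prev_tag.encode() + b"\n" + _canonical(record)
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log: List[dict], key: bytes, record: dict) -> dict:
    """Append a record, chaining it to the tag of the entry before it."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"record": dict(record), "tag": _tag(key, prev_tag, record)}
    log.append(entry)
    return entry


def verify(log: List[dict], key: bytes) -> Optional[int]:
    """Return the index of the first entry that fails to verify, or None if the chain is intact."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = _tag(key, prev_tag, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev_tag = entry["tag"]
    return None


def build_sample_log(key: bytes) -> List[dict]:
    """Constructed sample of an approval-based remediation flow (not real Pulse output)."""
    log: List[dict] = []
    append(log, key, {"seq": 1, "actor": "ai", "event": "proposed", "cmd": "systemctl restart nginx"})
    append(log, key, {"seq": 2, "actor": "alice", "event": "approved", "cmd": "systemctl restart nginx"})
    append(log, key, {"seq": 3, "actor": "agent", "event": "executed", "exit": 0})
    return log


def tamper_scenarios(key: bytes) -> dict:
    """Run three tampering attempts and report where verification stops."""
    results = {}
    log = build_sample_log(key)
    results["intact"] = verify(log, key)            # None

    edited = copy.deepcopy(log)
    edited[1]["record"]["actor"] = "mallory"        # rewrite who approved the command
    results["edited"] = verify(edited, key)          # 1

    deleted = copy.deepcopy(log)
    del deleted[1]                                   # drop the approval entirely
    results["deleted"] = verify(deleted, key)        # 1: entry 3 was chained to entry 2's tag

    truncated = copy.deepcopy(log)[:2]               # silently drop the newest entry
    results["truncated"] = verify(truncated, key)    # None: not detectable by the chain alone
    return results


if __name__ == "__main__":
    print(tamper_scenarios(b"demo-key-keep-this-out-of-the-log"))
```

Two caveats a reviewer should keep in mind. Truncation of the tail is invisible to the chain itself, so the latest tag has to be anchored somewhere the log writer cannot reach (shipped to a separate system, or published periodically). And whoever holds the HMAC key can re-sign a rewritten history, which is why this is tamper-evident rather than tamper-proof; if auditors are a different party from the operator, use an asymmetric signature or keep the key in a KMS/HSM the application can only invoke.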
- [encoredev/encore](https://awesome-repositories.com/repository/encoredev-encore.md) (12,049 ⭐) — Encore is a distributed systems framework designed to unify backend development, infrastructure provisioning, and observability. It functions as an infrastructure-as-code platform that allows developers to define cloud resources, databases, and messaging topics directly within their application code. By analyzing these declarations at compile-time, the system automatically manages the deployment of cloud resources and security policies, ensuring parity between local development and production environments.

The platform distinguishes itself through its integrated development experience, which includes a local workspace that mirrors production infrastructure to facilitate testing and debugging. It provides automated AI-assisted development tools that leverage application metadata and runtime telemetry to aid in code generation and performance analysis. Furthermore, the framework enforces architectural standards and automates the creation of ephemeral, production-like environments for every pull request, streamlining the validation process before deployment.

Beyond its core orchestration capabilities, the framework includes a comprehensive suite for building type-safe APIs and event-driven services. It handles the complexities of service communication, including automated client library generation, request validation, and distributed tracing instrumentation. The system also incorporates robust security primitives, such as identity token validation, secret management, and automated traffic control, to support the development of secure, scalable backend architectures.
- [deployphp/deployer](https://awesome-repositories.com/repository/deployphp-deployer.md) (11,077 ⭐) — Deployer is a PHP deployment tool and SSH-based deployment automator used to push applications to remote servers and automate the provisioning of hosting environments. It functions as a zero-downtime deployment manager that utilizes symbolic links to switch between application versions, ensuring continuous site availability.

The system employs pre-defined deployment recipes tailored to the specific requirements of popular PHP web frameworks. This framework-specific automation allows for the execution of task sequences designed for particular software environments.

The tool covers remote server provisioning, host-based target mapping, and stateful release versioning to allow for rollbacks. It includes a plugin-based extension system for integrating external monitoring and notification tools into the deployment pipeline.
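The symlink switch that gives tools like Deployer their zero-downtime property is a small thing to get right: the new link must replace the old one in a single `rename(2)`, never as an unlink followed by a symlink, or a request arriving in between sees no `current` at all. The block below is an added example written for this page, not Deployer's own code. It assumes the usual `releases/<id>` plus `current` layout, with release ids that sort chronologically, and exercises deploy and rollback in a temporary directory so it runs anywhere.

```python
"""Symlink-based zero-downtime release switching with rollback (added example; not
Deployer's own code). Layout mirrors the common releases/ + current pattern:

    app/releases/<release-id>/...   immutable release trees
    app/current -> releases/<id>    the one link the web server serves from

The switch is a rename(2) of a freshly created link over `current`, which the kernel
performs atomically, so a request never sees a half-deployed tree or a missing link.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict


def switch_current(app_root: Path, release: Path) -> None:
    """Atomically repoint app_root/current at `release`."""
    current = app_root / "current"
    tmp_link = app_root / f".current.{os.getpid()}.tmp"
    if tmp_link.is_symlink() or tmp_link.exists():
        tmp_link.unlink()
    # Relative target keeps the link valid if app_root is moved or mounted elsewhere.
    os.symlink(os.path.relpath(release, app_root), tmp_link)
    os.replace(tmp_link, current)  # rename(2): replaces the link itself, never follows it


def deploy_release(app_root: Path, release_id: str, files: Dict[str, str]) -> Path:
    """Materialise a release tree, then flip `current` to it in one step."""
    release = app_root / "releases" / release_id
    release.mkdir(parents=True, exist_ok=False)  # release ids must be unique
    for rel_path, content in files.items():
        target = release / rel_path
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    switch_current(app_root, release)
    return release


def current_release(app_root: Path) -> Path:
    return (app_root / "current").resolve()


def rollback(app_root: Path) -> Path:
    """Point `current` at the release preceding the active one (ids sort chronologically)."""
    releases = sorted(p for p in (app_root / "releases").iterdir() if p.is_dir())
    active = current_release(app_root)
    idx = [p.resolve() for p in releases].index(active)
    if idx == 0:
        raise RuntimeError("no earlier release to roll back to")
    switch_current(app_root, releases[idx - 1])
    return releases[idx - 1]


def demo() -> Dict[str, str]:
    """Deploy two releases, roll back, and report what `current` served at each step."""
    root = Path(tempfile.mkdtemp(prefix="deploy-demo-"))
    out = {}
    deploy_release(root, "20240101T120000", {"public/index.php": "<?php echo 'v1';"})
    out["after_v1"] = (root / "current" / "public" / "index.php").read_text()
    deploy_release(root, "20240102T120000", {"public/index.php": "<?php echo 'v2';"})
    out["after_v2"] = (root / "current" / "public" / "index.php").read_text()
    rollback(root)
    out["after_rollback"] = (root / "current" / "public" / "index.php").read_text()
    out["active"] = current_release(root).name
    return out


if __name__ == "__main__":
    print(demo())
```

In production the release trees are written by the deploy user and should be read-only to the account the web server runs as, so a compromised application cannot modify its own code; writable state (uploads, caches, logs) lives outside `releases/` and is linked into each release. Keeping the last few releases on disk is what makes `rollback` a symlink flip rather than a redeploy.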
- [infisical/infisical](https://awesome-repositories.com/repository/infisical-infisical.md) (27,374 ⭐) — Infisical is a centralized secrets management platform designed to store, synchronize, and control access to sensitive credentials and configuration data across distributed development, staging, and production environments. It employs client-side encryption to ensure that secrets remain unreadable to the underlying storage infrastructure, while providing a hierarchical permission model to govern both user and machine access.

The platform distinguishes itself through dynamic credential provisioning, which generates short-lived access tokens that are automatically revoked after use. It supports complex security workflows by integrating with external identity providers for federated authentication and offering a reverse tunneling gateway that allows secure access to private network resources without exposing inbound ports. Additionally, the system includes an event-driven audit engine that maintains an immutable record of all configuration changes and access requests to support compliance requirements.

Beyond core secret storage, the platform provides comprehensive orchestration capabilities, including automated secret injection into containerized environments and infrastructure pipelines. It also features integrated public key infrastructure management for the lifecycle of digital certificates and automated scanning to detect hardcoded secrets in source code and CI pipelines.

The platform supports flexible deployment models, allowing teams to either utilize managed cloud services or self-host the infrastructure within their own private networks. It provides a broad ecosystem of SDKs and a command-line interface to facilitate integration across various programming languages and deployment workflows.
- [assertible/deployments](https://awesome-repositories.com/repository/assertible-deployments.md) (13 ⭐) — Configurations for GitHub post-deployment testing with Assertible via CI
- [trufflesecurity/trufflehog](https://awesome-repositories.com/repository/trufflesecurity-trufflehog.md) (24,630 ⭐) — Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. It scans with read-only access and processes findings in memory only, so discovered credentials are not written to disk at any point in the scanning lifecycle.

The platform distinguishes itself through a privacy-focused architecture that relies on cryptographic fingerprinting to track and deduplicate findings without ever transmitting or storing raw sensitive values. It supports distributed scanning via independent agents that connect to a central dashboard, allowing for localized analysis while maintaining network isolation. Furthermore, the system provides automated incident response capabilities, including secret rotation and revocation, which help organizations minimize the window of vulnerability for compromised credentials.

Beyond core detection, the project offers a broad capability surface for enterprise-wide access governance and security compliance. It includes modular detection logic for custom rule definitions, integration with external identity providers for role-based access control, and extensive monitoring across cloud storage, container infrastructure, and collaboration platforms. The system also provides detailed metadata tracing to link findings to specific users, pipelines, or commits, facilitating efficient remediation and auditability across large-scale development environments.
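The fingerprinting idea in the paragraph above (track and deduplicate findings without ever storing the raw value) is the part of a secret scanner most teams get wrong when they build their own, so here it is in working form. This is an added example written for this page, not TruffleHog's code: three illustrative detector patterns, an entropy filter for the generic one, and a keyed HMAC fingerprint that replaces the secret in every finding. The sample diff is constructed; `AKIAIOSFODNN7EXAMPLE` is AWS's documented placeholder key and the GitHub-style token is an invented string of the right shape. Live verification against each provider, which real scanners perform, is out of scope for an offline example.

```python
"""Secret detection with fingerprint-based deduplication (added example; not TruffleHog's code).

Findings carry an HMAC fingerprint of the secret instead of the secret itself, so the
report can be stored, compared across scans and shared without re-exposing the value.
"""
import hashlib
import hmac
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Detector patterns (assumed for illustration; real scanners ship hundreds, each with a
# provider-specific live verification step that this offline example does not perform).
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*['"]([^'"\s]{16,})['"]"""
    ),
}
MIN_ENTROPY_BITS = 3.0  # generic matches below this are treated as placeholders


@dataclass(frozen=True)
class Finding:
    detector: str
    fingerprint: str   # HMAC-SHA256(key, secret), truncated; never the raw value
    line_no: int
    redacted: str      # prefix only, enough to locate it in the file


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def fingerprint(secret: str, key: bytes) -> str:
    # Keyed, so someone who obtains the report cannot brute-force short secrets offline.
    return hmac.new(key, secret.encode(), hashlib.sha256).hexdigest()[:16]


def redact(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str, key: bytes) -> List[Finding]:
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in DETECTORS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                if name == "generic_assignment" and shannon_entropy(secret) < MIN_ENTROPY_BITS:
                    continue
                fp = fingerprint(secret, key)
                if fp in seen:  # same value elsewhere: one finding, not one per occurrence
                    continue
                seen.add(fp)
                findings.append(Finding(name, fp, line_no, redact(secret)))
    return findings


# Constructed sample diff. AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key;
# the GitHub-style token is an invented string of the right shape.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
+api_key = "8f3a9c1e-2b7d-4e65-91af-3c5d7e9b2a10"
+password = "changemechangeme"
+# note: AKIAIOSFODNN7EXAMPLE also appears in the README
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF, key=b"per-org-fingerprint-key"):
        print(f)
```

Run as a pre-commit hook over `git diff --cached` and fail the commit on any finding; the fingerprint is what lets a later scan of the full history recognise the same leaked value without a human ever re-reading it. The placeholder `changemechangeme` is dropped by the entropy filter, and the second occurrence of the AWS key collapses into the first finding.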
- [upstash/context7](https://awesome-repositories.com/repository/upstash-context7.md) (57,490 ⭐) — Context7 is an AI-powered documentation retrieval engine designed to provide developers and AI agents with real-time, context-aware access to technical documentation and code snippets. By integrating external library documentation as callable tools, the platform equips AI coding assistants with project-specific knowledge, helping to improve generation accuracy and reduce hallucinations during inference.

The platform distinguishes itself through a robust security and governance framework that manages documentation as a centralized knowledge base. It employs a multi-source ingestion pipeline to normalize diverse formats—including repositories, websites, and specifications—into a unified, searchable index. To ensure high-quality retrieval, the system utilizes semantic reranking algorithms and version-aware parsing, allowing agents to query specific library versions and receive the most relevant context for their development tasks.

Beyond retrieval, the project provides comprehensive administrative controls for enterprise environments, including policy-driven access management, single sign-on integration, and automated documentation governance. It supports secure deployment through containerized infrastructure and enforces strict data privacy by excluding user source code from its databases while implementing layered classifiers to detect and block malicious content or prompt injection attempts.

Developers can interact with the service through dedicated command-line interfaces, IDE plugins, and TypeScript client libraries. The platform is documented through comprehensive developer guides that cover environment configuration, server transport setup, and administrative workflows for managing teamspaces and library ownership.
- [rebelinblue/deployer](https://awesome-repositories.com/repository/rebelinblue-deployer.md) (907 ⭐) — Deployer is a free and open source deployment tool.
- [aidenybai/react-scan](https://awesome-repositories.com/repository/aidenybai-react-scan.md) (21,370 ⭐) — React Scan is a diagnostic utility and performance auditor designed to monitor the rendering lifecycle of components within user interfaces. It functions as an automated analysis tool that tracks component re-render cycles and execution timing to identify performance bottlenecks in real time.

The tool distinguishes itself by providing visual feedback through a persistent overlay injected directly into the application. By instrumenting the reconciliation process and observing component state and props, it highlights specific rendering patterns that contribute to performance degradation.

This utility covers a broad range of observability and debugging capabilities, focusing on the analysis of component update behavior. It is intended for use during development to troubleshoot and optimize the execution speed of complex component trees.
- [spaceraccoon/npm-scan](https://awesome-repositories.com/repository/spaceraccoon-npm-scan.md) (50 ⭐) — An extensible, heuristic-based vulnerability scanning tool for installed npm packages
- [hashicorp/terraform](https://awesome-repositories.com/repository/hashicorp-terraform.md) (48,720 ⭐) — Terraform is a declarative infrastructure-as-code tool designed to manage the lifecycle of cloud and on-premises resources. It functions as a workflow engine that reconciles a defined desired state against real-world infrastructure, using a persistent state-tracking layer to maintain consistency and visibility across distributed environments. By mapping resources and their references into a directed acyclic graph, the system derives an order for creating, updating, or destroying resources that respects every dependency and lets independent resources proceed in parallel.

The platform is distinguished by its extensible plugin-based architecture, which decouples core orchestration logic from vendor-specific service APIs. This allows users to manage diverse infrastructure across multiple providers through a unified workflow. The system enforces predictability by separating operations into a three-stage lifecycle—planning, applying, and state-updating—and supports policy-as-code evaluation to validate changes against security and compliance rules before any modifications are executed.

Beyond core orchestration, the tool provides robust support for collaborative management, including workspace isolation for environment separation and module sharing for distributing standardized infrastructure patterns. It integrates into broader development ecosystems through support for programmatic definition in various languages, external system hooks, and comprehensive tooling for configuration debugging and editor assistance.
- [owasp/top10](https://awesome-repositories.com/repository/owasp-top10.md) (5,273 ⭐) — This project is the OWASP Top 10, an awareness document for web application security rather than a formal standard. It provides a ranked list of the most critical security risks facing web applications, paired with technical guidance and a structured methodology for identifying and mitigating these flaws.

The framework functions as a secure coding guide and a risk assessment methodology, offering a standardized approach to prioritizing vulnerabilities based on their potential impact and likelihood of exploitation. It defines architectural patterns and technical recommendations to help developers implement defense in depth across the entire software lifecycle.

The project covers a broad surface of security capabilities, including identity and access management, API security hardening, and software supply chain security. It also provides guidance on secure software development, security compliance auditing, and the integration of threat modeling and code reviews into the development process.
- [moradotai/cms-scan](https://awesome-repositories.com/repository/moradotai-cms-scan.md) (0 ⭐) — An active scan extension for Burp that provides supplemental coverage when testing popular content management systems.
- [musistudio/claude-code-router](https://awesome-repositories.com/repository/musistudio-claude-code-router.md) (35,016 ⭐) — This project is an AI-focused API gateway and proxy system designed to intercept, standardize, and route requests across heterogeneous language model providers. It functions as a middleware layer that normalizes incoming traffic and manages authentication, ensuring consistent integration across diverse service interfaces.

The system features a programmable routing engine that executes user-defined scripts to evaluate request content in real-time. This allows for dynamic traffic management, where requests are inspected, transformed, and redirected to specific model endpoints based on custom logic rather than static configurations.

Beyond core routing, the project provides a comprehensive suite of tools for configuration and observability. Users can manage gateway settings and environment variables through a command-line interface, export and import configuration presets for consistent environment replication, and monitor operational performance through real-time logging and status indicators.
- [zaproxy/zaproxy](https://awesome-repositories.com/repository/zaproxy-zaproxy.md) (15,293 ⭐) — OWASP ZAP is a dynamic application security testing tool and intercepting HTTP proxy used to find vulnerabilities in web applications. It functions as a penetration testing framework that enables both automated security scanning and manual security testing of running web services.

The tool provides a suite of capabilities for analyzing web applications from the outside in, including the ability to capture and modify traffic between a browser and a target application. It is designed to integrate into DevSecOps pipelines to provide consistent security checks across different environments.
- [juspay/hyperswitch](https://awesome-repositories.com/repository/juspay-hyperswitch.md) (43,019 ⭐) — Hyperswitch is a payment orchestration platform designed to manage complex transaction lifecycles through a centralized control layer. It functions as a processor-agnostic integration hub that standardizes disparate external payment APIs, allowing businesses to route transactions across multiple providers to optimize for authorization rates and cost efficiency. The platform utilizes a state-machine-based architecture to track every payment from initial authentication to final settlement, ensuring consistent processing and reliable error recovery.

What distinguishes the platform is its intelligent, rule-based traffic routing engine, which dynamically selects the most performant or cost-effective processor in real time. It includes automated recovery mechanisms that execute background retries for failed payments and payouts without requiring additional customer interaction. Furthermore, the platform provides a secure tokenization vault that replaces sensitive card data with non-sensitive tokens, which minimizes regulatory compliance scope and simplifies security audits.

The platform offers a comprehensive suite of financial operations tools, including automated reconciliation pipelines that match transaction records across multiple banks and processors. It also provides centralized management for disputes, refunds, and global payouts, alongside detailed analytics for monitoring payment costs, interchange fees, and provider markups. Security is managed through adaptive authentication workflows and integrated fraud risk management modules that can be configured via a no-code interface.
- [xsahil03x/before_after](https://awesome-repositories.com/repository/xsahil03x-before-after.md) (1,026 ⭐)
- [conda-forge/miniforge](https://awesome-repositories.com/repository/conda-forge-miniforge.md) (9,899 ⭐) — Miniforge is a minimal installer for the Conda package management system that provides access to community-maintained software channels. It serves as a lightweight tool for setting up isolated software environments and distributing pre-compiled binary packages to ensure cross-platform compatibility.

The project enables the installation of a minimal environment and facilitates the migration of package channels from vendor repositories to community-driven distributions. It allows users to retrieve and manage software packages built by a community to extend the available tools in a local environment.

The system covers a broad range of package maintenance and distribution capabilities, including cross-platform build automation, global software dependency pinning, and the management of package feedstocks. It also supports the creation of package recipes and the automation of version tracking and pipeline distributions.
