awesome-repositories.com
Blog
awesome-repositories.com

Descoperă cele mai bune repository-uri open source cu căutare AI.

ExploreazăCăutări recomandateAlternative open-sourceSoftware self-hostedBlogHartă site
ProiectDespreCum realizăm clasamentulPresăServer MCP
LegalConfidențialitateTermeni
© 2026 Bringes Technology SRL·VAT RO45896025·hello@awesome-repositories.com
·

14 repository-uri

Awesome GitHub RepositoriesInfrastructure as Code Security

Security scanning for infrastructure configuration files.

Distinguishing note: Focuses on automated configuration analysis.

Explore 14 awesome GitHub repositories matching security & cryptography · Infrastructure as Code Security. Refine with filters or upvote what's useful.

Awesome Infrastructure as Code Security GitHub Repositories

Găsește cele mai bune repo-uri cu AI.Vom căuta cele mai potrivite repository-uri folosind AI.
  • owasp/cheatsheetseriesAvatar OWASP

    OWASP/CheatSheetSeries

    32,298Vezi pe GitHub↗

    The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentral

    Scans configuration files to protect cloud environments from misconfigurations.

    Pythonapplication-securityappsecbest-practices
    Vezi pe GitHub↗32,298
  • projectdiscovery/subfinderAvatar projectdiscovery

    projectdiscovery/subfinder

    13,105Vezi pe GitHub↗

    Subfinder is a security reconnaissance framework designed for subdomain enumeration and attack surface management. It functions as a discovery engine that identifies and maps internet-exposed infrastructure, cloud-hosted assets, and network ranges to maintain a comprehensive inventory of an organization's digital footprint. The project distinguishes itself through a modular, template-driven scanning engine that executes security checks against discovered assets. It leverages cloud-native asset discovery to query provider APIs and infrastructure metadata, while supporting distributed agent orc

    Identifies security findings such as dangling DNS records or exposed origin IP addresses during asset enumeration.

    Gobugbountyhackinghacktoberfest
    Vezi pe GitHub↗13,105
  • kubescape/kubescapeAvatar kubescape

    kubescape/kubescape

    11,489Vezi pe GitHub↗

    Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor. The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Mo

    Performs automated security scanning of infrastructure configuration files and manifests.

    Gobest-practicedevopskubernetes
    Vezi pe GitHub↗11,489
  • armosec/kubescapeAvatar armosec

    armosec/kubescape

    11,482Vezi pe GitHub↗

    Kubescape is a security platform for Kubernetes that provides tools for scanning clusters, configurations, and container images against industry compliance and security benchmarks. It functions as a suite of security utilities, including a compliance auditor, a misconfiguration scanner, and a container vulnerability scanner. The project differentiates itself through automated remediation and active enforcement. It can automatically patch operating system vulnerabilities in images and fix security errors within manifest files. It also utilizes an admission controller to block the deployment of

    Analyzes Kubernetes manifests and cluster states to identify and remediate security risks and misconfigurations.

    Go
    Vezi pe GitHub↗11,482
  • sullo/niktoAvatar sullo

    sullo/nikto

    10,104Vezi pe GitHub↗

    Nikto is an open-source HTTP security auditing tool and web server vulnerability scanner. It functions as a reconnaissance engine designed to identify insecure server options, outdated software, and common vulnerabilities by analyzing HTTP responses. The project differentiates itself through capabilities for intrusion detection evasion and web server fingerprinting. It uses request-level encoding and timing spacers to bypass security filters and employs signature-based identification to determine specific server software versions and misconfigurations. The scanner covers broad capability are

    Identifies insecure server options and configuration errors that could expose the system to attack.

    Perl
    Vezi pe GitHub↗10,104
  • bridgecrewio/checkovAvatar bridgecrewio

    bridgecrewio/checkov

    8,798Vezi pe GitHub↗

    Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security

    Provides automated security scanning for infrastructure configuration files across various cloud providers.

    Python
    Vezi pe GitHub↗8,798
  • aquasecurity/tfsecAvatar aquasecurity

    aquasecurity/tfsec

    7,013Vezi pe GitHub↗

    tfsec is a static analysis tool and infrastructure as code linter designed to detect security misconfigurations and compliance violations in Terraform infrastructure code. It functions as a cloud security posture tool and policy enforcement engine that evaluates configurations against established security benchmarks. The tool provides multi-cloud security auditing for providers including AWS, Azure, Google Cloud, and Kubernetes, as well as specialized scanning for DigitalOcean, OpenStack, CloudStack, and GitHub configurations. It identifies insecure settings such as public access or unencrypt

    Provides automated security scanning and misconfiguration detection for infrastructure-as-code configuration files.

    Go
    Vezi pe GitHub↗7,013
  • tfsec/tfsecAvatar tfsec

    tfsec/tfsec

    7,013Vezi pe GitHub↗

    tfsec is a static analysis tool and security scanner for infrastructure as code, specifically designed to detect misconfigurations and compliance violations in Terraform and cloud infrastructure definitions before deployment. It functions as a cloud security policy engine that identifies vulnerabilities across multiple cloud platforms. The tool provides capabilities for cloud compliance auditing and scanning of Cloud Development Kit code. It supports custom security policy enforcement and allows for the definition of organization-specific security requirements. The scanner includes features

    Scans Terraform and cloud configuration files to identify security misconfigurations before deployment.

    Go
    Vezi pe GitHub↗7,013
  • liamg/tfsecAvatar liamg

    liamg/tfsec

    7,013Vezi pe GitHub↗

    tfsec is a static analysis tool and security scanner for Terraform configuration files. It functions as an infrastructure as code security scanner and compliance linter designed to detect misconfigurations and vulnerabilities across multiple cloud providers before resources are deployed. The tool identifies security risks by analyzing infrastructure code and variable files to evaluate the final state of the environment. It supports custom policy enforcement and allows for the suppression of specific security warnings through inline comments. Its capabilities cover cloud security posture mana

    Performs automated security scanning of infrastructure configuration files to ensure compliance.

    Go
    Vezi pe GitHub↗7,013
  • capitalone/cloud-custodianAvatar capitalone

    capitalone/cloud-custodian

    6,016Vezi pe GitHub↗

    Cloud Custodian is a multi-cloud governance engine and policy enforcement tool designed to automate security, compliance, and cost optimization across various cloud providers. It functions as a rules engine that uses a declarative domain specific language to query cloud resources and execute corrective actions based on predefined filters. The system operates as a serverless policy orchestrator, deploying provider-specific functions to trigger real-time enforcement in response to cloud resource changes. It provides a provider-agnostic resource abstraction to maintain consistent operational pol

    Performs security scanning on infrastructure configuration files within development and CI pipelines.

    Python
    Vezi pe GitHub↗6,016
  • projectdiscovery/naabuAvatar projectdiscovery

    projectdiscovery/naabu

    5,766Vezi pe GitHub↗

    Naabu is a port scanner library and tool that probes hosts for open ports using SYN, CONNECT, and UDP methods to identify active services. It functions as a Go library for embedding port scanning into programs, and as a standalone tool that accepts targets as hostnames, IP addresses, CIDR ranges, or ASN numbers. The tool discovers live hosts before scanning, filters ports by range or top lists, and can integrate with Nmap for service version detection. The project distinguishes itself through its SYN-based port probing approach that sends TCP SYN packets and analyzes responses without complet

    Retrieves infrastructure misconfiguration findings such as dangling DNS and origin IP exposure.

    Gocdn-exclusionhacktoberfestnmap
    Vezi pe GitHub↗5,766
  • snyk/snykAvatar snyk

    snyk/snyk

    5,586Vezi pe GitHub↗

    Snyk is an application security testing platform designed to identify and remediate vulnerabilities across source code, open-source dependencies, container images, and infrastructure-as-code configurations. It functions as a comprehensive security workflow automation tool, utilizing a static analysis engine and dependency graph mapping to detect security flaws and license compliance issues throughout the software development lifecycle. The platform distinguishes itself through agentic workflow orchestration and an automated remediation pipeline that generates and submits pull requests to patc

    Scans configuration files and container images to detect security misconfigurations and vulnerabilities before deployment to production environments.

    TypeScript
    Vezi pe GitHub↗5,586
  • tenable/terrascanAvatar tenable

    tenable/terrascan

    5,210Vezi pe GitHub↗

    Terrascan este un instrument de analiză statică conceput pentru a evalua fișierele de configurare de tip infrastructură-ca-cod pentru vulnerabilități de securitate și încălcări ale conformității. Prin parsarea acestor fișiere într-o reprezentare intermediară, identifică riscurile înainte ca resursele cloud să fie provizionate, servind drept auditor de conformitate pentru mediile cloud-native. Instrumentul funcționează ca un motor de politică-ca-cod, permițând utilizatorilor să definească și să aplice reguli de securitate personalizate și benchmark-uri din industrie folosind un limbaj de interogare specializat. Se distinge prin capacitatea sa de a se integra direct în fluxurile de lucru de dezvoltare și implementare, oferind bariere de securitate automatizate care pot bloca implementările neconforme prin raportare bazată pe exit-code. Dincolo de analiza statică, platforma suportă scanarea vulnerabilităților din registry-ul de containere pentru a corela riscurile bazate pe imagini cu configurațiile infrastructurii. De asemenea, oferă monitorizarea derivei de configurare (configuration drift) pentru a urmări resursele provizionate în raport cu liniile de bază de securitate stabilite, alături de mecanisme de suprimare bazate pe configurare pentru a gestiona override-urile de politică și alarmele false. Software-ul oferă atât o interfață în linie de comandă pentru validarea dezvoltării locale, cât și un API de scanare accesibil prin rețea pentru integrarea remote cu sisteme terțe și pipeline-uri automatizate.

    Scans infrastructure-as-code files for security vulnerabilities and misconfigurations before provisioning.

    Go
    Vezi pe GitHub↗5,210
  • fairwindsops/rbac-managerAvatar FairwindsOps

    FairwindsOps/rbac-manager

    1,654Vezi pe GitHub↗

    RBAC Manager is a Kubernetes operator that automates the management of role-based access control and service account permissions. It functions as a controller that synchronizes cluster authorization resources with user-defined configuration files, ensuring that security settings remain consistent with established requirements. The system operates by monitoring the cluster API for changes and reconciling the current state against declarative manifests. By treating authorization as infrastructure as code, it enables teams to manage permissions through version-controlled files rather than manual

    Automates the deployment of security policies and role bindings as infrastructure-as-code.

    Goauthorizationclustercrd
    Vezi pe GitHub↗1,654
  1. Home
  2. Security & Cryptography
  3. Infrastructure as Code Security

Explorează sub-etichetele

  • Infrastructure Misconfiguration DetectorsTools that identify dangling DNS records, exposed origin IPs, and other infrastructure-level security weaknesses. **Distinct from Infrastructure as Code Security:** Distinct from general IaC security: focuses on live infrastructure discovery and runtime misconfiguration detection rather than static file analysis.