14 repository-uri
Security scanning for infrastructure configuration files.
Distinguishing note: Focuses on automated configuration analysis.
Explore 14 awesome GitHub repositories matching security & cryptography · Infrastructure as Code Security. Refine with filters or upvote what's useful.
The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentral
Scans configuration files to protect cloud environments from misconfigurations.
Subfinder is a security reconnaissance framework designed for subdomain enumeration and attack surface management. It functions as a discovery engine that identifies and maps internet-exposed infrastructure, cloud-hosted assets, and network ranges to maintain a comprehensive inventory of an organization's digital footprint. The project distinguishes itself through a modular, template-driven scanning engine that executes security checks against discovered assets. It leverages cloud-native asset discovery to query provider APIs and infrastructure metadata, while supporting distributed agent orc
Identifies security findings such as dangling DNS records or exposed origin IP addresses during asset enumeration.
Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor. The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Mo
Performs automated security scanning of infrastructure configuration files and manifests.
Kubescape is a security platform for Kubernetes that provides tools for scanning clusters, configurations, and container images against industry compliance and security benchmarks. It functions as a suite of security utilities, including a compliance auditor, a misconfiguration scanner, and a container vulnerability scanner. The project differentiates itself through automated remediation and active enforcement. It can automatically patch operating system vulnerabilities in images and fix security errors within manifest files. It also utilizes an admission controller to block the deployment of
Analyzes Kubernetes manifests and cluster states to identify and remediate security risks and misconfigurations.
Nikto is an open-source HTTP security auditing tool and web server vulnerability scanner. It functions as a reconnaissance engine designed to identify insecure server options, outdated software, and common vulnerabilities by analyzing HTTP responses. The project differentiates itself through capabilities for intrusion detection evasion and web server fingerprinting. It uses request-level encoding and timing spacers to bypass security filters and employs signature-based identification to determine specific server software versions and misconfigurations. The scanner covers broad capability are
Identifies insecure server options and configuration errors that could expose the system to attack.
Checkov is a static analysis tool and security scanner designed to identify misconfigurations in infrastructure as code, container images, and Kubernetes configurations. It functions as a cloud security posture tool, an SCA vulnerability scanner, and a secret scanning utility to prevent security breaches and version control leaks. The project distinguishes itself through deep graph analysis and variable resolution, allowing it to map relationships between interconnected resources and evaluate the final state of infrastructure attributes. It provides extensibility for defining custom security
Provides automated security scanning for infrastructure configuration files across various cloud providers.
tfsec is a static analysis tool and infrastructure as code linter designed to detect security misconfigurations and compliance violations in Terraform infrastructure code. It functions as a cloud security posture tool and policy enforcement engine that evaluates configurations against established security benchmarks. The tool provides multi-cloud security auditing for providers including AWS, Azure, Google Cloud, and Kubernetes, as well as specialized scanning for DigitalOcean, OpenStack, CloudStack, and GitHub configurations. It identifies insecure settings such as public access or unencrypt
Provides automated security scanning and misconfiguration detection for infrastructure-as-code configuration files.
tfsec is a static analysis tool and security scanner for infrastructure as code, specifically designed to detect misconfigurations and compliance violations in Terraform and cloud infrastructure definitions before deployment. It functions as a cloud security policy engine that identifies vulnerabilities across multiple cloud platforms. The tool provides capabilities for cloud compliance auditing and scanning of Cloud Development Kit code. It supports custom security policy enforcement and allows for the definition of organization-specific security requirements. The scanner includes features
Scans Terraform and cloud configuration files to identify security misconfigurations before deployment.
tfsec is a static analysis tool and security scanner for Terraform configuration files. It functions as an infrastructure as code security scanner and compliance linter designed to detect misconfigurations and vulnerabilities across multiple cloud providers before resources are deployed. The tool identifies security risks by analyzing infrastructure code and variable files to evaluate the final state of the environment. It supports custom policy enforcement and allows for the suppression of specific security warnings through inline comments. Its capabilities cover cloud security posture mana
Performs automated security scanning of infrastructure configuration files to ensure compliance.
Cloud Custodian is a multi-cloud governance engine and policy enforcement tool designed to automate security, compliance, and cost optimization across various cloud providers. It functions as a rules engine that uses a declarative domain specific language to query cloud resources and execute corrective actions based on predefined filters. The system operates as a serverless policy orchestrator, deploying provider-specific functions to trigger real-time enforcement in response to cloud resource changes. It provides a provider-agnostic resource abstraction to maintain consistent operational pol
Performs security scanning on infrastructure configuration files within development and CI pipelines.
Naabu is a port scanner library and tool that probes hosts for open ports using SYN, CONNECT, and UDP methods to identify active services. It functions as a Go library for embedding port scanning into programs, and as a standalone tool that accepts targets as hostnames, IP addresses, CIDR ranges, or ASN numbers. The tool discovers live hosts before scanning, filters ports by range or top lists, and can integrate with Nmap for service version detection. The project distinguishes itself through its SYN-based port probing approach that sends TCP SYN packets and analyzes responses without complet
Retrieves infrastructure misconfiguration findings such as dangling DNS and origin IP exposure.
Snyk is an application security testing platform designed to identify and remediate vulnerabilities across source code, open-source dependencies, container images, and infrastructure-as-code configurations. It functions as a comprehensive security workflow automation tool, utilizing a static analysis engine and dependency graph mapping to detect security flaws and license compliance issues throughout the software development lifecycle. The platform distinguishes itself through agentic workflow orchestration and an automated remediation pipeline that generates and submits pull requests to patc
Scans configuration files and container images to detect security misconfigurations and vulnerabilities before deployment to production environments.
Terrascan este un instrument de analiză statică conceput pentru a evalua fișierele de configurare de tip infrastructură-ca-cod pentru vulnerabilități de securitate și încălcări ale conformității. Prin parsarea acestor fișiere într-o reprezentare intermediară, identifică riscurile înainte ca resursele cloud să fie provizionate, servind drept auditor de conformitate pentru mediile cloud-native. Instrumentul funcționează ca un motor de politică-ca-cod, permițând utilizatorilor să definească și să aplice reguli de securitate personalizate și benchmark-uri din industrie folosind un limbaj de interogare specializat. Se distinge prin capacitatea sa de a se integra direct în fluxurile de lucru de dezvoltare și implementare, oferind bariere de securitate automatizate care pot bloca implementările neconforme prin raportare bazată pe exit-code. Dincolo de analiza statică, platforma suportă scanarea vulnerabilităților din registry-ul de containere pentru a corela riscurile bazate pe imagini cu configurațiile infrastructurii. De asemenea, oferă monitorizarea derivei de configurare (configuration drift) pentru a urmări resursele provizionate în raport cu liniile de bază de securitate stabilite, alături de mecanisme de suprimare bazate pe configurare pentru a gestiona override-urile de politică și alarmele false. Software-ul oferă atât o interfață în linie de comandă pentru validarea dezvoltării locale, cât și un API de scanare accesibil prin rețea pentru integrarea remote cu sisteme terțe și pipeline-uri automatizate.
Scans infrastructure-as-code files for security vulnerabilities and misconfigurations before provisioning.
RBAC Manager is a Kubernetes operator that automates the management of role-based access control and service account permissions. It functions as a controller that synchronizes cluster authorization resources with user-defined configuration files, ensuring that security settings remain consistent with established requirements. The system operates by monitoring the cluster API for changes and reconciling the current state against declarative manifests. By treating authorization as infrastructure as code, it enables teams to manage permissions through version-controlled files rather than manual
Automates the deployment of security policies and role bindings as infrastructure-as-code.