explaingit

sottlmarek/devsecops

6,726 · Audience: ops, devops · Complexity: 1/5 · Setup: easy

TLDR

A curated library of open-source tools for building security into every stage of software development, from pre-commit secret scanning to container, Kubernetes, and cloud security, organized by pipeline phase.

Mindmap

mindmap
  root((devsecops tools))
    Pre-Commit
      Secret scanning
      Code linting
    Code Analysis
      Static analysis
      Dependency scanning
    Runtime Security
      Container security
      Kubernetes security
    Cloud Platforms
      AWS tools
      GCP tools
      Azure tools


Things people build with this

USE CASE 1

Find the right open-source tool for scanning code for accidentally committed secrets before they reach a shared repository.

USE CASE 2

Discover container and Kubernetes security tools to integrate into a CI/CD pipeline.

USE CASE 3

Look up cloud-specific security tools for AWS, GCP, or Azure deployments.

USE CASE 4

Use the methodology and whitepaper section to build a DevSecOps strategy from scratch for a team.

Getting it running

Difficulty: easy · Time to first run: 5 min

In plain English

This repository is a reference library of open-source tools and resources for DevSecOps, which is the practice of integrating security into every stage of software development and deployment rather than treating it as a final step. The collection is organized as a structured list covering tools for different phases of the development pipeline, from writing code to running it in production.

DevSecOps, as the README explains, connects development, security, and operations teams. The idea is that security checks happen continuously throughout the build and release process rather than only at the end. The library covers the cloud and DevOps scope specifically, not general security.

The tools are grouped by category. Pre-commit tools scan code for accidentally committed secrets like API keys and passwords before they reach a shared repository. Separate sections cover static analysis (scanning code for vulnerabilities without running it), dynamic analysis (testing a running application), dependency and open-source component scanning, container security, Kubernetes security, infrastructure-as-code checks, secrets management, policy enforcement, chaos engineering, and CI/CD pipeline security. Each section lists tools with their GitHub link and a brief description.

Cloud platform coverage is split into AWS, Google Cloud, and Azure sections, each with tools specific to those environments. There are also sections on methodologies, whitepapers, and architecture patterns for teams looking for context beyond individual tools.

Contributions are accepted through pull requests following posted guidelines: only active open-source security tools, no duplicates, and factual descriptions over personal opinions. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
I want to add secret scanning to my GitHub Actions pipeline. Which tools from the sottlmarek/devsecops list should I use and how do I integrate them?
Prompt 2
Help me build a DevSecOps checklist for a Kubernetes-based deployment using tools from this repository.
Prompt 3
What are the best open-source tools for static analysis of Python code listed in the devsecops repository?
Prompt 4
I need to scan Docker containers for vulnerabilities before deploying. Which tools in this list cover container security?


Verify against the repo before relying on details.