DEV Community

Alex Spinov

I Built 20 Security Scanners in Python — Here's What I Learned

Over the past two weeks, I built 20 open-source security scanning tools in Python.

Each one solves a specific problem. Each one is a single file. And together, they form a complete DevSecOps toolkit.

Here's what I learned building them — and the full list so you can use them.

Why I Built 20 Tools Instead of 1

The security industry loves monolithic platforms. $50K/year SaaS tools that do everything, badly.

I took the Unix philosophy approach: each tool does one thing well. Chain them together for comprehensive security coverage.

The Complete Toolkit

Code & Secrets Scanning

1. Git Secrets Audit — Scan entire git history for leaked credentials. Catches what .gitignore missed — secrets already committed.

2. Env Secrets Checker — Find .env files accidentally committed to repos. Even deleted ones still exist in git history.

3. API Secrets Scanner — Grep source code for exposed API keys using 30+ regex patterns.

Dependency Security

4. GitHub Security Scanner — Cross-repo vulnerability dashboard using GitHub's Advisory Database API.

5. npm Audit Dashboard — Scan all your Node.js projects at once. One unified report.

6. NVD Vulnerability Scanner — Check Python dependencies against 250K+ CVEs from the National Vulnerability Database.

7. npm Security Scanner — Deep npm package analysis for known vulnerabilities.

Supply Chain Security

8. npm Typosquat Scanner — Detect malicious npm packages that typosquat popular names (e.g., lodsh instead of lodash).

9. PyPI Supply Chain Scanner — The same typosquat check for Python packages on PyPI.

API Security

10. API Vulnerability Scanner — Test APIs against OWASP Top 10 API security risks.

11. API Rate Limit Tester — Find actual rate limits (not just documented ones).

CI/CD Security

12. GitHub Actions Scanner — Detect script injection, unpinned actions, over-broad permissions in workflows.

13. Dockerfile Linter — Security and best-practice checks for Dockerfiles.
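
A minimal version of the three checks tool 12 describes, written as an added example for this post (not one of the author's tools): it flags unpinned actions, write-all permissions, and event-payload expressions expanded inside run: scripts, using only the standard library as lesson 3 below recommends. The workflow it scans is a constructed sample, and the 40-hex digest in it is a placeholder rather than a real release commit.

```python
import re

# Constructed sample workflow (not from the post): three findings, two safe negatives.
SAMPLE_WORKFLOW = """\
on: [pull_request]
permissions: write-all
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7  # constructed digest
      - name: Greet
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - name: Safe greet
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $TITLE"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA counts as pinned
PERMS_RE = re.compile(r"^\s*permissions:\s*write-all\b")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
# Event-payload fields expanded inside a run: script are untrusted input; the env: indirection in "Safe greet" is the safe pattern and is not flagged.
EVENT_EXPR_RE = re.compile(r"\$\{\{[^}]*\bgithub\.(?:event\.[\w.]+|head_ref)\b[^}]*\}\}")


def scan_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, finding, detail) for each issue in a workflow file's text."""
    findings = []
    run_indent = None  # indentation of an open `run: |` block scalar, else None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if run_indent is not None and stripped and indent <= run_indent:
            run_indent = None  # a dedent closes the block scalar
        if (m := USES_RE.match(line)) and not SHA_RE.match(m.group(2)):
            findings.append((no, "unpinned-action", f"{m.group(1)}@{m.group(2)}"))
        if PERMS_RE.match(line):
            findings.append((no, "broad-permissions", stripped))
        if m := RUN_RE.match(line):
            if m.group(1).strip()[:1] in ("|", ">"):  # script body follows, indented
                run_indent = indent
            in_run = True
        else:
            in_run = run_indent is not None
        if in_run:
            for e in EVENT_EXPR_RE.finditer(line):
                findings.append((no, "script-injection", e.group(0)))
    return findings
```

The line-based block-scalar tracking is a deliberate simplification so the script needs no YAML library; a PyYAML-based walk of each step's run value is the more robust choice once a dependency is acceptable.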

Web Security

14. Security Headers Checker — Check any website for missing CSP, HSTS, X-Frame-Options, and more.

15. CORS Misconfiguration Scanner — Test for origin reflection, null origin, and other CORS issues.

Network Security

16. SSL Certificate Checker — Check certificates for expiration, weak ciphers, and TLS version.

17. DNS Zone Transfer Checker — Test if DNS servers allow unauthorized zone transfers.

18. Subdomain Scanner — Discover subdomains via CT logs, DNS brute-force, and web archives.

OSINT

19. HIBP Password Checker — Check passwords against 14 billion+ breached credentials.

20. VirusTotal Scanner — Scan files and URLs against 70+ antivirus engines.

5 Lessons from Building 20 Security Tools

1. Most Security Issues Are Embarrassingly Simple

90% of the issues these tools find are not sophisticated vulnerabilities. They're:

  • Forgotten .env files in git history
  • Default CORS settings
  • Missing security headers
  • Unpinned CI/CD actions

2. Python Is Perfect for Security Tools

Single-file scripts. Readable. Easy to modify. requests + socket + standard library covers 95% of use cases.

3. Zero Dependencies = Zero Supply Chain Risk

Most of these tools use only Python's standard library. The irony of a security tool having dependency vulnerabilities is real.

4. Automation Beats Awareness

Developers know they should check for secrets in git history. They just don't. Automated pre-commit hooks and CI checks catch what knowledge alone can't.

5. Open Source Security Tools Get Used

Since publishing these tools, I've seen them forked, starred, and integrated into CI pipelines. The security community actively looks for lightweight, focused tools.

The Meta-Repo

All 20 tools are indexed in one place:

awesome-devsec-tools — Curated collection with descriptions and links.

What's Next

I'm working on:

  • A unified CLI that wraps all 20 tools
  • GitHub Action that runs the full suite on every PR
  • Coverage for more languages (Go, Rust, Java)

Which of these tools would be most useful for your workflow? Let me know in the comments — I'll prioritize improvements based on demand.

Follow for weekly security tools and research.
