Top open source security devtools you need to know about

TL;DR

Open source is great for many things, but in particular for security devtools. In this article, we'll look at some of the best Open Source Security tools on GitHub that you can use to easily boost security of your apps. This list of 5 tools was curated from the Open Source Security Index which contains 100 different projects in total.

Why?

Oftentimes, security is not the first thing developers think about when developing their apps. In fact, almost always, speed and execution take a priority over great security practices. This sometimes goes unnoticed, but, increasingly often, we see even large companies like Uber, CircleCI, and Atlassian getting hacked.

Why is this so? Mostly, because traditionally security tools have been very hard to set up and maintain - in addition they required a lot of expertise from the engineer using them. But this is no longer true! And the following is the list of 5 devtools that are changing this narrative.

1. Infisical - #17

GitHub: https://github.com/Infisical/infisical
Website: https://infisical.com/

Infisical is the youngest project on this list, and yet it's already #17. It is an open source end-to-end secret management platform.

What does this mean? Infisical provides tools to distribute secrets and environment variables across your infrastructure (e.g., Vercel, AWS, GitHub Actions, Circle CI, etc) and across your team (using a CLI or SDKs to automatically pull the environments with latest secrets). Next to that, it also does automatic secret scanning and secret leak prevention.

2. Snyk CLI - #39

GitHub: https://github.com/snyk/cli
Website: https://snyk.io/

Snyk CLI brings the functionality of Snyk into your development workflow. It can be run locally or in your CI/CD pipeline to scan your projects for security issues. It supports many languages and tools, including Java, .NET, JavaScript, Python, Golang, PHP, C/C++, Ruby, Scala and more.

3. Kubeshark - #53

GitHub: https://github.com/kubeshark/kubeshark
Website: https://kubeshark.co/

Kubeshark is the the API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. You can think of it as TCPDump and Wireshark re-invented for Kubernetes.

4. Supertokens - #60

GitHub: https://github.com/supertokens/supertokens-core
Website: https://supertokens.com/

Supertokens is an open source alternative to Auth0, Firebase Auth, and AWS Cognito. Supertokens architecture is optimized to add secure authentication for your users without compromising on user and developer experience.

It is an end-to-end solution with login, sign ups, user and session management – and, most importantly, you can use it without all the complexities of OAuth protocols.

5. Metlo - #95

GitHub: https://github.com/metlo-labs/metlo
Website: https://www.metlo.com/

Metlo allows you to find API vulnerabilities before they make it into production. It scans your mirrored network traffic to create a catalog of all your APIs - even the undocumented, legacy, and shadow APIs. After that, each endpoint is scanned for sensitive data and given a risk score.

‍In addition, Metlo alerts you as soon as anomalous API usage patterns are detected and gives you full context around any attack to help quickly fix the vulnerability.

Wrapping up and getting started

As we have seen, each of the above tools provides an (almost) automatic way to make sure that your apps are as secure as possible – thereby making your users safe. Everyone can benefit from trying and learning about these tools, no matter how experienced you are.

The fact that these projects are open source provides a unique advantage because every developer can try them out, while at the same they are much easier for large enterprises to adopt – given how stringent their security and complaince policies may be.

Please, add to comments if you think some other open source security dev tools should be on this list but were missed. Looking forward to the discussion!

Comments

[adriens]

Adding grype may also be interesting :

anchore / grype

A vulnerability scanner for container images and filesystems

A vulnerability scanner for container images and filesystems. Easily install the binary to try it out. Works with Syft, the powerful SBOM (software bill of materials) tool for container images and filesystems.

Join our community meetings!

• Calendar: calendar.google.com/calendar/u/0/r...
• Agenda: docs.google.com/document/d/1ZtSAa6... (join this group for write access)
• All are welcome!

For commercial support options with Syft or Grype, please contact Anchore

Features

• Scan the contents of a container image or filesystem to find known vulnerabilities.
• Find vulnerabilities for major operating system packages
  • Alpine
  • Amazon Linux
  • BusyBox
  • CentOS
  • Debian
  • Distroless
  • Oracle Linux
  • Red Hat (RHEL)
  • Ubuntu
• Find vulnerabilities for language-specific packages
  • Ruby (Gems)
  • Java (JAR, WAR, EAR, JPI, HPI)
  • JavaScript (NPM, Yarn)
  • Python (Egg, Wheel, Poetry, requirements.txt/setup.py files)
  • Dotnet (deps.json)
  • Golang (go.mod)
  • PHP (Composer)
  • Rust (Cargo)
• Supports Docker, OCI and Singularity image formats.

If you encounter an issue, please let us know using the issue tracker.

Installation

Recommended

curl -sSfL

…

View on GitHub

[mv-turtle]

Indeed! Grype looks great, looks like it's #70 in the index.

[Rodrigo Isaias Calix]

In fact, it looks very interesting!