Integrate security into your development pipeline with free and open source DevSecOps tools. Browse CI/CD security, secrets scanning, SAST, container scanning, and policy-as-code tools.
Showing 24 of 99 tools

earthly/earthly
Super simple build framework with fast, repeatable builds and an instantly familiar syntax, like Dockerfile and Makefile had a baby.

wei/pull
Keep your forks up-to-date via automated PRs

jenkins-x/jx
Jenkins X provides automated CI+CD for Kubernetes with Preview Environments on Pull Requests using Cloud Native pipelines from Tekton

zizmorcore/zizmor
Static analysis for GitHub Actions

garden-io/garden
Automation for Kubernetes development and testing. Spin up production-like environments for development, testing, and CI on demand. Use the same configuration and workflows at every step of the process. Speed up your builds and test runs via shared result caching

okteto/okteto
Develop your applications directly in your Kubernetes Cluster

akuity/kargo
Application lifecycle orchestration

hahwul/DevSecOps
Collection and Roadmap for everyone who wants DevSecOps. Hope your DevOps are more safe

6mile/DevSecOps-Playbook
This is a step-by-step guide to implementing a DevSecOps program for any size organization

nocalhost/nocalhost
Nocalhost is a Cloud Native Dev Environment.

JakobTheDev/awesome-devsecops
Curating the best DevSecOps resources and tooling.

dyrector-io/dyrectorio
dyrector.io is a self-hosted continuous delivery & deployment platform with version management.

OWASP/DevSecOpsGuideline
The OWASP DevSecOps Guideline can help us to embed security as a part of the development pipeline.

sethvargo/ratchet
A tool for securing CI/CD workflows with version pinning.

helm/chart-releaser
Hosting Helm Charts via GitHub Pages and Releases

argoproj-labs/argocd-operator
A Kubernetes operator for managing Argo CD clusters.

kool-dev/kool
From local development to the cloud: web apps development with containers made easy.

CycodeLabs/raven
CI/CD Security Analyzer

helm/chart-releaser-action
A GitHub Action to turn a GitHub project into a self-hosted Helm chart repo, using helm/chart-releaser CLI tool

step-security/secure-repo
Orchestrate GitHub Actions Security

stacklok/frizbee
Throw a tag at it and it comes back with a checksum.

Mixeway/Flow
Repository containing the source code of the MixewayFlow service, a Swiss army knife for DevSecOps teams

bancolombia/devsecops-engine-tools
Toolchain for the evaluation of different devsecops practices

rmkanda/secure-pipeline-java-demo
No description available

DevSecOps integrates security practices into the DevOps workflow, shifting security left so vulnerabilities are found and fixed during development rather than after deployment. It involves automating security testing in CI/CD pipelines, treating security as code, and fostering shared responsibility between development, operations, and security teams.
Secrets scanning detects accidentally committed credentials (API keys, passwords, tokens) in source code and git history. Tools like Gitleaks, TruffleHog, and detect-secrets prevent credential exposure before it reaches production. GitHub's push protection and GitLab's secret detection provide native secrets scanning.
A typical DevSecOps pipeline includes: pre-commit hooks (secrets scanning, linting), SAST on every commit (Semgrep, Bandit), SCA for dependency vulnerabilities (OWASP Dependency-Check, Grype), container scanning (Trivy), DAST against staging environments (OWASP ZAP), and IaC scanning (Checkov, tfsec).
Policy-as-code defines security and compliance rules as machine-readable code that can be version-controlled, tested, and automatically enforced. Tools like Open Policy Agent (OPA), Kyverno, and Conftest allow teams to write policies that gate deployments, enforce Kubernetes configurations, and validate infrastructure changes.