rezmoss/awesome-security-pipeline

GitHub: rezmoss/awesome-security-pipeline

A curated list of open-source security tools organized by CI/CD pipeline stage, covering secrets detection, SBOM generation, SAST/SCA, container security and runtime protection: an end-to-end DevSecOps tool-selection reference.

Stars: 8 | Forks: 1

# Awesome Security Pipeline [![Awesome](https://awesome.re/badge.svg)](https://awesome.re) [![License: CC0-1.0](https://img.shields.io/badge/License-CC0_1.0-lightgrey.svg)](http://creativecommons.org/publicdomain/zero/1.0/)

Security should not be an afterthought. This list organizes battle-tested security tools by where they sit in the pipeline, so you can build defense in depth from commit to production.

## Contents

- [Pre-commit & Secrets Detection](#pre-commit--secrets-detection)
- [SBOM Generation](#sbom-generation)
- [Artifact Signing & Verification](#artifact-signing--verification)
- [Supply Chain Compliance](#supply-chain-compliance)
- [Software Composition Analysis (SCA)](#software-composition-analysis-sca)
- [Static Application Security Testing (SAST)](#static-application-security-testing-sast)
  - [Multi-language](#multi-language)
  - [Language Specific](#language-specific)
- [Infrastructure as Code Security](#infrastructure-as-code-security)
- [Container Security](#container-security)
  - [Image Scanning](#image-scanning)
  - [Runtime Security](#runtime-security)
- [Kubernetes Security](#kubernetes-security)
- [Policy as Code](#policy-as-code)
- [Secret Management](#secret-management)
- [API & Dynamic Testing (DAST)](#api--dynamic-testing-dast)
- [Cloud Security](#cloud-security)
- [Reading the Badges](#reading-the-badges)
- [Contributing](#contributing)
- [License](#license)

## Pre-commit & Secrets Detection

Catch secrets and credentials before they reach the repository.

- [gitleaks](https://github.com/gitleaks/gitleaks) - Detect and prevent secrets in git repositories. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/gitleaks/gitleaks) ![Last Commit](https://img.shields.io/github/last-commit/gitleaks/gitleaks)
- [trufflehog](https://github.com/trufflesecurity/trufflehog) - Find credentials in git history and live systems. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/trufflesecurity/trufflehog) ![Last Commit](https://img.shields.io/github/last-commit/trufflesecurity/trufflehog)
- [detect-secrets](https://github.com/Yelp/detect-secrets) - Prevent secrets from entering the codebase. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/Yelp/detect-secrets) ![Last Commit](https://img.shields.io/github/last-commit/Yelp/detect-secrets)
- [git-secrets](https://github.com/awslabs/git-secrets) - Prevent committing AWS credentials and other secrets. ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/awslabs/git-secrets) ![Last Commit](https://img.shields.io/github/last-commit/awslabs/git-secrets)
- [talisman](https://github.com/thoughtworks/talisman) - Pre-push and pre-commit hooks for detecting secrets. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/thoughtworks/talisman) ![Last Commit](https://img.shields.io/github/last-commit/thoughtworks/talisman)
- [whispers](https://github.com/Skyscanner/whispers) - Identify hardcoded secrets through static code analysis. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/Skyscanner/whispers) ![Last Commit](https://img.shields.io/github/last-commit/Skyscanner/whispers)
- [pre-commit](https://github.com/pre-commit/pre-commit) - Framework for managing multi-language pre-commit hooks. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/pre-commit/pre-commit) ![Last Commit](https://img.shields.io/github/last-commit/pre-commit/pre-commit)

## SBOM Generation

Generate a Software Bill of Materials (SBOM) for supply chain visibility.

- [syft](https://github.com/anchore/syft) - Generate SBOMs from container images and filesystems. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/anchore/syft) ![Last Commit](https://img.shields.io/github/last-commit/anchore/syft)
- [cdxgen](https://github.com/CycloneDX/cdxgen) - Create CycloneDX SBOMs for a wide range of languages. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/CycloneDX/cdxgen) ![Last Commit](https://img.shields.io/github/last-commit/CycloneDX/cdxgen)
- [cyclonedx-cli](https://github.com/CycloneDX/cyclonedx-cli) - CLI tool for working with CycloneDX SBOMs. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/CycloneDX/cyclonedx-cli) ![Last Commit](https://img.shields.io/github/last-commit/CycloneDX/cyclonedx-cli)
- [spdx-sbom-generator](https://github.com/opensbom-generator/spdx-sbom-generator) - Generate SPDX-format SBOMs from source code. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/opensbom-generator/spdx-sbom-generator) ![Last Commit](https://img.shields.io/github/last-commit/opensbom-generator/spdx-sbom-generator)
- [tern](https://github.com/tern-tools/tern) - Software composition analysis tool for container images. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/tern-tools/tern) ![Last Commit](https://img.shields.io/github/last-commit/tern-tools/tern)
- [sbom-tool](https://github.com/microsoft/sbom-tool) - Microsoft's scalable SBOM generation tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/microsoft/sbom-tool) ![Last Commit](https://img.shields.io/github/last-commit/microsoft/sbom-tool)
- [sbomlyze](https://github.com/rezmoss/sbomlyze) - SBOM comparison and analysis tool for supply chain drift detection. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/rezmoss/sbomlyze) ![Last Commit](https://img.shields.io/github/last-commit/rezmoss/sbomlyze)

## Artifact Signing & Verification

Sign and verify container images and artifacts to secure the supply chain.

- [cosign](https://github.com/sigstore/cosign) - Sign and verify container images. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/sigstore/cosign) ![Last Commit](https://img.shields.io/github/last-commit/sigstore/cosign)
- [notation](https://github.com/notaryproject/notation) - CNCF signing and verification standard (Notary Project). ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/notaryproject/notation) ![Last Commit](https://img.shields.io/github/last-commit/notaryproject/notation)
- [rekor](https://github.com/sigstore/rekor) - Tamper-evident transparency log for signed artifacts. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/sigstore/rekor) ![Last Commit](https://img.shields.io/github/last-commit/sigstore/rekor)

## Supply Chain Compliance

Audit and verify supply chain security against industry standards.

- [scorecard](https://github.com/ossf/scorecard) - OpenSSF security health metrics for open source projects. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/ossf/scorecard) ![Last Commit](https://img.shields.io/github/last-commit/ossf/scorecard)
- [in-toto](https://github.com/in-toto/in-toto) - Framework for securing supply chain integrity. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/in-toto/in-toto) ![Last Commit](https://img.shields.io/github/last-commit/in-toto/in-toto)
- [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) - Verify SLSA provenance to secure the supply chain. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/slsa-framework/slsa-verifier) ![Last Commit](https://img.shields.io/github/last-commit/slsa-framework/slsa-verifier)
- [chain-bench](https://github.com/aquasecurity/chain-bench) - Audit the supply chain against the CIS benchmark. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/aquasecurity/chain-bench) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/chain-bench)

## Software Composition Analysis (SCA)

Scan dependencies for known vulnerabilities.

- [grype](https://github.com/anchore/grype) - Vulnerability scanner for container images and filesystems. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/anchore/grype) ![Last Commit](https://img.shields.io/github/last-commit/anchore/grype)
- [trivy](https://github.com/aquasecurity/trivy) - All-in-one security scanner for vulnerabilities and misconfigurations. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/trivy) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/trivy)
- [osv-scanner](https://github.com/google/osv-scanner) - Vulnerability scanner backed by the OSV database. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/google/osv-scanner) ![Last Commit](https://img.shields.io/github/last-commit/google/osv-scanner)
- [dependency-track](https://github.com/DependencyTrack/dependency-track) - Intelligent component analysis platform. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/DependencyTrack/dependency-track) ![Last Commit](https://img.shields.io/github/last-commit/DependencyTrack/dependency-track)
- [snyk-cli](https://github.com/snyk/cli) - Find and fix vulnerabilities in dependencies. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/snyk/cli) ![Last Commit](https://img.shields.io/github/last-commit/snyk/cli)
- [bomber](https://github.com/devops-kung-fu/bomber) - Scan SBOMs for vulnerabilities. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/devops-kung-fu/bomber) ![Last Commit](https://img.shields.io/github/last-commit/devops-kung-fu/bomber)
- [vet](https://github.com/safedep/vet) - Policy-driven dependency vetting tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/safedep/vet) ![Last Commit](https://img.shields.io/github/last-commit/safedep/vet)
- [deps.dev](https://deps.dev) - Google's dependency insights service (API/website).
- [safe-chain](https://github.com/AikidoSec/safe-chain) - Block malicious packages during npm/pip install. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/AikidoSec/safe-chain) ![Last Commit](https://img.shields.io/github/last-commit/AikidoSec/safe-chain)

## Static Application Security Testing (SAST)

Analyze source code for security vulnerabilities.

### Multi-language

Tools that support multiple programming languages.

- [semgrep](https://github.com/semgrep/semgrep) - Lightweight static analysis for many languages. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/semgrep/semgrep) ![Last Commit](https://img.shields.io/github/last-commit/semgrep/semgrep)
- [bearer](https://github.com/Bearer/bearer) - Code security scanner focused on data flows. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/Bearer/bearer) ![Last Commit](https://img.shields.io/github/last-commit/Bearer/bearer)
- [horusec](https://github.com/ZupIT/horusec) - Multi-language security analysis tool. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/ZupIT/horusec) ![Last Commit](https://img.shields.io/github/last-commit/ZupIT/horusec)
- [codeql](https://github.com/github/codeql) - Semantic code analysis engine from GitHub. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/github/codeql) ![Last Commit](https://img.shields.io/github/last-commit/github/codeql)
- [sonarqube](https://github.com/SonarSource/sonarqube) - Continuous code quality and security review. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/SonarSource/sonarqube) ![Last Commit](https://img.shields.io/github/last-commit/SonarSource/sonarqube)
- [spotbugs](https://github.com/spotbugs/spotbugs) - Static analysis tool for finding bugs in Java code. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/spotbugs/spotbugs) ![Last Commit](https://img.shields.io/github/last-commit/spotbugs/spotbugs)

### Language Specific

Tools dedicated to a specific programming language.

#### Python

- [bandit](https://github.com/PyCQA/bandit) - Security linter for Python code. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/PyCQA/bandit) ![Last Commit](https://img.shields.io/github/last-commit/PyCQA/bandit)
- [safety](https://github.com/pyupio/safety) - Check Python dependencies for vulnerabilities. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/pyupio/safety) ![Last Commit](https://img.shields.io/github/last-commit/pyupio/safety)
- [pyre-check](https://github.com/facebook/pyre-check) - Performant type checker with security analysis capabilities. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/facebook/pyre-check) ![Last Commit](https://img.shields.io/github/last-commit/facebook/pyre-check)

#### JavaScript/Node.js

- [njsscan](https://github.com/ajinabraham/njsscan) - Semantic SAST tool for Node.js applications. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/ajinabraham/njsscan) ![Last Commit](https://img.shields.io/github/last-commit/ajinabraham/njsscan)
- [eslint-plugin-security](https://github.com/eslint-community/eslint-plugin-security) - ESLint rules for Node.js security. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/eslint-community/eslint-plugin-security) ![Last Commit](https://img.shields.io/github/last-commit/eslint-community/eslint-plugin-security)

#### Go

- [gosec](https://github.com/securego/gosec) - Go source code security checker. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/securego/gosec) ![Last Commit](https://img.shields.io/github/last-commit/securego/gosec)
- [govulncheck](https://github.com/golang/vuln) - Official Go vulnerability scanner for dependencies and binaries. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/golang/vuln) ![Last Commit](https://img.shields.io/github/last-commit/golang/vuln)

#### Ruby

- [brakeman](https://github.com/presidentbeef/brakeman) - Static analysis tool for Ruby on Rails applications. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/presidentbeef/brakeman) ![Last Commit](https://img.shields.io/github/last-commit/presidentbeef/brakeman)

#### PHP

- [phpstan](https://github.com/phpstan/phpstan) - PHP static analysis tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/phpstan/phpstan) ![Last Commit](https://img.shields.io/github/last-commit/phpstan/phpstan)
- [psalm](https://github.com/vimeo/psalm) - Security-focused PHP static analysis tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/vimeo/psalm) ![Last Commit](https://img.shields.io/github/last-commit/vimeo/psalm)

#### Rust

- [cargo-audit](https://github.com/RustSec/rustsec) - Audit Cargo.lock for crates with known security vulnerabilities. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/RustSec/rustsec) ![Last Commit](https://img.shields.io/github/last-commit/RustSec/rustsec)

## Infrastructure as Code Security

Scan infrastructure configuration for security misconfigurations.

- [checkov](https://github.com/bridgecrewio/checkov) - Scan cloud infrastructure configuration. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/bridgecrewio/checkov) ![Last Commit](https://img.shields.io/github/last-commit/bridgecrewio/checkov)
- [tfsec](https://github.com/aquasecurity/tfsec) - Security scanner for Terraform code. ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/aquasecurity/tfsec) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/tfsec)
- [terrascan](https://github.com/tenable/terrascan) - Detect compliance and security violations in IaC. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/tenable/terrascan) ![Last Commit](https://img.shields.io/github/last-commit/tenable/terrascan)
- [kics](https://github.com/Checkmarx/kics) - Find security vulnerabilities and compliance issues in IaC. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/Checkmarx/kics) ![Last Commit](https://img.shields.io/github/last-commit/Checkmarx/kics)
- [trivy](https://github.com/aquasecurity/trivy) - Also scans IaC for misconfigurations (Terraform, CloudFormation and more). ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/trivy) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/trivy)
- [snyk-iac](https://github.com/snyk/cli) - Infrastructure as Code security scanning. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/snyk/cli) ![Last Commit](https://img.shields.io/github/last-commit/snyk/cli)
- [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) - AWS CloudFormation linter with security rules. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aws-cloudformation/cfn-lint) ![Last Commit](https://img.shields.io/github/last-commit/aws-cloudformation/cfn-lint)
- [zizmor](https://github.com/zizmorcore/zizmor) - Static analysis tool for GitHub Actions workflows. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/zizmorcore/zizmor) ![Last Commit](https://img.shields.io/github/last-commit/zizmorcore/zizmor)

## Container Security

Secure container images and runtime environments.

### Image Scanning

Scan container images for vulnerabilities before deployment.

- [trivy](https://github.com/aquasecurity/trivy) - Comprehensive container vulnerability scanner. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/trivy) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/trivy)
- [grype](https://github.com/anchore/grype) - Container image vulnerability scanner. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/anchore/grype) ![Last Commit](https://img.shields.io/github/last-commit/anchore/grype)
- [clair](https://github.com/quay/clair) - Static analysis of vulnerabilities in containers. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/quay/clair) ![Last Commit](https://img.shields.io/github/last-commit/quay/clair)
- [anchore-engine](https://github.com/anchore/anchore-engine) - Container analysis and policy evaluation. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/anchore/anchore-engine) ![Last Commit](https://img.shields.io/github/last-commit/anchore/anchore-engine) *(migrate to [Syft](https://github.com/anchore/syft) + [Grype](https://github.com/anchore/grype))*
- [docker-bench-security](https://github.com/docker/docker-bench-security) - Check Docker deployments against the CIS benchmark. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/docker/docker-bench-security) ![Last Commit](https://img.shields.io/github/last-commit/docker/docker-bench-security)
- [dockle](https://github.com/goodwithtech/dockle) - Container image linter for security best practices. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/goodwithtech/dockle) ![Last Commit](https://img.shields.io/github/last-commit/goodwithtech/dockle)
- [hadolint](https://github.com/hadolint/hadolint) - Dockerfile linter for best practices and security rules (no vulnerability-database scanning). ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/hadolint/hadolint) ![Last Commit](https://img.shields.io/github/last-commit/hadolint/hadolint)
- [dive](https://github.com/wagoodman/dive) - Explore and analyze Docker image layer efficiency and contents (for analysis and inspection, not vulnerability scanning). ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/wagoodman/dive) ![Last Commit](https://img.shields.io/github/last-commit/wagoodman/dive)

### Runtime Security

Monitor and protect containers at runtime.

- [falco](https://github.com/falcosecurity/falco) - Cloud-native runtime security and threat detection. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/falcosecurity/falco) ![Last Commit](https://img.shields.io/github/last-commit/falcosecurity/falco)
- [tracee](https://github.com/aquasecurity/tracee) - Linux runtime security and forensics using eBPF. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/tracee) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/tracee)
- [tetragon](https://github.com/cilium/tetragon) - eBPF-based security observability and runtime enforcement. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/cilium/tetragon) ![Last Commit](https://img.shields.io/github/last-commit/cilium/tetragon)
- [sysdig-inspect](https://github.com/draios/sysdig-inspect) - System call visualization and container analysis. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/draios/sysdig-inspect) ![Last Commit](https://img.shields.io/github/last-commit/draios/sysdig-inspect)

## Kubernetes Security

Secure Kubernetes clusters, manifests and workloads.

- [kube-bench](https://github.com/aquasecurity/kube-bench) - Check Kubernetes against the CIS benchmark. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/kube-bench) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/kube-bench)
- [kubescape](https://github.com/kubescape/kubescape) - Kubernetes security risk analysis and compliance checks. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/kubescape/kubescape) ![Last Commit](https://img.shields.io/github/last-commit/kubescape/kubescape)
- [kube-linter](https://github.com/stackrox/kube-linter) - Static analysis for Kubernetes YAML and Helm charts. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/stackrox/kube-linter) ![Last Commit](https://img.shields.io/github/last-commit/stackrox/kube-linter)
- [kyverno](https://github.com/kyverno/kyverno) - Kubernetes-native policy management. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/kyverno/kyverno) ![Last Commit](https://img.shields.io/github/last-commit/kyverno/kyverno)
- [polaris](https://github.com/FairwindsOps/polaris) - Validate Kubernetes best practices and policies. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/FairwindsOps/polaris) ![Last Commit](https://img.shields.io/github/last-commit/FairwindsOps/polaris)
- [trivy-operator](https://github.com/aquasecurity/trivy-operator) - Kubernetes-native security reporting. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/aquasecurity/trivy-operator) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/trivy-operator)
- [kubiscan](https://github.com/cyberark/KubiScan) - Scan Kubernetes RBAC for risky permissions. ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/cyberark/KubiScan) ![Last Commit](https://img.shields.io/github/last-commit/cyberark/KubiScan)
- [kube-hunter](https://github.com/aquasecurity/kube-hunter) - Actively hunt for security weaknesses in Kubernetes clusters. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/aquasecurity/kube-hunter) ![Last Commit](https://img.shields.io/github/last-commit/aquasecurity/kube-hunter)

## Policy as Code

Define and enforce infrastructure security policies as code.

- [opa](https://github.com/open-policy-agent/opa) - Open Policy Agent, the de facto standard engine for policy as code. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/open-policy-agent/opa) ![Last Commit](https://img.shields.io/github/last-commit/open-policy-agent/opa)
- [gatekeeper](https://github.com/open-policy-agent/gatekeeper) - OPA for Kubernetes admission control. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/open-policy-agent/gatekeeper) ![Last Commit](https://img.shields.io/github/last-commit/open-policy-agent/gatekeeper)
- [datree](https://github.com/datreeio/datree) - Prevent Kubernetes misconfigurations. ![Archived](https://img.shields.io/badge/status-archived-lightgrey) ![Stars](https://img.shields.io/github/stars/datreeio/datree) ![Last Commit](https://img.shields.io/github/last-commit/datreeio/datree)
- [conftest](https://github.com/open-policy-agent/conftest) - Test configuration files against OPA policies. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/open-policy-agent/conftest) ![Last Commit](https://img.shields.io/github/last-commit/open-policy-agent/conftest)

## Secret Management

Securely manage and distribute secrets in Kubernetes and GitOps workflows.

- [sealed-secrets](https://github.com/bitnami-labs/sealed-secrets) - Encrypt secrets locally; they can only be decrypted inside the cluster. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/bitnami-labs/sealed-secrets) ![Last Commit](https://img.shields.io/github/last-commit/bitnami-labs/sealed-secrets)
- [external-secrets](https://github.com/external-secrets/external-secrets) - Sync secrets from AWS/Vault/Azure into Kubernetes. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/external-secrets/external-secrets) ![Last Commit](https://img.shields.io/github/last-commit/external-secrets/external-secrets)
- [sops](https://github.com/getsops/sops) - Editor-transparent encryption of files kept in Git. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/getsops/sops) ![Last Commit](https://img.shields.io/github/last-commit/getsops/sops)
- [vault](https://github.com/hashicorp/vault) - Secrets management, encryption as a service and privileged access management. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/hashicorp/vault) ![Last Commit](https://img.shields.io/github/last-commit/hashicorp/vault)
- [infisical](https://github.com/Infisical/infisical) - Open-source secrets management platform with native integrations. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/Infisical/infisical) ![Last Commit](https://img.shields.io/github/last-commit/Infisical/infisical)

## API & Dynamic Testing (DAST)

Test running applications for vulnerabilities.

- [zap](https://github.com/zaproxy/zaproxy) - ZAP (formerly OWASP ZAP) web application security scanner. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/zaproxy/zaproxy) ![Last Commit](https://img.shields.io/github/last-commit/zaproxy/zaproxy)
- [nuclei](https://github.com/projectdiscovery/nuclei) - Fast, template-driven and customizable vulnerability scanner. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/projectdiscovery/nuclei) ![Last Commit](https://img.shields.io/github/last-commit/projectdiscovery/nuclei)
- [nikto](https://github.com/sullo/nikto) - Web server scanner for dangerous files and known vulnerabilities. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/sullo/nikto) ![Last Commit](https://img.shields.io/github/last-commit/sullo/nikto)
- [arachni](https://github.com/Arachni/arachni) - Feature-rich web application security scanner. ![Stale](https://img.shields.io/badge/status-stale-yellow) ![Stars](https://img.shields.io/github/stars/Arachni/arachni) ![Last Commit](https://img.shields.io/github/last-commit/Arachni/arachni) *(consider [ZAP](https://github.com/zaproxy/zaproxy) or [Nuclei](https://github.com/projectdiscovery/nuclei) instead)*
- [wapiti](https://github.com/wapiti-scanner/wapiti) - Web application vulnerability scanner. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/wapiti-scanner/wapiti) ![Last Commit](https://img.shields.io/github/last-commit/wapiti-scanner/wapiti)
- [sqlmap](https://github.com/sqlmapproject/sqlmap) - Automatic SQL injection detection and exploitation tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/sqlmapproject/sqlmap) ![Last Commit](https://img.shields.io/github/last-commit/sqlmapproject/sqlmap)

## Cloud Security

Assess and audit the security posture of cloud infrastructure.

- [prowler](https://github.com/prowler-cloud/prowler) - Security assessment tool for AWS, Azure and GCP. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/prowler-cloud/prowler) ![Last Commit](https://img.shields.io/github/last-commit/prowler-cloud/prowler)
- [cloudsplaining](https://github.com/salesforce/cloudsplaining) - AWS IAM security assessment tool. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/salesforce/cloudsplaining) ![Last Commit](https://img.shields.io/github/last-commit/salesforce/cloudsplaining)
- [ScoutSuite](https://github.com/nccgroup/ScoutSuite) - Multi-cloud security auditing tool. ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) ![Stars](https://img.shields.io/github/stars/nccgroup/ScoutSuite) ![Last Commit](https://img.shields.io/github/last-commit/nccgroup/ScoutSuite)
- [steampipe](https://github.com/turbot/steampipe) - Query cloud resources with SQL. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/turbot/steampipe) ![Last Commit](https://img.shields.io/github/last-commit/turbot/steampipe)
- [cloudquery](https://github.com/cloudquery/cloudquery) - Cloud asset inventory and security analysis with SQL. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/cloudquery/cloudquery) ![Last Commit](https://img.shields.io/github/last-commit/cloudquery/cloudquery)
- [cartography](https://github.com/lyft/cartography) - Map infrastructure relationships and attack surface. ![Active](https://img.shields.io/badge/status-active-brightgreen) ![Stars](https://img.shields.io/github/stars/lyft/cartography) ![Last Commit](https://img.shields.io/github/last-commit/lyft/cartography)

## Reading the Badges

Every tool carries status and activity badges so its maintenance health is visible at a glance.

### Maintenance Status (updated weekly)

Status badges are refreshed **automatically every week** by the repository's GitHub Action to reflect the current maintenance state.

| Badge | Meaning |
|-------|---------|
| ![Active](https://img.shields.io/badge/status-active-brightgreen) | **Active** - updated within the last 6 months |
| ![Stale](https://img.shields.io/badge/status-stale-yellow) | **Stale** - no updates for 6-12 months; use with caution |
| ![Unmaintained](https://img.shields.io/badge/status-unmaintained-red) | **Unmaintained** - no updates for more than 12 months; consider alternatives |
| ![Archived](https://img.shields.io/badge/status-archived-lightgrey) | **Archived** - repository archived by its owner |
| ![Deprecated](https://img.shields.io/badge/status-deprecated-lightgrey) | **Deprecated** - officially superseded; migrate |

### Activity Badges

| Badge | Meaning |
|-------|---------|
| ![Stars](https://img.shields.io/badge/stars-★-blue) | GitHub star count - a proxy for community adoption |
| ![Last Commit](https://img.shields.io/badge/last%20commit-date-green) | Date of the last commit - shows exactly when the project was last updated |

Commit recency and star counts are signals, not guarantees: an actively maintained repository can still ship a compromised release, so pair these badges with the signing, provenance and Scorecard checks listed above when deciding what to run in your pipeline.

## License

[![CC0](https://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg)](http://creativecommons.org/publicdomain/zero/1.0/)

To the extent possible under law, the contributors have waived all copyright and related or neighboring rights to this work.
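What the pre-commit secrets stage listed above does mechanically, as an added example: this is not code from gitleaks, detect-secrets or any other tool on this list, but it combines the same two detection strategies those tools use, regexes for credentials with a known shape and Shannon entropy for opaque tokens, and applies them only to the lines a staged diff adds. `SAMPLE_DIFF` is constructed; the AWS key in it is Amazon's documented example key ID. The entropy thresholds match detect-secrets' defaults, the inline allowlist markers are the ones detect-secrets and gitleaks honor, and the excluded file suffixes are an assumption for this example.

```python
"""Pre-commit secret scan over a staged diff (added example, not a tool from the list)."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Credentials with a fixed, public format. A match here is high confidence.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack-token": re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Opaque tokens: long hex/base64-looking runs whose entropy (bits per character)
# exceeds a threshold. 3.0 (hex) and 4.5 (base64) are detect-secrets' defaults.
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,}\b")
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_DETECTORS = (("high-entropy-hex", HEX_TOKEN, 3.0), ("high-entropy-base64", BASE64_TOKEN, 4.5))
# Inline allowlist comments honored by detect-secrets and gitleaks respectively.
ALLOWLIST_MARKERS = ("pragma: allowlist secret", "gitleaks:allow")
# Assumed exclusions: files that legitimately contain high-entropy strings (lockfile hashes).
EXCLUDED_SUFFIXES = (".lock", ".sum", "package-lock.json", ".min.js")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    detector: str
    value: str

    def redacted(self) -> str:
        """Never echo the full secret back into CI logs."""
        return self.value[:4] + "..." + self.value[-2:] if len(self.value) > 8 else "****"


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(text: str, path: str, line_no: int) -> list:
    """Return findings for one added line; format matches win over entropy heuristics."""
    if any(marker in text for marker in ALLOWLIST_MARKERS):
        return []
    hits = [Finding(path, line_no, name, m.group(0))
            for name, pat in PATTERNS.items() for m in pat.finditer(text)]
    if hits:
        return hits
    for name, pat, limit in ENTROPY_DETECTORS:
        hits = [Finding(path, line_no, name, m.group(0))
                for m in pat.finditer(text) if shannon_entropy(m.group(0)) > limit]
        if hits:  # stop at the first detector that fires so a token is reported once
            return hits
    return []


def scan_diff(diff: str) -> list:
    """Walk a unified diff, scanning only '+' lines and tracking the new-side line number."""
    findings, path, line_no, skip = [], "?", 0, False
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            skip = path == "/dev/null" or path.endswith(EXCLUDED_SUFFIXES)
        elif raw.startswith(("--- ", "diff ", "index ", "\\ No newline")):
            continue
        elif (m := HUNK_HEADER.match(raw)):
            line_no = int(m.group(1))
        elif raw.startswith("+"):
            if not skip:
                findings.extend(scan_line(raw[1:], path, line_no))
            line_no += 1
        elif not raw.startswith("-"):
            line_no += 1  # context line; removed ('-') lines do not advance the new side
    return findings


# Constructed staged diff. The AKIA... value is Amazon's documented example key ID.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,4 +10,7 @@ DEBUG = False
 DATABASE_URL = os.environ["DATABASE_URL"]
+# constructed sample: documented example key id, not a live credential
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_SECRET = "Q7v2Xk9pLm3RtB8wZy4NfH6sJd1Ga5UcE0oVrT2i"
+TEST_TOKEN = "xoxb-000000000000-placeholder"  # gitleaks:allow
 LOG_LEVEL = "info"
diff --git a/go.sum b/go.sum
--- a/go.sum
+++ b/go.sum
@@ -1,2 +1,3 @@
 github.com/example/a v1.0.0 h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+github.com/example/b v1.2.0 h1:Q7v2Xk9pLm3RtB8wZy4NfH6sJd1Ga5UcE0oVrT2iKx=
"""

if __name__ == "__main__":
    # Usage as a hook:  git diff --cached -U0 | python precommit_secrets.py
    hits = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.detector}: {f.redacted()}")
    sys.exit(1 if hits else 0)
```

On the sample diff the hook reports the AWS key ID and the high-entropy `API_SECRET`, skips the `gitleaks:allow`-marked line, and ignores the `go.sum` hash even though it would otherwise trip the base64 entropy check; that last case is why a hook without file exclusions or an allowlist gets disabled by developers within a week, which is worse than no hook.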
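Supply chain drift detection of the kind the sbomlyze entry above describes, as an added example that is not code from sbomlyze or any other tool on this list. It compares the top-level `components` of two CycloneDX JSON SBOMs, keys each component by its purl with the version removed (so a version bump reads as a change rather than a removal plus an addition), falls back to group/name when there is no purl, and flags version downgrades as gate violations. Both SBOMs are constructed minimal documents; the package names and versions in them are illustrative, and nested components and the `dependencies` graph are ignored.

```python
"""CycloneDX SBOM drift detection (added example, not code from sbomlyze)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Constructed baseline and current-build SBOMs (minimal CycloneDX 1.5 JSON).
OLD_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
    {"type": "library", "name": "certifi", "version": "2023.7.22", "purl": "pkg:pypi/certifi@2023.7.22"},
    {"type": "library", "group": "@scope", "name": "ui", "version": "1.4.0", "purl": "pkg:npm/@scope/ui@1.4.0"},
    {"type": "library", "group": "com.example", "name": "internal-lib", "version": "0.9.0"}
  ]
}""")
NEW_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 2,
  "components": [
    {"type": "library", "name": "requests", "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3"},
    {"type": "library", "name": "urllib3", "version": "1.26.18", "purl": "pkg:pypi/urllib3@1.26.18"},
    {"type": "library", "name": "certifi", "version": "2023.7.22", "purl": "pkg:pypi/certifi@2023.7.22"},
    {"type": "library", "name": "typing-extensions", "version": "4.12.2", "purl": "pkg:pypi/typing-extensions@4.12.2"},
    {"type": "library", "group": "com.example", "name": "internal-lib", "version": "0.9.0"}
  ]
}""")


@dataclass
class Drift:
    added: dict = field(default_factory=dict)      # key -> version now present
    removed: dict = field(default_factory=dict)    # key -> version that disappeared
    changed: dict = field(default_factory=dict)    # key -> (old version, new version)
    downgraded: list = field(default_factory=list) # keys whose version went backwards


def component_key(component: dict) -> str:
    """Identity of a component across builds: purl minus version/qualifiers, else group/name."""
    purl = component.get("purl")
    if purl:
        base = purl.split("?", 1)[0].split("#", 1)[0]
        head, sep, tail = base.rpartition("@")
        # An '@' after the final '/' separates the version; an earlier one is an npm scope.
        return head if sep and "/" not in tail else base
    return f"{component.get('group', '')}/{component['name']}".lstrip("/")


def version_tuple(version: str):
    """Numeric dotted version as a tuple, or None when it is not purely numeric."""
    try:
        return tuple(int(part) for part in re.split(r"[.\-+]", version))
    except ValueError:
        return None


def is_downgrade(before: str, after: str) -> bool:
    vb, va = version_tuple(before), version_tuple(after)
    return vb is not None and va is not None and va < vb


def index_components(sbom: dict) -> dict:
    """key -> version for top-level components (if a key repeats, the last entry wins)."""
    return {component_key(c): c.get("version", "") for c in sbom.get("components", [])}


def compare(old_sbom: dict, new_sbom: dict) -> Drift:
    old, new = index_components(old_sbom), index_components(new_sbom)
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return Drift(
        added={k: new[k] for k in new.keys() - old.keys()},
        removed={k: old[k] for k in old.keys() - new.keys()},
        changed=changed,
        downgraded=sorted(k for k, (b, a) in changed.items() if is_downgrade(b, a)),
    )


def violations(drift: Drift, forbid_new_components: bool = False) -> list:
    """Gate policy: downgrades always fail; unexpected new components fail when requested."""
    out = [f"downgrade: {k} {drift.changed[k][0]} -> {drift.changed[k][1]}" for k in drift.downgraded]
    if forbid_new_components:
        out += [f"new component: {k}@{v}" for k, v in sorted(drift.added.items())]
    return out


def render(drift: Drift) -> list:
    lines = [f"+ {k}@{v}" for k, v in sorted(drift.added.items())]
    lines += [f"- {k}@{v}" for k, v in sorted(drift.removed.items())]
    for k, (before, after) in sorted(drift.changed.items()):
        tag = "DOWNGRADE" if k in drift.downgraded else "change"
        lines.append(f"~ {k} {before} -> {after} ({tag})")
    return lines


if __name__ == "__main__":
    drift = compare(OLD_SBOM, NEW_SBOM)
    print("\n".join(render(drift)))
    raise SystemExit(1 if violations(drift) else 0)
```

Produce the inputs with syft on each build (for example `syft <image> -o cyclonedx-json=sbom.json`), keep the previous release's SBOM as the baseline, and run `violations()` as a pipeline gate. A fresh grype or trivy scan of the new image tells you which known CVEs it carries; the diff tells you what changed since the last known-good build, which is how a dependency quietly rolled back to a pre-fix version, or a package nobody added on purpose, gets noticed.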