Curated security tooling for shifting left and watching prod. Verdict tags: ★ default pick, solid, niche, commercial. Principle: free + open + in-CI beats expensive + manual. Scan code, deps, images, IaC, and secrets in the pipeline; watch runtime + cloud config in prod.
SAST — static code analysis
| Tool | Verdict | Review |
|---|---|---|
| Semgrep | ★ default | Fast, rule-based, multi-language; write custom rules in minutes. Low false-positive rate, great in CI. The default open SAST. |
| CodeQL | solid | GitHub's semantic analysis (data-flow). Deep, finds real vulns; heavier, free for public repos / GHAS for private. |
| SonarQube | solid | Quality + security gate with history/dashboards. Good for orgs wanting a single quality bar; noisier. |
| Bandit / gosec / brakeman | niche | Language-specific linters (Python/Go/Rails). Cheap to add per-stack. |
SCA — dependencies & SBOM
| Tool | Verdict | Review |
|---|---|---|
| Trivy | ★ default | One tool scans deps, images, IaC, secrets, and generates SBOM. Fast, free, CI-friendly. Start here. |
| Grype + Syft | solid | Grype = vuln scanner, Syft = SBOM generator (Anchore). Clean, composable, great SBOM output. |
| Dependabot / Renovate | ★ default | Automated dependency-update PRs. Renovate = more configurable; Dependabot = zero-setup on GitHub. |
| Snyk | commercial | Polished SCA + SAST + container, good fix advice + dev UX. Paid; generous free tier. |
| OWASP Dependency-Check | niche | Free, NVD-based; slower, more false positives. Fine when you can't add SaaS. |
SBOM is becoming mandatory
Generate an SBOM (Syft/Trivy, CycloneDX or SPDX) per build and store it. Increasingly required
for compliance + needed to answer "are we affected by CVE-X?" instantly across all artifacts.
Secret detection
| Tool | Verdict | Review |
|---|---|---|
| gitleaks | ★ default | Fast secret scanner for repos + history + pre-commit + CI. The default. |
| trufflehog | solid | Deep entropy + verified-secret detection (actually tests if a key is live). Great for audits. |
| GitHub secret scanning | solid | Built-in + push protection blocks commits with known token formats. Turn it on. |
Container & image security
| Tool | Verdict | Review |
|---|---|---|
| Trivy | ★ default | Image CVE scanning in CI + registry. Same tool as SCA — one less thing to learn. |
| Cosign (Sigstore) | ★ default | Sign + verify images/artifacts; keyless signing. Pair with admission policy to only run signed images. |
| Falco | solid | Runtime security — detects anomalous syscalls/behaviour in containers (CNCF). The open runtime-threat default. |
| Distroless / Chainguard images | ★ default | Minimal base images = tiny CVE surface, no shell. Best default base for prod. |
IaC & policy-as-code
| Tool | Verdict | Review |
|---|---|---|
| Checkov | ★ default | Scans Terraform/CloudFormation/k8s/Dockerfiles for misconfigs. Big rule set, easy CI. Default IaC scanner. |
| tfsec / Trivy config | solid | Terraform-focused (tfsec folded into Trivy). Fast, good defaults. |
| OPA / Gatekeeper | ★ (k8s) | Policy-as-code (Rego). Gatekeeper enforces in k8s admission; OPA for general decisions. The policy standard. |
| Kyverno | solid | k8s-native policy (YAML, no Rego). Easier than Gatekeeper for pure-k8s shops. |
DAST & web security
| Tool | Verdict | Review |
|---|---|---|
| OWASP ZAP | ★ default | Free DAST — scan a running app for web vulns; baseline scan fits in CI. Default open DAST. |
| Burp Suite | commercial | The pentester standard for manual web testing. Pro is paid; community is limited. |
| Nuclei | solid | Template-driven scanner for known CVEs/misconfigs across many hosts. Fast recon. |
Cloud posture (CSPM) & runtime
| Tool | Verdict | Review |
|---|---|---|
| Prowler / ScoutSuite | ★ default | Open CSPM — audit AWS/GCP/Azure config against CIS benchmarks. Run scheduled; great free baseline. |
| kube-bench / kube-hunter | solid | CIS benchmark + attack-surface checks for Kubernetes clusters. |
| Wiz / Orca / Lacework | commercial | Agentless cloud security platforms (CSPM + CWPP + CIEM). Excellent, pricey — for larger orgs. |
| Cloud-native (GuardDuty / SCC) | solid | Use your cloud's threat detection first — zero infra, decent coverage. |
Secrets management & encryption
| Tool | Verdict | Review |
|---|---|---|
| Cloud secret manager | ★ default | AWS SM / GCP Secret Manager / Azure KV — managed, IAM-scoped, rotated. |
| HashiCorp Vault | ★ (advanced) | Dynamic secrets, PKI, leasing, multi-cloud. Powerful, real ops cost. |
| SOPS + age/KMS | solid | Encrypt secrets in Git for GitOps. |
A sensible default stack
- In CI (every PR): Semgrep (SAST) + Trivy (deps/image/IaC/SBOM) + gitleaks (secrets) + Checkov (IaC).
- Supply chain: Syft SBOM + Cosign signing + admission policy (Kyverno/Gatekeeper) to run only signed images.
- Base images: distroless/Chainguard.
- Runtime: Falco (containers) + cloud-native threat detection.
- Cloud posture: Prowler scheduled against CIS benchmarks.
- Secrets: cloud secret manager (or Vault) — never in code/CI logs/images.
- Deps: Renovate/Dependabot auto-update PRs.
Shift left, but verify in prod
CI scanning catches known issues at build; it can't see runtime drift or new CVEs in deployed
images. Pair build-time scanning (Trivy/Semgrep) with runtime (Falco) + posture (Prowler) +
re-scan deployed images on new CVE data.
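The "are we affected by CVE-X?" query from the SBOM section and the "re-check deployed images on new CVE data" step above, as one added example (not from the page, nor from Syft or Trivy): a small Python script that loads one constructed CycloneDX SBOM per stored artifact and reports which artifacts ship a package version inside a constructed advisory's affected range. The advisory id, package name and version range are placeholders.

```python
"""Match stored CycloneDX SBOMs against a new advisory (added example)."""
import json
import re

# Constructed SBOMs: minimal CycloneDX JSON, one per built/deployed artifact.
SBOM_STORE = {
    "api:2024-05-01": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "openssl", "version": "3.0.11", "purl": "pkg:deb/debian/openssl@3.0.11"}]}),
    "worker:2024-05-03": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "openssl", "version": "3.0.13", "purl": "pkg:deb/debian/openssl@3.0.13"}]}),
    "web:2024-04-20": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "openssl", "version": "1.1.1w", "purl": "pkg:deb/debian/openssl@1.1.1w"}]}),
}

# Constructed advisory (placeholder id): ecosystem, package, [introduced, fixed) range.
ADVISORY = {"id": "CVE-XXXX-PLACEHOLDER", "type": "deb", "name": "openssl",
            "introduced": "3.0.0", "fixed": "3.0.12"}

def parse_version(v):
    """Turn '3.0.11' or '1.1.1w' into a comparable (numeric runs, letter tail) tuple."""
    nums = tuple(int(x) for x in re.findall(r"\d+", v))
    tail = re.sub(r"[\d.]", "", v)
    return nums, tail

def purl_type(purl):
    """Ecosystem part of a package URL: 'pkg:deb/debian/openssl@3.0.11' -> 'deb'."""
    return purl.split(":", 1)[1].split("/", 1)[0] if purl.startswith("pkg:") else ""

def is_affected(component, adv):
    """Same ecosystem and name, and version inside [introduced, fixed)."""
    if component.get("name") != adv["name"]:
        return False
    if purl_type(component.get("purl", "")) != adv["type"]:
        return False
    v = parse_version(component.get("version", ""))
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])

def affected_artifacts(store, adv):
    """Return {artifact: [affected versions]} across every stored SBOM."""
    hits = {}
    for artifact, raw in store.items():
        bom = json.loads(raw)
        vers = [c["version"] for c in bom.get("components", []) if is_affected(c, adv)]
        if vers:
            hits[artifact] = vers
    return hits

if __name__ == "__main__":
    for art, vers in affected_artifacts(SBOM_STORE, ADVISORY).items():
        print(f"{ADVISORY['id']}: {art} ships affected {ADVISORY['name']} {vers}")
```

Point a real store of per-build SBOMs at this and the answer comes from the records you already keep, with no image pull or re-scan on the critical path.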