# 2024 Open-Source Security Tools Roundup

By [Matt Johnson](https://www.paloaltonetworks.com/blog/author/matt-johnson/?ts=markdown "Posts by Matt Johnson") and [Steve Giguere](https://www.paloaltonetworks.com/blog/author/steve-giguere/?ts=markdown "Posts by Steve Giguere"), Jun 18, 2024, 8 minutes

[CI/CD](https://www.paloaltonetworks.com/blog/cloud-security/category/ci-cd/?ts=markdown) | [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown) | [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown) | [Open Source](https://www.paloaltonetworks.com/blog/tag/open-source/?ts=markdown)

We're quickly approaching the halfway point of 2024 and, with it, the advent of the summer security conference season. This got us thinking about our favorite go-to open-source security tools!
Whether we're building a cloud application security workshop or taking part in a [Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes) capture-the-flag, here are the tools we find ourselves wget-ing, brew installing, or yolo curling to bash. We've split our hot picks into three sections; whether you're an offensive security professional, a defender, or looking for the latest training and personal development goodies, you should find something that suits you.

## On the Defensive

Let's explore open-source security tools that empower organizations to build proactive defense strategies, fortifying their systems against an increasingly sophisticated array of cyberthreats. By utilizing these versatile tools, companies can enhance their threat detection and response capabilities, ensuring a resilient security posture.

### OpenSSF Scorecard

Victory loves preparation, as they say, and security preparation is no exception! We often see small teams or individuals stuck with the question, "What's the first security step?" The [OpenSSF Scorecard](http://securityscorecards.dev) project gets a special mention here, especially now that its checks are automated for repeat testing of your repository in [CI/CD](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security). The simplicity of a project that checks for a variety of security issues for OSS maintainers, plus the growing community around it, is a great step toward better security mindfulness and understanding.

### Cosign by Sigstore

Unless you've been living in a bunker for the past couple of years, you are now well aware of the risks supply chain attacks pose to our modern technology ecosystems. While it's not the most exciting of topics, it may be one of the most important. [Cosign](http://github.com/sigstore) gets a mention here because it reduces the barrier and complexities traditionally associated with building and maintaining your own code signing solution (CA certs, request APIs, transparency logs, etc.). Out of the box, it uses keyless signing based on a publicly viewable transparency log. While binary and artifact signing isn't the be-all and end-all of security, it's an important piece that we should include in our builds. Signed artifacts build a good foundation for other important factors, such as CI security, so read on for tools that will help you to trust your signing pipelines.

### Checkov by Prisma Cloud

OK, so we're a little biased, but [Checkov](http://github.com/bridgecrewio/checkov) remains one of the industry's go-to tools for infrastructure as code, secrets and more. Let's face it, not many tools can improve your DevOps security posture as quickly, nor do many include configuration files you can tailor to each repository and a baseline feature to block only newly discovered issues in CI. Checkov is a great open-source cloud security multitool.

#### The New, Free Prisma Cloud IDE Plugin

After community feedback, we've removed the need for an API key to use the Checkov scanning features of the VSCode Prisma Cloud plugin (support for the IntelliJ plugin is coming soon!). You can now have your Kubernetes and infrastructure as code annotated as you edit, which also lets you quickly create inline suppressions on a per-policy basis!

### TruffleHog

In the words of Truffle Security, "[TruffleHog™](http://github.com/trufflesecurity/trufflehog) is a \[open-source\] secrets scanning tool that digs deep into your code repositories to find secrets, passwords and sensitive keys." It can of course scan GitHub repositories, performing complex multibranch analysis, but it can also dig into S3 buckets, filesystems and Docker images in a flash.

```
✅ Found verified result
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIAXYZDQCEN4B6XXXX
Resource_type: Access key
Account: 534212345678
...
```
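For the Cosign section above: keyless signing means any OIDC identity can obtain a signing certificate, so a verifier has to pin the issuer and the signer identity rather than accept "a valid signature". This added example (not code from the post or from the Sigstore project) wraps `cosign verify` with that pinning and re-checks the JSON payload it returns; the issuer, identity pattern, image reference and digest are constructed placeholders.

```python
"""Pin the signer identity when verifying a Cosign keyless signature.

Added example, not code from the blog post or from the Sigstore project.
Assumes cosign v2 is on PATH. The issuer, identity pattern, image reference
and digest below are constructed placeholders; replace them with your own.
"""
import json
import re
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedSigner:
    issuer: str          # OIDC issuer that minted the signing certificate
    identity_regex: str  # which workload identity may sign (full-match regex)


# Constructed sample: what `cosign verify -o json` prints for one signature.
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_PAYLOAD = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "registry.example.com/app"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/v1.2.3",
    },
}])
TRUSTED = TrustedSigner(
    issuer="https://token.actions.githubusercontent.com",
    identity_regex=r"https://github\.com/example-org/app/\.github/workflows/release\.yml@refs/tags/v[0-9.]+",
)


def check_payloads(payloads_json: str, signer: TrustedSigner, digest: str) -> list[str]:
    """Re-check cosign's JSON output; returns rejection reasons (empty list = accept).

    Keyless signing means anyone with an OIDC identity can get a certificate,
    so a signature only means something once issuer and identity are pinned.
    """
    try:
        payloads = json.loads(payloads_json)
    except json.JSONDecodeError as exc:
        return [f"output is not JSON: {exc}"]
    if not isinstance(payloads, list) or not payloads:
        return ["no signature payloads returned"]
    problems = []
    for i, p in enumerate(payloads):
        opt = p.get("optional") or {}
        got_digest = p.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        if got_digest != digest:
            problems.append(f"sig {i}: digest {got_digest} != {digest}")
        if opt.get("Issuer") != signer.issuer:
            problems.append(f"sig {i}: issuer {opt.get('Issuer')!r} not trusted")
        subject = opt.get("Subject") or ""
        if not re.fullmatch(signer.identity_regex, subject):
            problems.append(f"sig {i}: identity {subject!r} not allowed")
    return problems


def verify_image(image_ref: str, digest: str, signer: TrustedSigner) -> list[str]:
    """Run `cosign verify` pinned by digest, issuer and identity, then re-check its output."""
    cmd = ["cosign", "verify",
           "--certificate-oidc-issuer", signer.issuer,
           "--certificate-identity-regexp", signer.identity_regex,
           "-o", "json", f"{image_ref}@{digest}"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return [f"cosign verify failed: {proc.stderr.strip()}"]
    return check_payloads(proc.stdout, signer, digest)
```

Verifying by digest rather than tag is what ties the signature to the exact bytes you deploy; a tag can be moved to a different, unsigned image at any time.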
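For the TruffleHog output just shown: the "verified" flag is what separates a live credential from noise, and the raw value should never be echoed into CI logs. This added example (not code from the post or from Truffle Security) turns TruffleHog's `--json` output into a redacted summary and a pass/fail decision for a pipeline; the JSON field names it reads and the sample records are assumptions, labelled in the code.

```python
"""CI gate over TruffleHog's JSON output: fail the build only on verified
secrets, and keep the raw secret out of build logs and summaries.

Added example, not code from the blog post or from Truffle Security.
Assumes trufflehog v3 on PATH and its `--json` output (one object per line
with DetectorName, Verified, Raw and SourceMetadata fields); treat those
field names as an assumption to confirm against your installed version.
"""
import json
import subprocess
from typing import Iterable

# Constructed sample: one verified AWS finding (the kind shown in the post),
# one unverified hit, and a non-JSON status line to show it is skipped.
SAMPLE_OUTPUT = "\n".join([
    "2024-06-18T10:00:00Z info trufflehog running source ...",
    json.dumps({"DetectorName": "AWS", "Verified": True,
                "Raw": "AKIAXYZDQCEN4B6XXXX",
                "SourceMetadata": {"Data": {"Git": {"file": "config/prod.env", "line": 3}}}}),
    json.dumps({"DetectorName": "Generic", "Verified": False,
                "Raw": "hunter2",
                "SourceMetadata": {"Data": {"Git": {"file": "README.md", "line": 12}}}}),
])


def summarize_findings(lines: Iterable[str]) -> dict:
    """Parse JSON-lines output into a redacted summary.

    Returns {"verified": [...], "unverified": <count>}. The raw value is
    reduced to a 4-character prefix so the summary is safe to print.
    """
    verified, unverified = [], 0
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip blank lines and any non-JSON status lines
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "DetectorName" not in rec:
            continue
        if not rec.get("Verified"):
            unverified += 1  # unverified hits are noise for a blocking gate
            continue
        raw = rec.get("Raw") or ""
        verified.append({
            "detector": rec["DetectorName"],
            "hint": raw[:4] + "..." if raw else "",
            "where": rec.get("SourceMetadata", {}),
        })
    return {"verified": verified, "unverified": unverified}


def should_fail(summary: dict) -> bool:
    """Block the pipeline only when a secret was confirmed live."""
    return bool(summary["verified"])


def scan_repo(path: str = ".") -> dict:
    """Scan a local git checkout with trufflehog and summarize the result."""
    proc = subprocess.run(["trufflehog", "git", f"file://{path}", "--json"],
                          capture_output=True, text=True)
    return summarize_findings(proc.stdout.splitlines())
```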
### Kubescape

[Kubescape](http://github.com/kubescape/kubescape) is a CNCF [Sandbox](https://www.paloaltonetworks.com/cyberpedia/sandboxing) project designed to run as part of your CI/CD pipeline, protecting your cluster with a Kubernetes operator for ongoing scanning of existing cluster workloads.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-323506-2.png)

While Kubernetes doesn't exist in a vacuum, and cloud infrastructure, [data security](https://www.paloaltonetworks.com/cyberpedia/what-is-data-security) and API security must be considered, Kubescape earns its place on this list as a great starting point for CNCF-backed [Kubernetes security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security). We especially like how it highlights the high-stakes workloads that pose the most post-exploitation risk to the cluster (as you know, we like context here!).

### Trivy

The brainchild of [Teppei Fukuda](https://github.com/knqyf263), Trivy went from relative obscurity to having over 21.7K stars (at the time of writing) and becoming the de facto open-source scanner for images. Its differentiating feature is speed. Trivy achieves this by caching vulnerability signatures locally and only downloading occasional delta updates on each execution. Since its inception as a container image scanner, its feature set has expanded to hunt for known vulnerabilities, misconfigurations and secrets, and now covers:

* Filesystem
* Git repositories (remote)
* VMs
* Kubernetes
* [SBOMs](https://www.paloaltonetworks.com/cyberpedia/what-is-software-bill-materials-sbom)
* Terraform

[Trivy](http://github.com/aquasecurity/trivy) even has an interesting client/server mode. It allows a single instance to act as a server that hosts the vulnerability database in one location, while Trivy clients can reference it via a server flag to avoid multiple local copies of the database.
While the IaC coverage may not match Checkov's breadth and depth, and the secret scanning may not reach the diversity of TruffleHog, Trivy has become an excellent image scanner. Additionally, it's matured into a Swiss Army knife for the open-source security community.

### Cilium

[Cilium](http://cilium.io) is a great place to start when you move from a single-node dev cluster to real Kubernetes workloads and need answers to "what's going on in my cluster?".

### BadRobot by ControlPlane

The first of a number of ControlPlane OSS goodies in this list. [BadRobot](http://github.com/controlplaneio/badrobot) performs static security tests, specifically against Kubernetes operator manifests, as operators are often deployed with a lot of access to the cluster.

BadRobot `README.md` excerpt:

> ***The risk analysis that BadRobot evaluates is primarily focused on the likelihood that a compromised Operator would be able to carry out privilege escalation and obtain full control over every resource in the cluster and in all namespaces.***

## Let's Put Our Black Hats On

Now let's look at tools that can be used to identify vulnerabilities, simulate attacks and enhance your overall security posture, turning potential threats into valuable learning opportunities.

### AmIContained

Have a shell? In a container? Manually finding and translating information about your shell's permissions is a pain. [AmIContained](http://github.com/genuinetools/amicontained) will do the hard work for you: capabilities, blocked syscalls, and whether AppArmor and seccomp are enabled.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-323506-3.png)

As a second benefit, trying to fetch it from the web also tells you if you have outbound network connectivity. As far as we are aware, there isn't an official distribution by DNS TXT record.

### ZAP

Sometimes you just need to see what's going on between a client and server, maybe mess around with a payload or two and see what sticks.
While [ZAP](http://zaproxy.org) has many more advanced features than that, it's still a go-to when you need to debug something outside a browser. It's also worth noting that their documentation and community are first rate. We're also big fans of the OWASP community, for which ZAP is a flagship project.

## Training & Development

In the ever-evolving landscape of cybersecurity, leveraging open-source security tools for training and development has become essential for organizations aiming to enhance their defenses and stay ahead of potential threats. These tools not only provide cost-effective solutions but also offer extensive community support and adaptability, making them invaluable for building robust security protocols.

### CI/CD Goat

The rise in supply chain attacks, such as SolarWinds and the Linux SSH XZ near-miss, emphasizes that the security of pipelines and build tooling is as critical as that of production systems. To this end, [CI/CD Goat](http://github.com/cider-security-research/cicd-goat) provides a testing range of intentionally vulnerable CI/CD configurations, all created using infrastructure as code to form an isolated security training ground.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-323506-4.png)

### Kubernetes Goat

A great place to get started with offensive Kubernetes security, [Kubernetes Goat](http://github.com/madhuakula/kubernetes-goat) is a purposely vulnerable set of Kubernetes deployments, cluster setups and training materials for exploring common Kubernetes security issues. It also serves as a great repository for testing other Kubernetes-capable security scanners, such as Checkov and Kubescape.

### Simulator by ControlPlane

[Simulator](http://github.com/controlplaneio/simulator) is a Kubernetes security testing automation and simulation tool that powers all official CNCF SecurityCon and KubeCon capture-the-flags.
They're always a highlight of the shows for me, with amazing insights from the ControlPlane team. It's awesome to see tools like this being made open source, and I'm looking forward to using it for our own learning and training exercises.

## Learn More

We hope you enjoyed scouting out our OSS shortlist. Don't forget to check out our new [open-source page](https://www.paloaltonetworks.com/prisma/cloud/open-source-projects) for Palo Alto Networks projects, community contributions and more.

And whether you're new to containers or a cloud-native veteran, you'll want to download a copy of [The Definitive Guide to Container Security](https://www.paloaltonetworks.com/resources/ebooks/container-security-definitive-guide), your essential resource for implementing and mastering security in a containerized environment. This book-length guide lays out in-depth insights and practical advice to empower developers, DevOps, cloud teams and security professionals to effectively protect their cloud-native applications.