Try to fit all these tools inside #3

Open
mattaereal opened this issue Oct 1, 2024 · 2 comments
Assignees
Labels
enhancement New feature or request

Comments

@mattaereal
Collaborator

  • GitHub analysis (fake profiles, OSINT):
    • gitxray: A multifaceted security tool that leverages Public GitHub REST APIs for OSINT, Forensics, Pentesting and more.
    • gh-fake-analyzer: Dump github profile data for analysis.
  • Only Secrets:
    • Previous to commit:
      • git-secrets: Works along with git, preventing secrets from being pushed to a repo.
    • Post commit:
  • Vulnerability scanners:
    • trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
    • clair: Vulnerability Static Analysis for Containers
    • snyk: Snyk CLI scans and monitors your projects for security vulnerabilities.
    • grype: A vulnerability scanner for container images and filesystems
    • falco: Cloud Native Runtime Security.
  • Static analysis:
    • semgrep: Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.
  • Misconfigurations:
    • legitify: Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
    • kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx. Scan free up to 4mb repositories.
  • GitHub actions:
    • harden-runner: Network egress filtering and runtime security for GitHub-hosted and self-hosted runners
    • secure-repo: Orchestrate GitHub Actions Security
    • wait-for-secrets: 2fa for GHA
    • generic: A set of GitHub actions for checking your projects for vulnerabilities
  • Container and/or cloud specific:
    • kube-bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
    • checkov: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
    • scoutsuite: Multi-Cloud Security Auditing Tool
    • pmapper: A tool for quickly evaluating IAM permissions in AWS.
    • hadolint: Dockerfile linter.
  • Dependency & lib checkers:
    • DependencyCheck: OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
    • retirejs: scanner detecting the use of JavaScript libraries with known vulnerabilities. Also generates an SBOM of the libraries it finds.
    • npm audit: This built-in npm command checks for vulnerabilities in your installed packages.
    • installed-check: This tool verifies that installed modules comply with the requirements specified in package.json, ensuring that you are not using incompatible or potentially insecure versions of dependencies.
    • better-npm-audit: The goal of this project is to provide additional features on top of the existing npm audit options
    • eslint-plugin-security: ESLint rules for Node Security.
    • eslint-plugin-no-unsanitized: Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and alike
    • eslint-plugin-no-secrets: An eslint plugin to find strings that might be secrets/credentials.
    • node-version-audit: Node Version Audit is a convenience tool to easily check a given Node.js version against a regularly updated list of CVE exploits, new releases, and end of life dates.
    • yarn-audit-fix: The missing yarn audit fix.
    • better-npm-audit: The goal of this project is to provide additional features on top of the existing npm audit options. We hope to encourage more people to do security audits for their projects.
    • nodejsscan: a static security code scanner for Node.js applications.
    • lavamoat: tools for sandboxing your dependency graph.
@mattaereal mattaereal added the enhancement New feature or request label Oct 1, 2024
@mattaereal mattaereal self-assigned this Oct 1, 2024
@mattaereal
Collaborator Author

Maybe not scoutsuite, since this is not intended to be run inside a cloud.

@reynico
Copy link
Collaborator

reynico commented Oct 3, 2024

I'd convert the bulleted list into a TO-DO list to check each tool for the same issue!
