24 open source tools compared. Sorted by stars — scroll down for our analysis.
| Tool | Description | Stars | Velocity | Score |
|---|---|---|---|---|
| Vaultwarden | Lightweight Bitwarden-compatible server | 58.0k | +437/wk | 74 |
| Pi-hole | Network-wide ad blocking DNS | 56.4k | +98/wk | 79 |
| Vault | Secrets management and encryption as a service | 35.3k | +55/wk | 69 |
| Trivy | Vulnerability, misconfiguration, and secrets scanner | 34.4k | +147/wk | 77 |
| Gitleaks | Find secrets with Gitleaks | 25.8k | +122/wk | 79 |
| Infisical | Open source secret management platform | 25.7k | +124/wk | 79 |
| TruffleHog | Find and verify leaked credentials | 25.5k | +286/wk | 71 |
| SOPS | Simple and flexible tool for managing secrets | 21.4k | +83/wk | 76 |
| SafeLine | Web application firewall (WAF) | 21.0k | +32/wk | 82 |
| CrowdSec | Participative open-source security engine | 13.0k | +68/wk | 77 |
| Falco | Cloud native runtime security | 8.8k | +28/wk | 75 |
| Mitmproxy | Intercepts, inspects, and modifies HTTP/HTTPS traffic | 5.3k | +11/wk | 71 |
| Teller | Secrets multiplexer across multiple secret stores | 3.2k | +4/wk | 71 |
| zeroboot | Sub-millisecond VM sandboxes for AI agents via copy-on-write forking | 2.1k | +66/wk | 75 |
| ggshield | Secret and IaC misconfiguration scanner for Git hooks and CI | 1.9k | +2/wk | 67 |
| for-open-source | Get a 1Password team account for free to support your open source initiatives! | 1.9k | — | 67 |
| leak-check | Personal information leak detection API | 1.9k | — | 55 |
| nono | Kernel-enforced agent sandbox and security CLI/SDKs with capability-based isolation. | 1.7k | +271/wk | 65 |
| eth-phishing-detect | Utility for detecting phishing domains targeting Web3 users | 1.3k | — | 74 |
| darksword-kexploit | iOS <=26.0.1 DarkSword Kernel Exploit reimplemented in Objective-C | 1.2k | +151/wk | 59 |
|  | Official collection of Vault example code and tutorials | 1.1k | — | 68 |
|  | Claims to be a GPT-based hacking/security tool | 911 | +2/wk | 59 |
| fence | Lightweight, container-free sandbox for running commands with network and filesystem restrictions. | 594 | +13/wk | 60 |
| VaultSharp | .NET client library for HashiCorp Vault | 536 | — | 61 |
Vaultwarden is a lightweight, unofficial Bitwarden-compatible server written in Rust. It uses the same Bitwarden apps and browser extensions but runs on a fraction of the resources. A Raspberry Pi handles it fine. AGPL v3. Implements the Bitwarden API so all official Bitwarden clients (desktop, mobile, browser extensions, CLI) connect to it without issues. Supports organizations, password sharing, TOTP (two-factor codes), file attachments, and the Send feature, all features that Bitwarden's official server gates behind paid plans. Fully free to self-host. No paid tier. Features that cost $10/year on Bitwarden's hosted service (TOTP, emergency access, vault health reports) are free on Vaultwarden. Premium features unlocked for everyone. Setup: Docker container with a SQLite database. Takes 10 minutes. Runs on 50MB of RAM. Ops: minimal. Update the container occasionally, back up the SQLite file. Solo and family use: this is a no-brainer if you're comfortable with Docker. Small teams: works great with organizations feature. The catch: it's an unofficial implementation. Bitwarden could change their API and break compatibility (hasn't happened in years, but the risk exists). There's no commercial support. And if you lose your server without backups, your passwords are gone. Backups are not optional. Automate them.
Pi-hole blocks ads at the network level before they ever reach your screen, covering every device on your network: phones, smart TVs, tablets, everything. Instead of installing ad blockers on each device, you point your router's DNS to a Pi-hole server and it filters ad domains for your entire network. Community-driven; runs on a Raspberry Pi or any Linux box. It works as a DNS sinkhole: when a device tries to resolve an ad domain, Pi-hole answers with a null address instead of the real one, so the ad never loads. You get a web dashboard showing every DNS query, which devices are chatty, and what's being blocked. Most users see 20-40% of all DNS queries blocked. Fully free. No paid tier, no premium features, no cloud version. Donations accepted but nothing is gated. Setup takes 30 minutes if you've never touched a command line. Ongoing ops: almost zero. It just runs. Updates are a single command. The only real maintenance is occasionally whitelisting a domain that got caught in a blocklist. Solo home users: install it, forget about it. Small offices: works great on a shared network. The catch: it can't block ads embedded in the same domain as content (like YouTube ads served from youtube.com). For that, you still need a browser extension like uBlock Origin. And if you misconfigure it, every device on your network loses DNS resolution, so don't experiment on a Friday night.
Vault is the industry standard for managing secrets: API keys, database passwords, encryption keys, anything that shouldn't live in environment variables or config files. It stores secrets, controls who can access them, rotates them automatically, encrypts data, and logs every access. It's a bank vault for your application secrets. Built by HashiCorp, it is the most widely deployed secrets management tool in production infrastructure. The catch: HashiCorp relicensed Vault from MPL to BSL (Business Source License) in 2023. You can still self-host for free for your own use, but you cannot offer Vault as a managed service competing with HashiCorp. This triggered the OpenBao fork. Also, Vault is powerful but complex; setting up HA (high availability), configuring auth methods, managing policies, and operating the unsealing process requires real infrastructure knowledge. This is not a 'docker run and forget' tool.
Trivy scans everything in your stack for vulnerabilities: container images, filesystems, Git repos, Kubernetes clusters and configs, AWS accounts, Terraform configs, and other cloud infrastructure. One tool, one command, comprehensive results. It's a security X-ray machine. Point it at anything in your stack and it tells you what's vulnerable, misconfigured, or leaking secrets. It checks against multiple vulnerability databases and updates them automatically. Apache 2.0, backed by Aqua Security. The most popular open source security scanner in the container ecosystem. The catch: Trivy finds problems; it doesn't fix them. You'll get a list of CVEs and misconfigurations, and then it's on you to remediate. At scale, the volume of findings can be overwhelming without a management layer on top. Aqua's commercial platform provides that management layer, which is exactly the upsell.
Gitleaks runs locally or in CI, checks every commit, and flags anything that looks like a credential. MIT license, Go. Fast. Scans entire repositories in seconds. Comes with 150+ built-in rules for common secret patterns: AWS keys, Stripe tokens, private keys, JWTs. You can add custom rules via a TOML config. Runs as a pre-commit hook or in GitHub Actions, GitLab CI, any pipeline. The CLI tool is fully free and open source. Gitleaks also offers a commercial SaaS product at gitleaks.io with team dashboards and centralized management, but the core scanner is the same. For solo developers and small teams: install it, add the pre-commit hook, done. Five minutes of setup, zero ongoing cost. Medium to large teams might want the commercial dashboard for visibility across repos. The catch: Gitleaks finds secrets, but it doesn't revoke them. When it flags a leaked AWS key, you still need to rotate it yourself. And regex-based detection means false positives happen; high-entropy strings in test fixtures will trigger alerts. You'll spend some time tuning your .gitleaks.toml allowlist.
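The custom-rule and allowlist tuning described above, as an added example that is not part of the original page or the Gitleaks project: a `.gitleaks.toml` that keeps the built-in rules, adds one rule for a hypothetical internal token format, and scopes test fixtures and placeholder values out of the results. The `svc_` token pattern, the rule id and the paths are assumptions.

```toml
# .gitleaks.toml (added example; the rule id, token pattern and paths are assumptions)
title = "project gitleaks config"

# Keep the built-in rule set and add to it rather than replacing it.
[extend]
useDefault = true

# Custom rule for a hypothetical internal service token: "svc_" followed by 32 hex chars.
[[rules]]
id = "internal-service-token"
description = "Hypothetical internal service token"
regex = '''\bsvc_[0-9a-f]{32}\b'''
# Keywords let the scanner skip files that cannot match, which keeps scans fast.
keywords = ["svc_"]
tags = ["internal", "token"]

# Global allowlist: trims false positives without switching rules off.
[allowlist]
description = "Known non-secrets"
# High-entropy strings in test fixtures trigger alerts; scope them out by path.
paths = [
  '''tests/fixtures/.*''',
  '''(.*)?\.lock$''',
]
# Placeholder values used in docs and sample config are not findings.
regexes = [
  '''EXAMPLE_NOT_A_REAL_KEY''',
]
# A match is dropped when the matched secret contains one of these substrings.
stopwords = ["example", "placeholder"]
```

Point the scanner at it with `gitleaks detect --config .gitleaks.toml` for a repository scan, or `gitleaks protect --staged` in the pre-commit hook.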
Infisical manages your secrets: API keys, database passwords, environment variables, across all your projects and environments. It replaces scattered .env files with a central platform that has versioning, access control, audit logs, and native integrations with Kubernetes, Docker, and CI/CD pipelines. MIT-licensed, free to self-host. Docker Compose setup with Postgres and Redis. The web UI is genuinely good. CLI syncs secrets to local environments. Native Kubernetes operator handles pod injection. The setup is far less operationally complex than Vault, which is the point. Engineering teams with dozens of services and no secrets management discipline will get immediate value. The free self-hosted tier has no artificial limits. Infisical Cloud starts at around 6 USD/month per user for those who want managed hosting. The catch: for teams that need the full Vault feature set (PKI, dynamic secrets, hardware security modules), Infisical does not cover it. It is the right tool for application secrets; it is not a full secret engine.
TruffleHog finds leaked secrets in your code (API keys, passwords, tokens) and verifies whether they're actually live and valid. That's the key difference from other secret scanners. Instead of flagging every high-entropy string, TruffleHog checks if that AWS key still works, if that Slack token is active, if that database password connects. AGPL v3, Go. Scans Git repos, GitHub/GitLab orgs, S3 buckets, Docker images, and filesystems. 800+ credential detectors with built-in verification. The CLI is fast and the output tells you exactly which secrets are verified-active vs. unverified. The open source CLI is free under AGPL. TruffleSecurity offers an Enterprise platform with a dashboard, API, team management, and continuous monitoring. Pricing is custom. For solo developers and small teams: the CLI is everything you need. Run it on your repos, pipe it into CI, done. Medium teams: the CLI still works, but the Enterprise dashboard adds visibility. Large teams: Enterprise for org-wide scanning and compliance reporting. The catch: AGPL license. If you're building a product that incorporates TruffleHog, the copyleft terms require you to open source your code. For internal use it doesn't matter, but SaaS products need to be careful. Also, verification means TruffleHog actually attempts to authenticate with found credentials. In rare cases, this could trigger rate limits or account lockouts on the service being tested.
SOPS encrypts secret values in your config files while leaving field names in plain text, so you can safely store secrets in git. You can see that a file has a `database_password` field, but the value is encrypted gibberish until you decrypt it. This is elegant because your secrets live in version control alongside your code. No separate secrets server, no external service, no extra infrastructure. The encrypted files are diffable in git. You can see that someone changed the database password even though you can't read the new value. SOPS supports AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, and age (a simple file-based key) for encryption. It works with YAML, JSON, ENV, and INI files. The workflow: edit the file with `sops secrets.yaml`, it decrypts in your editor, you make changes, it re-encrypts on save. The catch: SOPS is for storing secrets, not managing access to them. There's no audit log of who accessed what, no dynamic credential rotation, no fine-grained permissions. For a team of 3 sharing a dozen secrets, SOPS is perfect. For a team of 50 with compliance requirements, you need Vault. Also, key management is on you; if you lose your encryption key and don't have KMS, your secrets are gone forever.
SafeLine is a web application firewall (WAF) that sits in front of your servers and filters malicious requests: SQL injection, XSS, bot traffic, credential stuffing. It's a bouncer for your web traffic that inspects every request before it reaches your app. GPL v3, Go. Uses a semantic analysis engine (not just regex pattern matching) to detect attacks, which means lower false positives than traditional WAFs. Dashboard shows traffic stats, blocked threats, and lets you configure rules. Supports reverse proxy mode. Drop it in front of Nginx or any web server. The community edition is free. Docker install, configure your upstream servers, and it's running. Basic WAF protection, bot detection, rate limiting, and IP blocking included. A pro/enterprise version exists with advanced features like enhanced bot protection, API security, and priority support. Pricing isn't publicly listed. Contact sales. Solo developers: free community edition is solid for protecting personal projects and small apps. Small teams: free edition handles most threats. Medium to large: evaluate the pro version for advanced bot protection and API security, or consider Cloudflare WAF if you're already using their CDN. The catch: you're adding another hop in your request chain. Latency increases slightly. The community edition's rule set is less comprehensive than Cloudflare or AWS WAF. And the GPL v3 license means modifications must be open-sourced, which matters if you're integrating it deeply into proprietary infrastructure.
CrowdSec analyzes your server logs, detects attack patterns, and shares threat intelligence with the community. Basically fail2ban on steroids with a global blocklist that everyone contributes to. MIT license, Go. It reads your logs (Nginx, SSH, WordPress, anything), detects attack patterns using community-written scenarios, and takes action: blocking IPs via your firewall, Cloudflare, AWS Security Groups, or a dozen other bouncers. The crowd-sourced threat intelligence means an IP that attacks someone else gets flagged before it hits you. Free tier: the Security Engine (detection + local decisions) is fully free. The community blocklist (crowd-sourced IP reputation) is free. Self-host everything. Paid: CrowdSec Console premium starts around $20/mo per server for advanced dashboards, custom blocklists, and priority threat feeds. Enterprise pricing is custom. Solo: install the free tier on your VPS, block 90% of automated attacks for $0. Small teams (2-10): free tier covers most needs. Pay $20/server/month when you want centralized dashboards across multiple servers. Large teams: enterprise plan for fleet management and custom threat feeds. The catch: CrowdSec depends on accurate log parsing. If your app logs in a non-standard format, you'll write custom parsers. And the community blocklist, while useful, can produce false positives. A shared hosting IP getting flagged because of one bad tenant affects everyone on that IP.
Falco monitors Linux system calls in real time and alerts you when something unexpected happens: a container spawning a shell, a process reading sensitive files, a network connection to an unusual destination. It's a security camera for your Linux kernel. It sees everything a process does because it hooks into the kernel via eBPF. The open source version is free under Apache 2.0. CNCF graduated project. You get real-time threat detection, a rich rule engine, hundreds of pre-built rules for common attack patterns, and output to any alerting system (Slack, PagerDuty, syslog, etc.). Sysdig (the company that created Falco) sells Sysdig Secure, which adds a management UI, compliance dashboards, image scanning, and enterprise support. That's the commercial product. Falco itself has no enterprise tier. Self-hosting is the only option. Install Falco on each host or as a DaemonSet in Kubernetes. The eBPF probe needs a kernel that supports it (5.8+ for best results). Initial setup is straightforward; tuning the rules to reduce false positives is where the real work starts. Solo developers: overkill unless you're running production containers with sensitive data. Small teams: install it on your Kubernetes cluster and configure Slack alerts. Cheap insurance. Growing teams: essential. Runtime security detection is a gap most teams don't fill until something bad happens. The catch: out-of-the-box rules are noisy. You'll get alerts for normal container behavior until you tune the rules for your environment. Budget a few days for tuning, or you'll learn to ignore the alerts, which defeats the purpose.
Mitmproxy intercepts, inspects, and modifies HTTP/HTTPS traffic between your applications and the internet in real time. It's a tool that demonstrates why SMS and TOTP-based 2FA aren't as secure as people think. Fully free. No paid tier. This is a security research tool, not a commercial product. Set it up, point it at a target domain, and it automatically mirrors the real site while capturing everything the user types, including one-time 2FA codes. The catch: this is a double-edged sword. It's designed for authorized penetration testing only. Using it against targets without permission is illegal. The project hasn't been actively maintained, and modern phishing-resistant methods like WebAuthn/passkeys defeat it entirely. If you're a defender, this tool shows you exactly why you should be pushing your org toward hardware security keys instead of SMS codes.
Teller unifies multiple secret stores behind one CLI and one config file. It's a secrets multiplexer. Map your environment variables to any combination of secret stores, and Teller fetches them at runtime. `teller run -- node app.js` injects secrets into your process without them ever touching disk. It also syncs between providers: pull from Vault, push to AWS, or vice versa. Apache 2.0, written in Rust. No paid tier, no cloud version. The catch: Teller solves a real problem but it's a niche one. If you only use one secrets manager, you don't need it. Just use that provider's SDK. The value shows up when you have secrets scattered across 3+ providers and need one workflow. The community is small and the tool is emerging. Don't bet critical infrastructure on it without evaluating the bus factor. For a more established approach, look at how Infisical or HashiCorp Vault handle multi-source aggregation.
Zeroboot spins up virtual machine sandboxes in under a millisecond using copy-on-write forking. That speed matters because agents need to spin up and tear down environments constantly, and traditional VMs take seconds to minutes. Sub-millisecond means your agent can create a fresh isolated environment for every single command it runs. No leftover state, no risk of one task contaminating another. It's like giving your agent a brand new computer for every action. Apache 2.0 licensed, Rust. The catch: this is Linux-only (it relies on kernel-level VM features). No macOS, no Windows. The sub-millisecond claim is for the VM fork. Actual workload startup depends on what you're running inside. And the community is small. If you hit an edge case, you're likely on your own.
Ggshield catches committed secrets before they reach your remote repository. It scans your commits for secrets (API keys, passwords, certificates, private keys) and blocks the push if it finds any. Picture a pre-commit hook that prevents your worst 'oh no' moments. MIT license, Python CLI. Runs as a Git hook, in CI/CD pipelines, or as a standalone scanner. Uses GitGuardian's detection engine, which recognizes 400+ types of secrets. Also scans for infrastructure-as-code misconfigurations (Terraform, CloudFormation, Kubernetes). The free tier covers individual developers: unlimited local scanning, and up to 25 developers on GitGuardian's platform with basic features. Paid plans start at $60/developer/month for teams, which adds historical scanning, dashboards, incident management, and remediation workflows. Solo developers: free, and you should install it today. There's no reason not to have secret detection in your Git hooks. Small teams (2-25): free tier covers you. Growing teams: $60/dev/mo adds value when you need historical scanning and incident workflows. Large orgs: enterprise pricing for SAML SSO, custom detectors, and API access. The catch: the real power is in GitGuardian's cloud platform, not just the CLI. The free CLI scans current commits, but finding secrets already buried in your Git history requires the paid platform. TruffleHog and Gitleaks are fully free alternatives that scan history locally; they are less polished, but there's no per-developer pricing.
This is not a tool you install. It's 1Password's program that gives free team accounts to open source projects. If you maintain an open source project and need to share API keys, deployment credentials, or service passwords with contributors, this gets you a 1Password Teams account at no cost. The application is straightforward: submit your open source project, demonstrate active maintenance, and 1Password provides a free team account with all the premium features: shared vaults, access controls, and the 1Password CLI for CI/CD integration. This matters because open source projects constantly struggle with credential management. Sharing secrets over Discord DMs or unencrypted emails is how breaches happen. A proper password manager with team vaults is the right answer. The catch: this is a proprietary product offered for free, not open source software. 1Password itself is closed-source. If 1Password changes or ends this program, you'd need to migrate. And the free tier is specifically for open source teams; your startup or side business doesn't qualify. For an actually open source password manager, Vaultwarden (self-hosted Bitwarden) is the alternative. It's more work to set up but you own everything.
A personal information leak detection tool that checks whether your email, phone, or other personal data has been exposed in known data breaches. An open source alternative to HaveIBeenPwned that you can run yourself. The interface is in Chinese, built for the Chinese developer community. It queries breach databases to find matches against your personal identifiers and reports what was exposed and when. The catch: the breach databases it checks may not cover all sources. HaveIBeenPwned has broader coverage of international breaches. Running your own leak checker means you trust the data sources it queries, and those sources vary in reliability. If you just need a quick check, HaveIBeenPwned is more comprehensive. This tool is better if you want to run checks programmatically or self-host the capability.
Nono provides a kernel-enforced sandbox for agents. It's a capability-based sandbox where you explicitly grant each permission an agent gets. Basically, it's a bouncer for your operating system: the agent only gets through the doors you open. Capability-based means instead of blocking bad things (which requires knowing all bad things), you whitelist good things. The agent can only access files, network, and system calls you explicitly allow. Everything else is denied at the kernel level. Apache 2.0 licensed, Rust. The catch: kernel-level enforcement means Linux only, no macOS, no Windows. The capability model requires you to think carefully about what permissions each agent needs, which is more work upfront than just running Docker. And the documentation and community support are thin.
This is MetaMask's phishing detection library. It maintains a blocklist of known phishing domains targeting crypto users and a fuzzy-matching algorithm that catches typosquatting attempts. You feed it a domain, it tells you if it's a known phishing site or looks suspiciously similar to a legitimate one. MetaMask uses it internally to warn users before they connect their wallet to a malicious site. The library itself is simple; it's the maintained blocklist that's valuable. Community-contributed and regularly updated as new phishing campaigns appear. The catch: this is narrowly focused on Web3/crypto phishing. It won't help with general phishing detection. The blocklist is only as current as the last update; zero-day phishing domains won't be caught until someone reports them. And the license is listed as 'Other'; check the repo for exact terms before integrating commercially.
This is the DarkSword kernel exploit reimplemented in clean Objective-C. It targets iOS 15.0 through 26.0.1 and provides arbitrary kernel read/write, the foundation for jailbreaks, security research, and vulnerability analysis. The original DarkSword exploit chain was used by commercial surveillance vendors targeting multiple countries before being leaked publicly. This reimplementation by opa334 (a well-known jailbreak developer) makes it accessible to researchers in clean, readable code rather than the obfuscated original. No license specified. The catch: this is a kernel exploit. The security implications are real. Apple has patched this in newer iOS versions, so it only affects devices that haven't updated. Using this for anything other than security research or personal device modification puts you in legal and ethical gray areas. No license means no explicit permission to use or modify. And if you're not already deep in iOS internals, the code won't teach you much without significant background knowledge.
This isn't HashiCorp Vault itself; it's the official collection of example code and tutorials for learning Vault. If you're trying to figure out how to store API keys, database passwords, or encryption keys securely, these guides walk you through Vault's features with working code examples. Vault is a secrets management tool: instead of hardcoding passwords in environment variables or config files, your applications request secrets from Vault at runtime. Vault can also generate temporary database credentials, encrypt data, and manage PKI certificates. It's the industry standard for secrets management at scale. The guides cover identity management, secrets engines, encryption as a service, governance policies, and operational patterns. Examples in Shell, Python, Ruby, and Terraform. Useful for getting started but increasingly dated; some guides reference older Vault versions. Vault itself is source-available (BSL license). The open source fork is OpenBao. HCP Vault (managed cloud) starts at $0.03/hr (~$22/mo) for a small cluster. The catch: these are learning guides, not the tool. If you need Vault, go to the main vault repo. And Vault itself is complex; it's designed for organizations with real compliance requirements. For a solo developer or small team, SOPS or doppler.com handles secrets management with 10% of the complexity.
This tool claims to be a GPT-based hacking/security tool. MIT license, Python-based. The homepage URL points to python.org (not a real project page), and the description is blank. Let me be direct: this has every hallmark of a star-farmed or spam repository. Blank description, generic homepage pointing to python.org, unknown provenance, and a name designed to attract clicks from people searching for 'hacking tools.' The GitHub profile and commit history should be scrutinized before running any code from this repo. If you're looking for legitimate security testing tools, look at the alternatives below. Do not run unknown Python scripts from suspicious repositories on your machine. The catch: everything about this. Don't use it.
Fence sandboxes untrusted commands without containers. It restricts network access and filesystem access at the OS level, so a rogue script can't phone home or delete your files. What's free: everything. Apache 2.0 license. Single Go binary, no dependencies, no account. The value proposition is simplicity. Docker gives you isolation but requires the Docker daemon, images, and significant overhead. Fence is one binary. Run `fence <command>` and it executes with network and filesystem restrictions. That's it. For AI agent sandboxing, where you're running LLM-generated code and need guardrails, this is exactly the right weight class. The catch: it's brand new and early-stage. Linux only (uses kernel namespaces and seccomp). No macOS or Windows support. The security model is narrower than a full container. It restricts network and filesystem but doesn't provide complete process isolation. For high-security use cases, you still want containers or VMs. For 'don't let this script access the internet or my home directory,' it's perfect.
VaultSharp is the .NET client library for HashiCorp Vault. Instead of making raw HTTP calls to Vault's API, you get typed methods and objects. Apache 2.0, C#. Covers the full Vault API: secret engines (KV, Transit, PKI, databases), auth methods (AppRole, Token, LDAP, Kubernetes), and system operations. Supports both Vault Community and Enterprise features. Fully free. This is a client library: no hosting, no service, no paid tier. NuGet install and use. The catch: this is a niche library for a specific integration. You need HashiCorp Vault already running (which has its own cost and ops story). VaultSharp just makes talking to it from C# easier. If you're not in the .NET ecosystem, this isn't relevant. If you are, it's essentially the only maintained Vault client for C#, so the choice is this or raw HTTP. And the community is small; don't expect instant answers to edge-case questions.