Important tools for security assessments – Implementing DevSecOps with AWS

Mike Naughton | January 12th, 2024


The following table provides a list of some open source scanners that help mitigate a variety of security risks:

Secrets Scanner

git-secrets: This utility prevents you from accidentally committing secrets and credentials into git repositories. Ideally, it should be invoked as part of a pre-commit hook.

Vulnerability Scanners for Third-Party Libraries

Grype: Grype scans container images and filesystems for vulnerabilities in third-party dependencies. It supports Docker, Ruby, Java, and Python, among others.

OWASP dependency-check: This utility scans the dependencies against the vulnerabilities registered in the NVD database. It supports Java, JavaScript, and Ruby.

Trivy: Trivy scans container images, git repos, and dependency frameworks such as maven, npm, and yarn.

Security Scanners for CloudFormation, CDK, and Terraform Code

cfn_nag: It searches CloudFormation templates for indicators of insecure infrastructure, which includes overly permissive IAM rules, security groups, missing access logs, and so on.

cfn_guard: Technically, cfn_guard is similar to OPA. You can use it to define declarative policies, which can then be used for evaluating CloudFormation templates.

cdk_nag: Searches for security compliance issues in CDK applications. It also supports a list of rules that can be used for HIPAA, NIST, and PCI compliance.

checkov: checkov is a static code analysis tool that scans IaC templates and looks for vulnerabilities in open source packages.

tfsec: tfsec is a code scanner from AquaSec. It reports misconfigurations in infrastructure configurations.
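As an added example (not code from the book, nor from the Grype or Trivy projects), here is a small Python gate that a pipeline stage can run over the JSON reports those two scanners emit, so the build fails on findings at or above a chosen severity. The report field layouts are assumptions from the tools' JSON output, and the two sample reports are constructed.

```python
import json

# Severity labels as an ordered scale (assumed: Grype reports "High",
# Trivy reports "HIGH"; both are normalised to upper case below).
SEVERITY_RANK = {"NEGLIGIBLE": 0, "UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def grype_findings(report):
    """Flatten a Grype JSON report (assumed layout: top-level "matches", each with
    "vulnerability" and "artifact") into (id, package, version, severity, fixable)."""
    out = []
    for m in report.get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        fixable = bool(v.get("fix", {}).get("versions"))
        out.append((v["id"], a["name"], a["version"], v["severity"].upper(), fixable))
    return out


def trivy_findings(report):
    """Same for a Trivy JSON report (assumed layout: "Results" -> "Vulnerabilities")."""
    out = []
    for r in report.get("Results", []):
        for v in r.get("Vulnerabilities") or []:
            out.append((v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                        v["Severity"].upper(), bool(v.get("FixedVersion"))))
    return out


def gate(findings, threshold="HIGH", fixable_only=True):
    """Return the findings that should block the pipeline: severity at or above the
    threshold and, by default, only those a dependency upgrade can actually fix.
    Unfixable ones still deserve a ticket, but blocking on them stalls every build."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f[3], 0) >= floor and (f[4] or not fixable_only)]


# Constructed sample reports; the CVE ids are placeholders, not real identifiers.
GRYPE_SAMPLE = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical", "fix": {"versions": ["1.2.3"]}},
     "artifact": {"name": "openssl", "version": "1.2.2"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low", "fix": {"versions": []}},
     "artifact": {"name": "libc6", "version": "2.31"}}]}
TRIVY_SAMPLE = {"Results": [{"Target": "app (node)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "InstalledVersion": "4.17.15",
     "FixedVersion": "4.17.21", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "minimist", "InstalledVersion": "1.2.0",
     "FixedVersion": "", "Severity": "HIGH"}]}]}

if __name__ == "__main__":
    blocking = gate(grype_findings(GRYPE_SAMPLE) + trivy_findings(TRIVY_SAMPLE))
    for f in blocking:
        print("BLOCK %s in %s %s (%s, fix available)" % (f[0], f[1], f[2], f[3]))
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI stage
```

In a real stage you would feed it `grype <image> -o json` or `trivy image -f json <image>` output instead of the embedded samples.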

In the next section, we will get hands-on and deploy a test CI/CD workflow that summarizes all our learnings so far.

Rolling out a test CI/CD workflow for DevSecOps

To put things into practice, we’ll deploy a test pipeline in an AWS account to demonstrate the usage of various tools (AWS and open source) from a security perspective. More concretely, let’s consider a requirement that almost every modern software development team needs to address – securely delivering Docker images at scale. In real-life scenarios, you should consider deploying the output artifacts (Docker images) from such workflows to dedicated test environments where DAST investigations can be performed. This is particularly useful before deploying the image into subsequent environments (pre-prod, prod, and so on).

To have a visual mind map of what we are going to build, let’s dive into the details with an architecture diagram that highlights the end-to-end flow.
