
ELEMENTS / 118 CATALOGUED

The DevSecOps Periodic Table

118 tools, frameworks, and standards that secure modern software delivery — mapped like the elements. Search, filter by category, and click any element to decode it.

INDEX / BY CATEGORY

Every Element, Decoded

The full catalogue — what each tool is and where it fits in secure delivery.

Source & Collaboration

  • Gt Git — Distributed version control — the foundation of every secure delivery workflow.
  • Gh GitHub — Code hosting with PRs, branch protection, code owners, and native security features.
  • Gl GitLab — End-to-end DevSecOps platform with built-in scanning across the merge lifecycle.
  • Bb Bitbucket — Atlassian source hosting with pipelines and merge checks for security gates.
  • Gr Gerrit — Code review system enforcing mandatory review before merge.
  • Az Azure Repos — Microsoft-hosted Git with branch policies and audit integration.
  • Ge Gitea — Self-hosted lightweight Git service for air-gapped and regulated environments.
  • Cc CodeCommit — AWS-managed Git with IAM-based access control and KMS encryption.

CI/CD Pipelines

  • Jk Jenkins — The most widely deployed automation server; plugin ecosystem for every security gate.
  • Ga GitHub Actions — Workflow automation in GitHub with OIDC, environments, and required checks.
  • Gc GitLab CI — Pipeline engine with security templates, DAG stages, and compliance pipelines.
  • Ci CircleCI — Hosted CI with contexts, orbs, and OIDC for secretless cloud deploys.
  • Ap Azure Pipelines — Microsoft CI/CD with approvals, gates, and service connections.
  • Tk Tekton — Kubernetes-native pipeline CRDs — the engine behind many internal platforms.
  • Ar Argo CD — Declarative GitOps continuous delivery with drift detection for Kubernetes.
  • Bm Bamboo — Atlassian CI server integrated with Bitbucket and Jira workflows.
  • Cp CodePipeline — AWS-managed delivery pipelines with IAM-scoped stage actions.

SAST & Code Quality

  • Sq SonarQube — Static analysis and quality gates across 30+ languages; the default CI code gate.
  • Sg Semgrep — Fast, rule-based static analysis with custom policies as code.
  • Cx Checkmarx — Enterprise SAST with deep data-flow analysis and IDE feedback.
  • Ft Fortify — OpenText enterprise static analysis with extensive compliance reporting.
  • Vc Veracode — SaaS application security testing across SAST, DAST, and SCA.
  • Cq CodeQL — GitHub semantic code analysis — query code like data to find vulnerability patterns.
  • Cv Coverity — Synopsys static analysis trusted in safety-critical and embedded domains.
  • Bd Bandit — Python-focused security linter for common dangerous patterns.
  • Sb SpotBugs — Java bytecode analysis with the FindSecBugs security ruleset.

DAST & Offensive

  • Zp OWASP ZAP — The leading open-source DAST proxy — automated scans and manual testing.
  • Bp Burp Suite — The de-facto web security testing toolkit for professionals.
  • Nk Nikto — Web server scanner for dangerous files, outdated software, and misconfigurations.
  • Nc Nuclei — Template-driven vulnerability scanner built for automation at scale.
  • Ax Acunetix — Automated web vulnerability scanning with high-coverage crawling.
  • Iv Invicti — Proof-based DAST (formerly Netsparker) that verifies exploitability.
  • Ms Metasploit — Exploitation framework for validating that findings are truly exploitable.
  • Nm Nmap — Network discovery and port scanning — the reconnaissance baseline.
  • Sm sqlmap — Automated SQL injection detection and exploitation tool.

SCA & Dependencies

  • Sk Snyk — Developer-first scanning for dependencies, containers, and IaC with fix PRs.
  • Db Dependabot — GitHub-native automated dependency updates and security alerts.
  • Dc Dependency-Check — OWASP SCA tool mapping dependencies to known CVEs in CI.
  • Mn Mend — Automated open-source risk management (formerly WhiteSource).
  • Bk Black Duck — Synopsys SCA for license compliance and vulnerability management.
  • Rv Renovate — Highly configurable automated dependency update bot.
  • Xr JFrog Xray — Deep recursive scanning of artifacts and dependencies in Artifactory.
  • Nq Nexus IQ — Sonatype policy engine for open-source governance across the SDLC.

Secrets & Keys

  • Vt Vault — HashiCorp secrets management — dynamic credentials, leasing, and encryption as a service.
  • Gk GitLeaks — Fast secret scanning for repos and CI — catch credentials before they ship.
  • Th truffleHog — Deep secret detection with verification against live credential APIs.
  • Sa Secrets Manager — AWS-managed secret storage with rotation and IAM integration.
  • Kv Key Vault — Azure-managed keys, secrets, and certificates with HSM backing.
  • Cj Conjur — CyberArk secrets management built for machine identities and pipelines.
  • Dp Doppler — Developer-friendly centralized secrets and config across environments.
  • Sp SOPS — Encrypted secrets in Git using KMS/PGP — GitOps-friendly secret storage.

Container Security

  • Dk Docker — The container runtime and image format; securing workloads starts here.
  • Tv Trivy — Aqua’s all-in-one scanner for images, filesystems, IaC, and SBOMs.
  • Cl Clair — Static vulnerability analysis for container images, built for registries.
  • Aq Aqua — Full-lifecycle cloud-native application protection platform.
  • Gy Grype — Anchore’s fast vulnerability scanner for images and filesystems.
  • An Anchore — Policy-based container image inspection and compliance enforcement.
  • Hb Harbor — CNCF registry with scanning, signing, and RBAC built in.
  • Dbn Docker Bench — Automated checks against the CIS Docker Benchmark.
  • Sy Sysdig — Runtime security and forensics powered by system-call visibility.

Kubernetes & Runtime

  • K8 Kubernetes — The orchestrator — RBAC, Pod Security, and network policy are your control plane.
  • Fc Falco — CNCF runtime threat detection from kernel events.
  • Kb kube-bench — CIS Kubernetes Benchmark checks for cluster hardening.
  • Kh kube-hunter — Offensive testing that hunts for exploitable Kubernetes weaknesses.
  • Og Gatekeeper — OPA admission control enforcing policy on every cluster object.
  • Ky Kyverno — Kubernetes-native policy engine using plain YAML policies.
  • Is Istio — Service mesh delivering mTLS, authorization, and traffic policy.
  • Cm Cilium — eBPF networking and security with identity-aware network policy.
  • Ka KubeArmor — Runtime enforcement of process, file, and network behavior for pods.

IaC Security

  • Tf Terraform — The infrastructure-as-code standard — scan it before every apply.
  • Ck Checkov — Policy-as-code scanning for Terraform, CloudFormation, Kubernetes, and more.
  • Ts tfsec — Fast Terraform static analysis (now part of Trivy).
  • Kc KICS — Checkmarx open-source scanner covering 15+ IaC formats.
  • Tc Terrascan — Policy-based IaC scanning with OPA under the hood.
  • As Ansible — Configuration management — automate hardening and patch baselines.
  • Pl Pulumi — IaC in real languages with CrossGuard policy packs.
  • Cg cfn-guard — AWS policy-as-code validation for CloudFormation templates.
  • Df driftctl — Detects infrastructure drift between code and reality.

Cloud Security

  • Gd GuardDuty — AWS intelligent threat detection across accounts and workloads.
  • Sh Security Hub — AWS posture aggregation against CIS and FSBP standards.
  • Md Defender — Microsoft Defender for Cloud — CSPM and workload protection on Azure.
  • Sc Sec Command Ctr — Google Cloud’s native security and risk management surface.
  • Pw Prowler — Open-source multi-cloud posture assessment — hundreds of checks.
  • Ss ScoutSuite — Multi-cloud auditing tool producing offline posture reports.
  • Wz Wiz — Agentless CNAPP correlating cloud risks into attack paths.
  • Oc Orca — Agentless cloud security via side-scanning of workloads.
  • Pc Prisma Cloud — Palo Alto CNAPP spanning code-to-cloud protection.

Monitoring & Response

  • Pm Prometheus — CNCF metrics and alerting — the observability backbone.
  • Gf Grafana — Dashboards that make security and delivery KPIs visible.
  • Es Elastic Security — SIEM and detection built on the Elastic Stack.
  • Sl Splunk — Enterprise log analytics and SIEM for security operations.
  • Wh Wazuh — Open-source XDR/SIEM with host intrusion detection.
  • Os OSSEC — Host-based intrusion detection — log analysis, file integrity, rootkits.
  • Hv TheHive — Open-source security incident response platform.
  • Pd PagerDuty — Incident alerting and on-call orchestration when gates trip.
  • Dd Datadog — Unified observability with cloud SIEM and workload security.

Compliance & Policy

  • Op OPA — Open Policy Agent — the general-purpose policy engine behind policy-as-code.
  • In InSpec — Chef’s compliance-as-code framework for testable controls.
  • Cf Conftest — Test structured configs against OPA policies in CI.
  • Cu Cloud Custodian — Rules engine for cloud governance and automated remediation.
  • St Sentinel — HashiCorp policy-as-code embedded in Terraform workflows.
  • Dr Drata — Continuous compliance automation for SOC 2, ISO 27001, and more.
  • Va Vanta — Automated evidence collection and trust management.
  • Oscp OpenSCAP — NIST SCAP-based configuration and vulnerability compliance scanning.

Supply Chain & SBOM

  • Sf Syft — Generates SBOMs from images and filesystems in CycloneDX/SPDX.
  • Co Cosign — Sigstore artifact signing and verification for containers.
  • Si Sigstore — Keyless signing infrastructure — Fulcio, Rekor, and transparency logs.
  • It in-toto — Attestation framework securing the integrity of the whole pipeline.
  • Ls SLSA — Supply-chain Levels for Software Artifacts — the provenance maturity ladder.
  • Cd CycloneDX — OWASP SBOM standard for components, services, and vulnerabilities.
  • Sx SPDX — Linux Foundation SBOM standard with deep license semantics.
  • Dt Dependency-Track — OWASP platform that continuously analyzes SBOMs for risk.

AI Security

  • Lt LLM Top 10 — OWASP’s risk taxonomy for large-language-model applications.
  • Pa Protect AI — ML supply chain and model security scanning platform.
  • Lk Lakera — Guardrails against prompt injection and LLM data leakage.
  • Gx garak — Open-source LLM vulnerability scanner — probes for jailbreaks and leaks.
  • Py PyRIT — Microsoft’s red-teaming framework for generative AI systems.
  • Lg LLM Guard — Input/output sanitization toolkit for LLM-powered apps.

FAQ / DECRYPTED

Periodic Table FAQ

An interactive map of 118 essential DevSecOps tools, frameworks, and standards — arranged like the chemical periodic table and grouped into 14 categories from source control and CI/CD to supply chain and AI security. Use it to explore the ecosystem, plan your toolchain, or study for certification.

As an homage to the real periodic table, which has 118 confirmed elements. Each DevSecOps "element" earns its place by being widely adopted, openly documented, and practically useful in securing software delivery.

Curated by DevSecOpsSchool mentors from the tools we teach, implement in consulting engagements, and see across enterprise environments — balancing open-source standards, cloud-native services, and enterprise platforms in every category.

No. Most practitioners master one or two tools per category relevant to their stack. Our role-based courses teach a production-proven path through the table: roughly 46 tools hands-on across the Professional, Engineer, Manager, and Architect tracks.

Yes — email contact@devsecopsschool.com with the tool, its category, and why it deserves a spot. The table is reviewed and updated as the ecosystem evolves.

INITIATE / CONTACT

Want This Table Running in Your Pipelines?

From SAST to SBOM — our engineers and trainers turn elements into working security gates.

contact@devsecopsschool.com +1 (469) 756-6329