10 KiB
name, description, version, maintainer, category, tags, frameworks, dependencies, references
| name | description | version | maintainer | category | tags | frameworks | dependencies | references | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| sast-horusec | Multi-language static application security testing using Horusec with support for 18+ programming languages and 20+ security analysis tools. Performs SAST scans, secret detection in git history, and provides vulnerability findings with severity classification. Use when: (1) Analyzing code for security vulnerabilities across multiple languages simultaneously, (2) Detecting exposed secrets and credentials in git history, (3) Integrating SAST into CI/CD pipelines for secure SDLC, (4) Performing comprehensive security analysis during development, (5) Managing false positives and prioritizing security findings. | 0.1.0 | asrour | secsdlc |
|
|
|
|
Horusec SAST Scanner
Overview
Horusec is an open-source security analysis tool that performs static code analysis across 18+ programming languages using 20+ integrated security tools. It identifies vulnerabilities during development, scans git history for exposed secrets, and integrates seamlessly into CI/CD pipelines for secure SDLC practices.
Supported Languages
C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx
Quick Start
Run Horusec scan on current project:
# Using Docker (recommended)
docker run -v /var/run/docker.sock:/var/run/docker.sock \
-v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)
# Local installation
horusec start -p ./path/to/project
Core Workflows
Workflow 1: Local Security Scan
For developers performing pre-commit security analysis:
- Navigate to project directory
- Run Horusec scan:
horusec start -p . -o json -O horusec-report.json - Review JSON output for vulnerabilities
- Filter by severity (HIGH, MEDIUM, LOW, INFO)
- Address critical and high-severity findings
- Re-scan to validate fixes
Workflow 2: CI/CD Pipeline Integration
Progress: [ ] 1. Add Horusec to CI/CD pipeline configuration [ ] 2. Configure output format (JSON for automated processing) [ ] 3. Set severity threshold for build failures [ ] 4. Run scan on each commit or pull request [ ] 5. Parse results and fail build on high-severity findings [ ] 6. Generate security reports for audit trail [ ] 7. Track remediation progress over time
Work through each step systematically. Check off completed items.
Workflow 3: Git History Secret Scanning
For detecting exposed credentials and secrets:
- Run Horusec with git history analysis enabled:
horusec start -p . --enable-git-history-analysis - Review detected secrets and credentials
- Rotate compromised credentials immediately
- Add detected patterns to
.gitignoreand.horusec/config.json - Use git-filter-branch or BFG Repo-Cleaner to remove from history (if needed)
- Document incident and update security procedures
Workflow 4: False Positive Management
When managing scan results and reducing noise:
- Run initial scan and export results:
horusec start -p . -o json -O results.json - Review findings and identify false positives
- Create or update
.horusec/config.jsonwith ignore rules:{ "horusecCliRiskAcceptHashes": ["hash1", "hash2"], "horusecCliFilesOrPathsToIgnore": ["**/test/**", "**/vendor/**"] } - Re-run scan to verify false positives are suppressed
- Document risk acceptance decisions for compliance
- Periodically review ignored findings
Configuration
Create .horusec/config.json in project root for custom configuration:
{
"horusecCliCertInsecureSkipVerify": false,
"horusecCliCertPath": "",
"horusecCliContainerBindProjectPath": "",
"horusecCliCustomImages": {},
"horusecCliCustomRulesPath": "",
"horusecCliDisableDocker": false,
"horusecCliFalsePositiveHashes": [],
"horusecCliFilesOrPathsToIgnore": [
"**/node_modules/**",
"**/vendor/**",
"**/*_test.go",
"**/test/**"
],
"horusecCliHeaders": {},
"horusecCliHorusecApiUri": "",
"horusecCliJsonOutputFilePath": "./horusec-report.json",
"horusecCliLogFilePath": "./horusec.log",
"horusecCliMonitorRetryInSeconds": 15,
"horusecCliPrintOutputType": "text",
"horusecCliProjectPath": ".",
"horusecCliRepositoryAuthorization": "",
"horusecCliRepositoryName": "",
"horusecCliReturnErrorIfFoundVulnerability": false,
"horusecCliRiskAcceptHashes": [],
"horusecCliTimeoutInSecondsAnalysis": 600,
"horusecCliTimeoutInSecondsRequest": 300,
"horusecCliToolsConfig": {},
"horusecCliWorkDir": ".horusec"
}
Output Formats
Horusec supports multiple output formats for different use cases:
text- Human-readable console output (default)json- Structured JSON for CI/CD integrationsonarqube- SonarQube-compatible format
Specify with -o flag:
horusec start -p . -o json -O report.json
Common Patterns
Pattern 1: Fail Build on High Severity
Configure CI/CD to fail on critical findings:
horusec start -p . \
--return-error-if-found-vulnerability \
--severity-threshold="MEDIUM"
Exit code will be non-zero if vulnerabilities at or above threshold are found.
Pattern 2: Multi-Project Monorepo Scanning
Scan multiple projects in monorepo structure:
# Scan specific subdirectories
for project in service1 service2 service3; do
horusec start -p ./$project -o json -O horusec-$project.json
done
Pattern 3: Custom Rules Integration
Add custom security rules:
- Create custom rules file (YAML format)
- Configure path in
.horusec/config.json:{ "horusecCliCustomRulesPath": "./custom-rules.yaml" } - Run scan with custom rules applied
Security Considerations
- Sensitive Data Handling: Horusec scans for exposed secrets. Ensure scan results are stored securely and access is restricted to authorized personnel only
- Access Control: Limit access to Horusec configuration files and scan results. Use read-only mounts in Docker for source code scanning
- Audit Logging: Log all scan executions, findings, and risk acceptance decisions for compliance auditing
- Compliance: Integrates with SOC2, PCI-DSS, and GDPR compliance by identifying vulnerabilities and tracking remediation
- Safe Defaults: Configure severity thresholds appropriate for your risk tolerance. Start with MEDIUM or HIGH to reduce noise
Integration Points
CI/CD Integration
GitHub Actions:
- name: Run Horusec Security Scan
run: |
docker run -v /var/run/docker.sock:/var/run/docker.sock \
-v $(pwd):/src horuszup/horusec-cli:latest \
horusec start -p /src -o json -O horusec-report.json \
--return-error-if-found-vulnerability
GitLab CI:
horusec-scan:
image: horuszup/horusec-cli:latest
script:
- horusec start -p . -o json -O horusec-report.json
artifacts:
reports:
horusec: horusec-report.json
Jenkins:
stage('Security Scan') {
steps {
sh 'docker run -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src'
}
}
VS Code Extension
Horusec provides a VS Code extension for real-time security analysis during development. Install from VS Code marketplace.
Vulnerability Management
Horusec can integrate with centralized vulnerability management platforms via:
- JSON output parsing
- Horusec Platform (separate web-based management tool)
- Custom integrations using API
Troubleshooting
Issue: Docker Socket Permission Denied
Solution: Ensure Docker socket has proper permissions:
sudo chmod 666 /var/run/docker.sock
# Or run with sudo (not recommended for CI/CD)
Issue: False Positives in Test Files
Solution: Exclude test directories in configuration:
{
"horusecCliFilesOrPathsToIgnore": ["**/test/**", "**/*_test.go", "**/tests/**"]
}
Issue: Scan Timeout on Large Repositories
Solution: Increase timeout values in configuration:
{
"horusecCliTimeoutInSecondsAnalysis": 1200,
"horusecCliTimeoutInSecondsRequest": 600
}
Issue: Missing Vulnerabilities for Specific Language
Solution: Verify language is supported and Docker images are available:
horusec version --check-for-updates
docker pull horuszup/horusec-cli:latest
Advanced Usage
Running Without Docker
Install Horusec CLI directly (requires all security tool dependencies):
# macOS
brew install horusec
# Linux
curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash
# Windows
# Download from GitHub releases
Then run:
horusec start -p . --disable-docker
Note: Running without Docker requires manual installation of all security analysis tools (Bandit, Brakeman, GoSec, etc.)
Severity Filtering
Filter results by severity in output:
# Only show HIGH and CRITICAL
horusec start -p . --severity-threshold="HIGH"
# Show all findings
horusec start -p . --severity-threshold="INFO"
Custom Docker Images
Override default security tool images in configuration:
{
"horusecCliCustomImages": {
"python": "my-registry/custom-bandit:latest",
"go": "my-registry/custom-gosec:latest"
}
}
Report Analysis
Parse JSON output for automated processing:
# Extract high-severity findings
cat horusec-report.json | jq '.analysisVulnerabilities[] | select(.severity == "HIGH")'
# Count vulnerabilities by language
cat horusec-report.json | jq '.analysisVulnerabilities | group_by(.language) | map({language: .[0].language, count: length})'
# List unique CWE IDs
cat horusec-report.json | jq '[.analysisVulnerabilities[].securityTool] | unique'