Need help with horusec?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

ZupIT
546 Stars 89 Forks Other 406 Commits 14 Opened issues

Description

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Services available

!
?

Need anything else?

Contributors list

logo_header

Table of contents

  1. What is Horusec?
  2. Getting started
    1. Requirements
    2. Installing Horusec
    3. Usage
      1. CLI Usage
      2. Using Docker
      3. Older versions
      4. Using Horusec-Web application
      5. Using Visual Studio Code
      6. Using the Pipeline
  3. Contributing
  4. Roadmap
  5. License
  6. Community




What is Horusec?

Horusec is an open source tool that performs a static code analysis to identify security flaws during the development process. Currently, the languages for analysis are C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx. The tool has options to search for key leaks and security flaws in all your project's files, as well as in Git history. Horusec can be used by the developer through the CLI and by the DevSecOps team on CI /CD mats.

Check out our Documentation, you will see the complete list of tools and languages Horusec performs analysis.

architecture

See an Output example:

usage_gif

Getting started

Requirements

  • Docker

You need Docker installed in your machine in order to run Horusec with all the tools we use. If you don't have Docker, we have a flag

-D true
that will disable the dependency, but it also loses much of the analysis power. We recommend using it with Docker.

If you enable commit authors

-G true
, there is also a
git
dependency.

Installing Horusec

Mac or Linux

make install

or

curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest

Windows

curl "https://github.com/ZupIT/horusec/releases/latest/download/horusec_win_x64.exe" -o "./horusec.exe" && ./horusec.exe version

Check the installation

horusec version

Usage

CLI Usage

To use horusec-cli and check the application's vulnerabilities, use the following command:

bash
horusec start -p .

When horusec starts an analysis, it creates a folder called

.horusec
. This folder is the basis for not changing your code. We recommend you to add the line
.horusec
into your
.gitignore
file so that this folder does not need to be sent to your git server.

Using Docker

It is possible to use Horusec through a docker image

horuszup/horusec-cli:latest
.

Run the following command to do it:

sh
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)
  • We created a volume containing the project
    -v $(pwd):/src
    .

With the docker image we ended up having two paths where the project can be found.

The

-p
flag will represent the project path inside the container, in our example
/src
. The
-P
flag will represent the project outside the container, in our example is represented by
$(pwd)
, will be also needed to pass the project path to mount the volume
-v $(pwd):/src
.

Older versions

Horusec's v1 is still available.

WARNING: The endpoint with v1 will be deprecated, please upgrade your CLI to v2. Check out more details in the documentation.

Mac or Linux

curl -fsSL https://horusec.io/bin/install.sh | bash -s latest

Windows

curl "https://horusec.io/bin/latest/win_x64/horusec.exe" -o "./horusec.exe" && ./horusec.exe version
  • The older binaries can be found at this endpoint, including the latest version of v1
    v1.10.3
    .
  • As of v2, binaries will no longer be distributed by this endpoint, and you can find in the releases page.

Using Horusec-Web application

Manage your vulnerabilities through our web interface. You can have a dashboard of metrics about your vulnerabilities, control of false positives, authorization token, update of vulnerabilities and much more. See the web application section to keep reading about it.

Check out the example below, it is sending an analysis to Horusec web services:

bash
horusec start -p  -a 

Check out the tutorial on how to create an authorization token through Horusec Manager Web Service.

WARNING: Our web services was moved to a ** new repository**. You need to upgrade to v2, check out how to migrate from v1 to v2.

Using Visual Studio Code

You can analyze your project using Horusec's Visual Studio Code extension. For more information, check out the documentation.

Using the Pipeline

You can perform an analysis of your project before you hold deployment in your environment by ensuring maximum security in your organization. For more information, check out the documentation:

Features

See below: - Analyzes simultaneously 18 languages with 20 different security tools to increase accuracy; - Search for their historical git by secrets and other contents exposed; - Your analysis can be fully configurable, see all CLI available resources.

Contributing

Feel free to use, recommend improvements, or contribute to new implementations.

Check out our contributing guide to learn about our development process, how to suggest bugfixes and improvements.

Developer Certificate of Origin - DCO

This is a security layer for the project and for the developers. It is mandatory.

There are two ways to use DCO, see them below:

1. Command line Follow the steps: Step 1: Check out your local git:

git config --global user.name “Name”
git config --global user.email “[email protected]

Step 2: When you commit, add the sigoff via

-s
flag:
$ git commit -s -m "This is my commit message"

2. GitHub website

Step 1: When the commit changes box opens, add

$ git commit -m “My signed commit” Signed-off-by: username 
Note: For this option, your e-mail must be the same in registered in GitHub.

Roadmap

We have a project roadmap, you can come contribute with us!

Horusec also have other repositories, check out some of our other projects:

License

Apache License 2.0.

Community

Feel free to reach out to us at:

This project exists thanks to all the contributors. You rock! ❤️ 🚀

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.