Skip to content
forked from ZupIT/horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

License

Notifications You must be signed in to change notification settings

brunoduruzup/horusec

 
 

Repository files navigation

logo_header

What is Horusec?

Horusec is an open source tool that performs static code analysis to identify security flaws during the development process. Currently, the languages for analysis are: C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx. The tool has options to search for key leaks and security flaws in all files of your project, as well as in Git history. Horusec can be used by the developer through the CLI and by the DevSecOps team on CI /CD mats. See in our DOCUMENTATION the complete list of tools and languages that we perform analysis

architecture

Example Output

usage_gif

Getting started

Requirements

  • Docker

To run horusec with all the tools we use the docker installed on your machine. If you don't have docker, we have a flag -D true that will disable the dependency, but it also loses much of the analysis power. We recommend whenever possible using it with docker.

If you enable commit authors -G true, there is also a git dependency.

Mac or Linux

make install

or

curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest

Windows

curl "https://github.com/ZupIT/horusec/releases/latest/download/horusec_win_x64.exe" -o "./horusec.exe" && ./horusec.exe version

All binaries with versions can be found in our releases page.

Click here to see more details in how to install.

Check the installation

horusec version

Usage CLI

To use horusec-cli and check the application's vulnerabilities:

horusec start -p .

WARN: When horusec starts an analysis it creates a folder called .horusec. This folder serves as the basis for not changing your code. So we recommend that you add the line .horusec into your .gitignore file so that this folder does not need to be sent to your git server!

Usage with Docker

It is also possible to be using the horusec through a docker image `horuszup/horusec-cli:latest.

To do so, just run the following command:

docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)

As you can see in the command, we created a volume containing the project -v $(pwd):/src.

With the docker image we ended up having two paths where the project can be found.

The -p flag will represent the project path inside the container, in our example /src. The -P flag will represent the project outside the container, in our example is represented by $(pwd), will be also needed to pass the project path to mount the volume -v $(pwd):/src.

Oldest versions

Oldster versions of v1 cli are still available.

WARN: The endpoint with v1 will be discontinued in the future, please upgrade your cli to v2.

Mac or Linux

curl -fsSL https://horusec.io/bin/install.sh | bash -s latest

Windows

curl "https://horusec.io/bin/latest/win_x64/horusec.exe" -o "./horusec.exe" && ./horusec.exe version

All oldster binaries can be found at this endpoint, including the latest version of v1 v1.10.3. As of v2, binaries will no longer be distributed by this endpoint, and can be found in our releases page.

Usage with Horusec-Web application

Manage your vulnerabilities through our web interface. With it, you can have a dashboard of metrics about your vulnerabilities, control of false positives, authorization token, update of vulnerabilities and much more. See more about it here.

Usage example sending an analysis to Horusec web services.

horusec start -p <PATH_TO_YOUR_PROJECT> -a <YOUR_AUTHORIZATION_TOKEN>

You can create an authorization token through the horusec manager web service, click here to see more details.

WARN: Our web services have been moved to a new repository, version 2 of the cli require the upgrade of web services, click here to know more about it.

Usage with Visual Studio Code

Analyze your project using the Visual Studio Code with Horusec extension. See more details Here:

Usage with Pipeline

You can perform an analysis of your project before you hold Deploy in your environment by ensuring maximum security in your organization. See more details Here:

Features

  • Analyzes simultaneously 18 languages with 20 different security tools to increase accuracy;
  • Search for their historical git by secrets and other contents exposed;
  • Your analysis can be fully configurable, see all cli available resources;

Communication

We have a few channels for contact, feel free to reach out to us at:

Contributing

Feel free to use, recommend improvements, or contribute to new implementations.

Read our contributing guide to learn about our development process, how to propose bugfixes and improvements, and how to build and test your changes to horusec.

If this is our first repository that you visit, or would like to know more about Horusec, check out some of our other projects.

This project exists thanks to all the contributors. You rock! ❤️ 🚀

About

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 97.2%
  • Shell 1.6%
  • Other 1.2%