Horusec – Code security & vulnerability

Programmers working on computer program
Reading Time: 3 minutes

Horusec is an open-source tool that performs a static code analysis to identify security flaws during the development process. Horusec can be integrated with CICD tools to find code vulnerabilities & security issues whenever a developer creates PR on a repo.

It performs code scanning that will check if there is any vulnerability or security issue. If some security flaws are found it decides how severe it is and groups them into different severity levels. Finally, it generates a report as output where you can analyze each & every vulnerability Horusec founds.

Horusec Features

  • Manage Vulnerability
  • Integrate with CI/CD pipelines.
  • Self-hosted Horusec Web-UI
  • Integrate Sonarqube
  • IDE extensions
  • CLI tool or scripting

Installation of Horusec CLI

To install the Horusec CLI tool simply run this command in your Linux terminal or Mac terminal. This will download an installation script that run & install Horusec in your system.

curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash -s latest

Alternative: You can use the docker image for code scanning if you don’t want to install it locally.

docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)\n

Usage of Horusec

1 Open the Application code directory in terminal

Open the application directory that you want to scan. And open a terminal in the directory.

cd path/to/application

2 Generate Config file

Generate a config file for Horusec. This file is used as a configuration for the CLI tool to set default behaviors.

You can also use environment variables or CLI flags to override these configs. The precedence of CLI flags is higher than the environment Variable.

Run the below command in the same directory for the application.

horusec generate

The config file will look like this

  "horusecCliCertInsecureSkipVerify": false,
  "horusecCliCertPath": "",
  "horusecCliContainerBindProjectPath": "",
  "horusecCliCustomImages": {
    "c": "",
    "csharp": "",
    "elixir": "",
    "generic": "",
    "go": "",
    "hcl": "",
    "javascript": "",
    "leaks": "",
    "php": "",
    "python": "",
    "ruby": "",
    "shell": ""
  "horusecCliCustomRulesPath": "",
  "horusecCliDisableDocker": false,
  "horusecCliEnableCommitAuthor": false,
  "horusecCliEnableGitHistoryAnalysis": false,
  "horusecCliEnableInformationSeverity": false,
  "horusecCliEnableOwaspDependencyCheck": false,
  "horusecCliEnableShellcheck": false,
  "horusecCliFalsePositiveHashes": null,
  "horusecCliFilesOrPathsToIgnore": [
  "horusecCliHeaders": {},
  "horusecCliHorusecApiUri": "",
  "horusecCliJsonOutputFilepath": "",
  "horusecCliLogFilePath": "/tmp/horusec-2022-10-03-01-34-22.log",
  "horusecCliMonitorRetryInSeconds": 15,
  "horusecCliPrintOutputType": "",
  "horusecCliReturnErrorIfFoundVulnerability": false,
  "horusecCliRiskAcceptHashes": null,
  "horusecCliSeveritiesToIgnore": [
  "horusecCliShowVulnerabilitiesTypes": [
  "horusecCliTimeoutInSecondsAnalysis": 600,
  "horusecCliTimeoutInSecondsRequest": 300

3 Run Horusec command

To start the code scanning. Run the start command in the same terminal & pass the config file which we have created in the previous step.

horusec start –config-file-path=horusec-config.json

After the scanning is completed it will show all vulnerabilities in terminal’s output. Horusec tool is smart enough to categorize vulnerability into different severity & also prints a readable message along with possible resolution & a reference link.

Output will look like

Horusec tool is smart enough to categorize vulnerability into different severity & also prints a readable message to explain the issue. It also prints possible resolutions for the vulnerability and a reference link.

CI Integration – Horusec

Horusec can be integrated with most CI tools in the market & it is also available as a Docker image shown in the previous steps.

To promote SecOps practices, Horusec should be integrate with a CI pipeline to scan a new code on every pull request.

Here is an example of Github actions Pull request workflow.


on: pull_request

    runs-on: ubuntu-latest
    name: Horusec Scan
      - uses: actions/checkout@v3
      - name: Run Horusec
          AUTHOR: rahul.soni@knoldus.com
        id: run_horusec
        uses: fike/horusec-action@v0.2.2
          arguments: -p ./ --config-file-path=horusec-config.json -O report.txt --return-error=true


Horusec can be used anywhere & it supports most programming languages including C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx, Swift.

Written by 

Rahul Soni is a Software Consultant at Knoldus Software. He is always charged up for new things & learnings. He is dedicated to his work and believes in quality output. He loves to take deep dives into cloud technologies & different tools.