Horusec – Code security & vulnerability

Horusec is an open-source tool that performs static code analysis to identify security flaws during the development process. It can be integrated with CI/CD tools to find code vulnerabilities and security issues whenever a developer opens a pull request on a repository.

It scans the code for vulnerabilities and security issues. For each flaw it finds, it decides how severe the issue is and groups the findings into severity levels. Finally, it generates a report in which you can analyze every vulnerability Horusec finds.

Horusec Features

  • Vulnerability management
  • Integration with CI/CD pipelines
  • Self-hosted Horusec web UI
  • SonarQube integration
  • IDE extensions
  • CLI tool for scripting

Installation of Horusec CLI

To install the Horusec CLI, run this command in a Linux or macOS terminal. It downloads an installation script that runs and installs Horusec on your system.

curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash -s latest

Alternative: you can use the Docker image for code scanning if you don't want to install Horusec locally.

docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)

Usage of Horusec

1 Open the application code directory in a terminal

Open a terminal in the directory of the application that you want to scan.

cd path/to/application

2 Generate the config file

Generate a config file for Horusec. The CLI tool reads this file to set its default behaviour.

You can also use environment variables or CLI flags to override these settings. CLI flags take precedence over environment variables, and both override the config file.

Run the command below in the application directory.

horusec generate

The config file will look like this:

{
  "horusecCliCertInsecureSkipVerify": false,
  "horusecCliCertPath": "",
  "horusecCliContainerBindProjectPath": "",
  "horusecCliCustomImages": {
    "c": "",
    "csharp": "",
    "elixir": "",
    "generic": "",
    "go": "",
    "hcl": "",
    "javascript": "",
    "leaks": "",
    "php": "",
    "python": "",
    "ruby": "",
    "shell": ""
  },
  "horusecCliCustomRulesPath": "",
  "horusecCliDisableDocker": false,
  "horusecCliEnableCommitAuthor": false,
  "horusecCliEnableGitHistoryAnalysis": false,
  "horusecCliEnableInformationSeverity": false,
  "horusecCliEnableOwaspDependencyCheck": false,
  "horusecCliEnableShellcheck": false,
  "horusecCliFalsePositiveHashes": null,
  "horusecCliFilesOrPathsToIgnore": [
    "*tmp*",
    "**/.vscode/**"
  ],
  "horusecCliHeaders": {},
  "horusecCliHorusecApiUri": "http://0.0.0.0:8000",
  "horusecCliJsonOutputFilepath": "",
  "horusecCliLogFilePath": "/tmp/horusec-2022-10-03-01-34-22.log",
  "horusecCliMonitorRetryInSeconds": 15,
  "horusecCliPrintOutputType": "",
  "horusecCliReturnErrorIfFoundVulnerability": false,
  "horusecCliRiskAcceptHashes": null,
  "horusecCliSeveritiesToIgnore": [
    "INFO"
  ],
  "horusecCliShowVulnerabilitiesTypes": [
    "Vulnerability"
  ],
  "horusecCliTimeoutInSecondsAnalysis": 600,
  "horusecCliTimeoutInSecondsRequest": 300
}

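The precedence rule above (CLI flag over environment variable over config file) is easy to get wrong when a pipeline sets a value in more than one place. The Python snippet below is an added example written for this post, not part of Horusec itself. It resolves the effective value of a setting using the camelCase keys from the generated config file and the HORUSEC_CLI_* environment-variable spelling that appears in the workflow later on this page; the way CLI flags are handed in (a dict keyed by config key) is an assumption made for illustration, and the sample config is a constructed subset of the file shown above.

```python
import re
from typing import Any, Mapping

# Constructed subset of the generated horusec-config.json shown above.
SAMPLE_CONFIG = {
    "horusecCliReturnErrorIfFoundVulnerability": False,
    "horusecCliTimeoutInSecondsAnalysis": 600,
    "horusecCliLogFilePath": "/tmp/horusec.log",
}


def env_name(config_key: str) -> str:
    """Derive the environment-variable name from a config key, e.g.
    horusecCliReturnErrorIfFoundVulnerability ->
    HORUSEC_CLI_RETURN_ERROR_IF_FOUND_VULNERABILITY."""
    return re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", config_key).upper()


def coerce(raw: str, like: Any) -> Any:
    """Environment variables arrive as strings; coerce them to the type of
    the config-file value (bool, int and str are handled here)."""
    if isinstance(like, bool):          # bool must be tested before int
        return raw.strip().lower() in ("1", "true", "yes")
    if isinstance(like, int):
        return int(raw)
    return raw


def effective_setting(key: str, config: Mapping[str, Any],
                      env: Mapping[str, str],
                      cli_flags: Mapping[str, Any]) -> Any:
    """Precedence: CLI flag > environment variable > config file.
    cli_flags is keyed by config key (an assumption for this example)."""
    if key in cli_flags:
        return cli_flags[key]
    name = env_name(key)
    if name in env:
        return coerce(env[name], config.get(key))
    return config.get(key)


def explain(key: str, config: Mapping[str, Any], env: Mapping[str, str],
            cli_flags: Mapping[str, Any]) -> str:
    """Report which source supplied the value; handy in pipeline logs."""
    if key in cli_flags:
        return "cli"
    if env_name(key) in env:
        return "env"
    return "config"


if __name__ == "__main__":
    import os
    key = "horusecCliReturnErrorIfFoundVulnerability"
    # In CI, os.environ would carry HORUSEC_CLI_RETURN_ERROR_IF_FOUND_VULNERABILITY.
    value = effective_setting(key, SAMPLE_CONFIG, os.environ, {})
    print(f"{key} = {value} (from {explain(key, SAMPLE_CONFIG, os.environ, {})})")
```

Logging which source won, as explain() does, makes it obvious in a pipeline run why a scan that is configured to pass in the config file still fails the job when the workflow exports the environment variable.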
3 Run the Horusec command

To start scanning, run the start command in the same terminal and pass the config file created in the previous step.

horusec start --config-file-path=horusec-config.json

After the scan completes, Horusec prints every vulnerability to the terminal. Each finding is categorized into a severity level and comes with a readable message explaining the issue, a possible resolution, and a reference link.

CI Integration – Horusec

Horusec can be integrated with most CI tools on the market, and it is also available as a Docker image, as shown in the previous steps.

To promote SecOps practices, integrate Horusec into a CI pipeline so that new code is scanned on every pull request.

Here is an example GitHub Actions pull request workflow.

.github/workflows/pipeline.yaml

on: pull_request

jobs:
  checking_code:
    runs-on: ubuntu-latest
    name: Horusec Scan
    steps:
      - uses: actions/checkout@v3
      
      - name: Run Horusec
        env:
          AUTHOR: rahul.soni@knoldus.com
          HORUSEC_CLI_RETURN_ERROR_IF_FOUND_VULNERABILITY: "true"
        id: run_horusec
        uses: fike/horusec-action@v0.2.2
        with:
          arguments: -p ./ --config-file-path=horusec-config.json -O report.txt --return-error=true
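The workflow above fails the job through --return-error whenever any vulnerability is found. Teams usually want finer control: honour the severities listed in horusecCliSeveritiesToIgnore, skip findings whose hashes are already in horusecCliRiskAcceptHashes or horusecCliFalsePositiveHashes, and fail only at or above a chosen severity. The Python script below is an added example, not Horusec's own code, that implements such a gate over a JSON report. The report layout it expects (a top-level analysisVulnerabilities list whose items hold a vulnerabilities object with severity, vulnHash, file, line, details and type) is an assumption modelled on Horusec's JSON output and should be checked against a report from a real run; the sample report embedded here is constructed and its hashes are placeholders.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (not real Horusec output); vulnHash values are
# placeholders. The field names are an assumption modelled on Horusec's JSON
# report; compare with a report from your own run before relying on them.
SAMPLE_REPORT = json.dumps({
    "status": "success",
    "errors": "",
    "analysisVulnerabilities": [
        {"vulnerabilities": {"severity": "CRITICAL", "vulnHash": "hash-A",
                             "file": "app/db.py", "line": "42",
                             "details": "Possible SQL injection", "type": "Vulnerability"}},
        {"vulnerabilities": {"severity": "HIGH", "vulnHash": "hash-B",
                             "file": "app/auth.py", "line": "7",
                             "details": "Hard-coded credential", "type": "Vulnerability"}},
        {"vulnerabilities": {"severity": "LOW", "vulnHash": "hash-C",
                             "file": "app/util.py", "line": "3",
                             "details": "Use of assert", "type": "Vulnerability"}},
        {"vulnerabilities": {"severity": "INFO", "vulnHash": "hash-D",
                             "file": "app/util.py", "line": "9",
                             "details": "Informational note", "type": "Vulnerability"}},
    ],
})


def load_findings(report_json: str) -> List[Dict]:
    """Flatten the report into a list of finding objects."""
    data = json.loads(report_json)
    return [entry["vulnerabilities"] for entry in data.get("analysisVulnerabilities", [])]


def actionable_findings(findings: Iterable[Dict], ignore_severities: Iterable[str],
                        accepted_hashes: Iterable[str]) -> List[Dict]:
    """Drop ignored severities, accepted/false-positive hashes and anything
    not typed as a plain Vulnerability."""
    ignore = {s.upper() for s in ignore_severities}
    accepted = set(accepted_hashes)
    return [f for f in findings
            if f.get("severity", "UNKNOWN").upper() not in ignore
            and f.get("vulnHash") not in accepted
            and f.get("type", "Vulnerability") == "Vulnerability"]


def severity_counts(findings: Iterable[Dict]) -> Dict[str, int]:
    return dict(Counter(f.get("severity", "UNKNOWN").upper() for f in findings))


def should_fail(findings: Iterable[Dict], fail_on: str = "HIGH") -> bool:
    """True when any remaining finding is at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return any(SEVERITY_RANK.get(f.get("severity", "").upper(), -1) >= threshold
               for f in findings)


def gate(report_json: str, config: Dict, fail_on: str = "HIGH") -> int:
    """Return the exit code a CI step should use: 0 to pass, 1 to fail.
    config is the parsed horusec-config.json (null lists are tolerated)."""
    accepted = (config.get("horusecCliRiskAcceptHashes") or []) + \
               (config.get("horusecCliFalsePositiveHashes") or [])
    remaining = actionable_findings(load_findings(report_json),
                                    config.get("horusecCliSeveritiesToIgnore") or [],
                                    accepted)
    for f in sorted(remaining,
                    key=lambda f: -SEVERITY_RANK.get(f.get("severity", "").upper(), -1)):
        print(f"[{f.get('severity')}] {f.get('file')}:{f.get('line')} "
              f"{f.get('details')} (hash {f.get('vulnHash')})")
    print("summary:", severity_counts(remaining))
    return 1 if should_fail(remaining, fail_on) else 0


if __name__ == "__main__":
    import sys
    # Constructed config: ignore INFO, risk-accept the hard-coded-credential hash.
    cfg = {"horusecCliSeveritiesToIgnore": ["INFO"],
           "horusecCliRiskAcceptHashes": ["hash-B"],
           "horusecCliFalsePositiveHashes": None}
    sys.exit(gate(SAMPLE_REPORT, cfg))
```

In a pipeline, have Horusec write its report in JSON (the config keys horusecCliPrintOutputType and horusecCliJsonOutputFilepath shown above control the format and the file; consult the CLI help for the exact values), read that file together with the parsed horusec-config.json into gate(), and use the returned value as the step's exit code. Keeping the accepted hashes in the committed config file means every exception is reviewable in the pull request that introduced it.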

Conclusion

Horusec can be used anywhere and supports most programming languages, including C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx and Swift.

Written by 

Rahul Soni is a Software Consultant at Knoldus Software. He is always charged up for new things & learnings. He is dedicated to his work and believes in quality output. He loves to take deep dives into cloud technologies & different tools.