Horusec with Sonarqube

Horusec is an open-source static analysis (SAST) tool that finds security flaws in application code during development; paired with SonarQube, a team can track, triage and assign those findings in one place. It integrates with CI/CD tools so that a scan runs whenever a developer opens a PR on a repository.

You can integrate Horusec with SonarQube to view the security report for your application code in the SonarQube UI. For local scanning or plain CI integration, read the earlier post “Horusec – Code security & vulnerability”.

Horusec Features

  • Vulnerability management
  • Integration with CI/CD pipelines
  • Self-hosted Horusec web UI
  • SonarQube integration
  • IDE extensions
  • CLI tool for scripting

Installation of Horusec CLI

To install the Horusec CLI, run the command below in a Linux or macOS terminal. It downloads an installation script and pipes it to bash, which installs Horusec on your system. As with any curl-to-bash installer, read the script before running it (open the URL in a browser or save it with curl -o first). The trailing latest is the release the script installs; for reproducible CI builds, pin a specific release tag there instead.

curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash -s latest

Alternative: if you don’t want to install it locally, run the CLI from its Docker image. Horusec launches its analysis tools as containers, which is why the Docker socket is mounted; anything with access to /var/run/docker.sock is effectively root on the host, so only do this on a machine or CI runner you trust with that. The -P $(pwd) flag tells Horusec the host path of the project so it can bind it into the tool containers.

docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)

Setup Sonarqube

Run sonarqube with docker

Run this command in your terminal to spin up a sonarqube container

docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

Once the container is up, open a web browser and go to http://localhost:9000 (the first start takes a minute or two while SonarQube initialises).

Default Credentials

  • Username: admin
  • Password: admin

Change the admin password immediately after the first login; SonarQube prompts you to do so.

Create sonarqube project locally & generate token

Create a project manually in the SonarQube UI, then generate a token for it and store it somewhere safe (a CI secret or an environment variable, not the repository). This token is what sonar-scanner uses to push results into the project.

Setup the project & copy the code provided by sonarqube

  1. Choose build type (Others in this case)
  2. Select OS that your are using ( Linux in this case )

It will come up with a command like the one below. Save it in a file; we will use it later to push the Horusec results into the SonarQube project. The token is shown as a placeholder here: paste the token you generated, and keep that file out of version control. Newer SonarQube releases deprecate -Dsonar.login in favour of -Dsonar.token (or the SONAR_TOKEN environment variable), which keeps the secret out of the command line.

sonar-scanner \
  -Dsonar.projectKey=noteapp \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=<your-sonar-token>

Setup Horusec for Sonar

Open Application code

Open the application directory that you want to scan and start a terminal in that directory.

cd path/to/code

Generate Config file

Generate a config file for Horusec. The CLI reads this file to set its default behaviour for every scan.

You can also override these settings with environment variables or CLI flags: CLI flags take precedence over environment variables, which in turn take precedence over the config file.

Run the command below in the application directory. It writes horusec-config.json there.

horusec generate

The config file will look like this

{
  "horusecCliCertInsecureSkipVerify": false,
  "horusecCliCertPath": "",
  "horusecCliContainerBindProjectPath": "",
  "horusecCliCustomImages": {
    "c": "",
    "csharp": "",
    "elixir": "",
    "generic": "",
    "go": "",
    "hcl": "",
    "javascript": "",
    "leaks": "",
    "php": "",
    "python": "",
    "ruby": "",
    "shell": ""
  },
  "horusecCliCustomRulesPath": "",
  "horusecCliDisableDocker": false,
  "horusecCliEnableCommitAuthor": false,
  "horusecCliEnableGitHistoryAnalysis": false,
  "horusecCliEnableInformationSeverity": false,
  "horusecCliEnableOwaspDependencyCheck": false,
  "horusecCliEnableShellcheck": false,
  "horusecCliFalsePositiveHashes": null,
  "horusecCliFilesOrPathsToIgnore": [
    "*tmp*",
    "**/.vscode/**"
  ],
  "horusecCliHeaders": {},
  "horusecCliHorusecApiUri": "http://0.0.0.0:8000",
  "horusecCliJsonOutputFilepath": "",
  "horusecCliLogFilePath": "/tmp/horusec-2022-10-03-01-34-22.log",
  "horusecCliMonitorRetryInSeconds": 15,
  "horusecCliPrintOutputType": "",
  "horusecCliReturnErrorIfFoundVulnerability": false,
  "horusecCliRiskAcceptHashes": null,
  "horusecCliSeveritiesToIgnore": [
    "INFO"
  ],
  "horusecCliShowVulnerabilitiesTypes": [
    "Vulnerability"
  ],
  "horusecCliTimeoutInSecondsAnalysis": 600,
  "horusecCliTimeoutInSecondsRequest": 300
}

Edit two settings in horusec-config.json so the scan output is written in SonarQube’s generic issue format

"horusecCliPrintOutputType": "sonarqube",
"horusecCliJsonOutputFilepath": "sonarqube.json"

Run Horusec code scanning

To start the scan, run the start command in the same terminal and pass the config file created in the previous step.

horusec start --config-file-path=horusec-config.json

After the scan completes, Horusec writes an external report file in SonarQube’s generic issue format, named sonarqube.json as configured above.

In the next step this file is imported into the SonarQube project with the sonar-scanner flag -Dsonar.externalIssuesReportPaths=sonarqube.json.

Update Sonarqube with external report

To update the SonarQube project created earlier, run the sonar-scanner command you saved, with the flags below adjusted for your project.

The sonarqube.json file from the previous step is passed via -Dsonar.externalIssuesReportPaths, which imports Horusec’s findings as external issues alongside SonarQube’s own analysis.

sonar-scanner \
  -Dsonar.projectKey=noteapp \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=<your-sonar-token> \
  -Dsonar.externalIssuesReportPaths=sonarqube.json

Once the analysis finishes, the Horusec findings appear in the SonarQube project as external issues, each with its rule, severity and location. You can now review each vulnerability, assign it to a team member and track it to resolution. External issues are imported as-is: SonarQube cannot re-run Horusec’s rules itself, so every sonar-scanner run should be preceded by a fresh horusec start and report, otherwise the findings are absent from the next analysis.
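The report Horusec writes with the sonarqube output type uses SonarQube’s generic issue import format, and sonar-scanner fails the import when an entry does not match that format (for example a severity outside BLOCKER, CRITICAL, MAJOR, MINOR and INFO, which is what a hand-edited report with Horusec’s own HIGH/MEDIUM/LOW levels would produce). The Python script below is an added example for this post, not code from Horusec or SonarQube. It validates a report against the format, summarises the findings by severity and returns a pass/fail decision that a CI job can run between horusec start and sonar-scanner. The embedded sample report, including its HS-EXAMPLE-* rule ids and file paths, is constructed for illustration.

```python
"""Check a Horusec report in SonarQube's generic issue import format
before handing it to sonar-scanner -Dsonar.externalIssuesReportPaths.

Added example for this post; not code from Horusec or SonarQube.
The sample report below is constructed and its rule ids are made up."""
import json
import sys
from collections import Counter

# Allowed values in SonarQube's generic issue import format,
# ordered from most to least severe.
SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO")
TYPES = ("BUG", "VULNERABILITY", "CODE_SMELL")


def _issue(rule_id, severity, message, file_path, start_line=None):
    """Build one entry in the generic issue format (used for the sample)."""
    entry = {
        "engineId": "horusec",
        "ruleId": rule_id,
        "severity": severity,
        "type": "VULNERABILITY",
        "primaryLocation": {"message": message, "filePath": file_path},
    }
    if start_line is not None:
        entry["primaryLocation"]["textRange"] = {"startLine": start_line}
    return entry


# Constructed sample in the shape horusec writes to sonarqube.json.
SAMPLE_REPORT = {"issues": [
    _issue("HS-EXAMPLE-1", "CRITICAL", "Hard-coded credential in source", "app/settings.py", 12),
    _issue("HS-EXAMPLE-2", "MAJOR", "SQL query built by string formatting", "app/db.py", 40),
    _issue("HS-EXAMPLE-3", "MINOR", "Insecure default file permissions", "scripts/deploy.sh"),
]}


def validate_report(report):
    """Return a list of problems; an empty list means the shape is importable."""
    problems = []
    issues = report.get("issues")
    if not isinstance(issues, list):
        return ["top-level 'issues' must be an array"]
    for i, issue in enumerate(issues):
        for key in ("engineId", "ruleId", "severity", "type", "primaryLocation"):
            if key not in issue:
                problems.append(f"issue {i}: missing '{key}'")
        # Horusec's own levels (HIGH, MEDIUM, LOW) are not valid here; the
        # sonarqube output type maps them, a hand-made report may not.
        if issue.get("severity") not in SEVERITIES:
            problems.append(f"issue {i}: unknown severity {issue.get('severity')!r}")
        if issue.get("type") not in TYPES:
            problems.append(f"issue {i}: unknown type {issue.get('type')!r}")
        loc = issue.get("primaryLocation") or {}
        for key in ("message", "filePath"):
            if key not in loc:
                problems.append(f"issue {i}: primaryLocation missing '{key}'")
        rng = loc.get("textRange") or {}
        if rng.get("startLine", 1) < 1:  # SonarQube line numbers start at 1
            problems.append(f"issue {i}: startLine must be 1 or greater")
    return problems


def severity_counts(report):
    """Number of issues per severity, with zeros for levels not present."""
    counts = Counter(issue.get("severity") for issue in report.get("issues", []))
    return {level: counts.get(level, 0) for level in SEVERITIES}


def should_fail(report, threshold="CRITICAL"):
    """True if any issue is at or above the threshold severity.

    Call validate_report first; this assumes every severity is valid."""
    limit = SEVERITIES.index(threshold)
    return any(SEVERITIES.index(i["severity"]) <= limit for i in report["issues"])


def main(argv):
    # Usage: python check_report.py [sonarqube.json] [threshold]
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT  # stand-alone demo on the constructed sample
    threshold = argv[2] if len(argv) > 2 else "CRITICAL"
    problems = validate_report(report)
    if problems:
        print("report is not importable:\n  " + "\n  ".join(problems))
        return 2
    for level, count in severity_counts(report).items():
        print(f"{level:<9}{count}")
    failed = should_fail(report, threshold)
    print("FAIL" if failed else "PASS", f"(threshold {threshold})")
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the real report as `python check_report.py sonarqube.json MAJOR` after horusec start and before sonar-scanner: exit code 2 means the scanner would reject the file, exit code 1 means findings at or above the threshold, and only exit code 0 lets the import proceed. Gating on the report rather than on horusec’s own exit status keeps the decision in one place whether the findings come from Horusec or another tool writing the same format.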

Written by 

Rahul Soni is a Software Consultant at Knoldus Software. He is always charged up for new things & learnings. He is dedicated to his work and believes in quality output. He loves to take deep dives into cloud technologies & different tools.