Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Overview


Table of contents

1. About

2. Getting started

2.1. Requirements

2.2. Installation

3. Usage

3.1. CLI Usage

3.2. Using Docker

3.3. Older versions

3.4. Using Horusec-Web application

3.5. Using Visual Studio Code

3.6. Using the Pipeline

4. Documentation

5. Roadmap

6. Contributing

7. Code of Conduct

8. License

9. Community




About

Horusec is an open source tool that performs static code analysis to identify security flaws during the development process. Currently, the languages it analyzes are C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell and Nginx. The tool has options to search for leaked keys and security flaws in all of your project's files, as well as in the Git history. Horusec can be used by developers through the CLI and by the DevSecOps team in CI/CD pipelines.

Check out our Documentation to see the complete list of tools and languages Horusec analyzes.

(architecture diagram)

See an output example:

(usage GIF)

Getting started

Requirements

  • Docker

You need Docker installed on your machine in order to run Horusec with all the tools we use. If you don't have Docker, the flag -D true disables the dependency, but since the bundled analysis tools run as containers you also lose much of the analysis power. We recommend using it with Docker.

If you enable commit authors with -G true, there is also a Git dependency, because the author of each finding is read from the repository history.

Installing Horusec

Mac or Linux

From a clone of the repository:

make install

or

curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest

The script fetches the release binary for you. If piping a remote script into a shell is not acceptable in your environment, download the script first and read it, or take the binary directly from the releases page.

Windows

curl "https://github.com/ZupIT/horusec/releases/latest/download/horusec_win_x64.exe" -o "./horusec.exe" -L && ./horusec.exe version

Check the installation

horusec version

Usage

CLI Usage

To use horusec-cli and check the application's vulnerabilities, use the following command:

horusec start -p .

When horusec starts an analysis, it creates a folder called .horusec and works on a copy of the project there, so that the analysis tools never change your code. We recommend adding the line .horusec to your .gitignore file so that this folder is not sent to your git server.

Using Docker

It is possible to use Horusec through the docker image horuszup/horusec-cli:latest.

Run the following command to do it:

docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)
  • The first volume, -v /var/run/docker.sock:/var/run/docker.sock, hands the host's Docker socket to the container; Horusec uses it to start its analysis tools as sibling containers. Whatever holds that socket controls the host's Docker daemon, so do this only on machines where that is acceptable, such as a dedicated CI runner.
  • The second volume, -v $(pwd):/src, mounts the project into the container.

With the docker image there are two paths at which the project can be found, and both must be given.

The -p flag is the project path inside the container, /src in the example. The -P flag is the project path on the host, $(pwd) in the example; Horusec needs it because the tool containers it starts mount the project from the host, so it must be the same host path used for the volume -v $(pwd):/src.
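The following Python helper is added here as an example; it is not part of the Horusec project. It assembles the command above programmatically and applies the two-path rule: -p is the project as the container sees it, -P the same directory on the host, and any file Horusec itself opens (the --config-file-path file, the -O report) must be given as a container-side path, so host paths inside the project are translated and paths outside it are rejected. The function, constant and parameter names are this example's own; the flags are the ones that appear on this page.

```python
"""Assemble the docker run invocation for the horuszup/horusec-cli image.

Added example; not Horusec's own code. All names here are the example's own.
"""
import os
import subprocess
from typing import List, Optional

IMAGE = "horuszup/horusec-cli:latest"
CONTAINER_SRC = "/src"                 # mount target: the project as the container sees it
DOCKER_SOCKET = "/var/run/docker.sock"


def is_inside_project(host_project: str, host_path: str) -> bool:
    """True if host_path lies within host_project, i.e. the container can see it."""
    rel = os.path.relpath(os.path.abspath(host_path), os.path.abspath(host_project))
    return not (rel == ".." or rel.startswith(".." + os.sep))


def to_container_path(host_project: str, host_path: str) -> str:
    """Translate a host path inside the project into its path inside the container."""
    if not is_inside_project(host_project, host_path):
        raise ValueError(f"{host_path} is outside the mounted project {host_project}")
    rel = os.path.relpath(os.path.abspath(host_path), os.path.abspath(host_project))
    if rel == ".":
        return CONTAINER_SRC
    return f"{CONTAINER_SRC}/{rel.replace(os.sep, '/')}"


def build_horusec_cmd(
    host_project: str,
    output_format: str = "text",
    report_path: Optional[str] = None,
    config_file: Optional[str] = None,
) -> List[str]:
    """Return the argv for scanning host_project with the CLI image."""
    host = os.path.abspath(host_project)  # Docker rejects relative bind-mount sources
    cmd = [
        "docker", "run", "--rm",
        "-v", f"{DOCKER_SOCKET}:{DOCKER_SOCKET}",  # Horusec starts tool containers through it
        "-v", f"{host}:{CONTAINER_SRC}",
        IMAGE, "horusec", "start",
        "-p", CONTAINER_SRC,                       # project path inside the container
        "-P", host,                                # the same project on the host
        "-o", output_format,
    ]
    if config_file:
        # horusec reads the config file inside the container, so translate the path
        cmd += ["--config-file-path", to_container_path(host, config_file)]
    if output_format != "text":
        if report_path is None:
            raise ValueError("a report path is required for non-text output formats")
        cmd += ["-O", to_container_path(host, report_path)]
    return cmd


def run_scan(host_project: str, **options) -> int:
    """Run the scan as an argv list (no shell, no $(pwd) quoting) and return its exit code."""
    return subprocess.run(build_horusec_cmd(host_project, **options), check=False).returncode


if __name__ == "__main__":
    import sys
    sys.exit(run_scan(".", output_format="json", report_path="./horusec-report.json"))
```

The argv list is handed to Docker without a shell, which is what you want in a CI script: the host path is resolved once with os.path.abspath and reused for both the volume and -P, so the two can never drift apart.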

Older versions

Horusec's v1 is still available.

WARNING: The v1 endpoint will be deprecated; please upgrade your CLI to v2. Check out more details in the documentation.

Mac or Linux

curl -fsSL https://horusec.io/bin/install.sh | bash -s latest

Windows

curl "https://horusec.io/bin/latest/win_x64/horusec.exe" -o "./horusec.exe" && ./horusec.exe version
  • The older binaries can be found at this endpoint, including the latest v1 release, v1.10.3.
  • As of v2, binaries are no longer distributed from this endpoint; you can find them on the releases page.

Using Horusec-Web application

Manage your vulnerabilities through our web interface. It gives you a dashboard of metrics about your vulnerabilities, control of false positives, authorization tokens, updates of vulnerabilities and much more. See the web application section to keep reading about it.

Check out the example below; it sends an analysis to the Horusec web services:

horusec start -p <PATH_TO_YOUR_PROJECT> -a <YOUR_AUTHORIZATION_TOKEN>

The token authorizes uploads to your manager instance. In CI, supply it from a secret store or environment variable rather than writing it into the pipeline definition, since the command line is visible in process listings and job logs.

Check out the tutorial on how to create an authorization token through the Horusec Manager web service.

WARNING: Our web services were moved to a new repository. You need to upgrade to v2; check out how to migrate from v1 to v2.

Using Visual Studio Code

You can analyze your project using Horusec's Visual Studio Code extension. For more information, check out the documentation.

Using the Pipeline

You can run the analysis in your pipeline so that every change is checked before it is deployed to your environment, enforcing your organization's security policy. For more information, check out the documentation.

Features

See below:

  • Analyzes 18 languages simultaneously with 20 different security tools to increase accuracy;
  • Searches your Git history for secrets and other exposed content;
  • Your analysis is fully configurable; see all available CLI options.

Documentation

You can find Horusec's documentation on our website.

Roadmap

We have a project roadmap; you can contribute with us!

Horusec has other repositories, check them out:

Contributing

Feel free to use, recommend improvements, or contribute to new implementations.

Check out our contributing guide to learn about our development process and how to suggest bug fixes and improvements.

Developer Certificate of Origin - DCO

This is a security layer for the project and for the developers. It is mandatory.

Follow one of these two methods to add DCO to your commits:

1. Command line

Follow the steps:

Step 1: Configure your local git environment, adding the same name and e-mail configured in your GitHub account. It helps to sign commits manually during reviews and suggestions.

git config --global user.name "Name"
git config --global user.email "[email protected]"

Step 2: Add the Signed-off-by line with the '-s' flag in the git commit command:

$ git commit -s -m "This is my commit message"

2. GitHub website

You can also manually sign your commits during GitHub reviews and suggestions, follow the steps below:

Step 1: When the commit changes box opens, manually type or paste your signature in the comment box, see the example:

Signed-off-by: Name < e-mail address >

For this method, your name and e-mail must be the same registered on your GitHub account.

Code of Conduct

Please follow the Code of Conduct in all your interactions with our project.

License

Apache License 2.0.

Community

Feel free to reach out to us at:

This project exists thanks to all the contributors. You rock! ❤️ 🚀

Comments
  • Horusec Manager

    Horusec Manager

    I know it's a simple question. I already did the code analysis, but I didn't understand how to access Horusec-Manager: is it your central server, or a web server that is installed on the local machine?

    Environment:

    • Horusec version (use horusec version): 1.8.0
    • Operating System: Kali
    help wanted 
    opened by wesleybsb1 35
  • Add missing RuleIDs

    Add missing RuleIDs

    - What I did Where a tool provides an identifier for the rule being violated, add that identifier to RuleId

    - How to verify it Create an output which depends upon the RuleId field, such as the SARIF type

    - Description for the changelog Add rule IDs for supported tools

    kind/improvement project/horusec-cli 
    opened by anthturner 30
  • SARIF Output Support

    SARIF Output Support

    Signed-off-by: Anthony Turner [email protected]

    What I did

    Added SARIF-compatible output structures as an output option in the same vein as SonarQube

    How to verify it

    Use -o sarif as an option with Horusec to output a SARIF report

    - Description for the changelog Adds SARIF output support


    Want to note that this is not necessarily complete; there are several things which just don't exist in Horusec right now. For example, I notice not all of the engine modules have RuleIDs populated, and there is other metadata (such as URL) which need to have a lookup table or some other place to pull them from. This might mean authoring a .csv file to track the metadata or maybe embedding it into code somehow is better.

    Hopefully this at least helps get the conversation started.

    • See also #937
    kind/enhancement 
    opened by anthturner 28
  • horusec-manager does not log in after changing variables to HTTPS

    horusec-manager does not log in after changing variables to HTTPS

    I changed the following variables:

    REACT_APP_HORUSEC_ENDPOINT_API="https://sec.meuend.com.br:8000"
    REACT_APP_HORUSEC_ENDPOINT_ANALYTIC="https://sec.meuend.com.br:8005"
    REACT_APP_HORUSEC_ENDPOINT_ACCOUNT="https://sec.meuend.com.br:8003"
    REACT_APP_HORUSEC_ENDPOINT_AUTH="https://sec.meuend.com.br:8006"

    The result after a new make install is that I cannot log in on the page:

    Environment:

    • Horusec version (use horusec version): v1.8.0
    • Operating System: Ubuntu 20.04
    • Others: Is there any other item that needs adjusting in the parameters?
    help wanted 
    opened by jcsferraz 23
  • False Positive

    False Positive

    What happened:

    I used it with my Laravel (PHP) project, and the tool said that my password is hardcoded, but it is a validation rule

    What you expected to happen: That this does not happen

    How to reproduce it (as minimally and precisely as possible): Create a Laravel project and a validation rule where password is required.

    Anything else we need to know?: The error and the file

    (screenshots)

    Environment:

    • Horusec version (use horusec version): 1.10.1
    • Operating System: ubuntu 20.04
    • Network plugin / Tool and version (if this is a network-related / tool bug): laravel (php) 8.0
    • Others:
    kind/bug kind/improvement 
    opened by IgorDePaula 21
  • Horusec is not reading my config-file.json

    Horusec is not reading my config-file.json

    What happened: I am running Horusec in a pipeline using Docker. I have a Python script that receives the desired parameters and configurations, runs the scan, and shows the results. Two weeks ago it was working fine, but I ran it again yesterday and some issues appeared. First, it returned an error saying "open: /tmp is a directory". I just created a new branch and, without any change in the code, the scanner started to work, but currently it is not taking my config-file.json

    How to reproduce it (as minimally and precisely as possible): This is how I am building the command structure in my Python code:

    def GetStartHorusecCMD(imageName, reportName, outputFormat, configFilePath):
        # Mount the Docker socket (Horusec starts its tools as containers) and the
        # project; -p is the path inside the container, -P the same project on the host.
        command = ("docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src " + imageName +
                   ":latest horusec start -p /src -P $(pwd) --config-file-path " + configFilePath + " -o " + outputFormat)
        if outputFormat != 'text':
            # Non-text formats are written to a file; the path is the container-side one.
            command = command + " -O /src/Horusec/" + reportName
        return command
    

    And the variables that I am passing in my pipeline (running in an Ubuntu environment in GitHub) are:

    imageName: "horuszup/horusec-cli" 
    reportName: "Horusec-21-10-07"
    outputFormat: 'json'
    configFilePath: '/src/Horusec/horusec-config.json'
    

    Anything else we need to know?: This is my project structure: (image)

    Configuration shown using the --log-level=debug flag: (image)

    Environment:

    • Horusec version (use horusec version): We are downloading the latest version from Docker
    • Operating System: Ubuntu-latest (GitHub pipeline environment)
    • Network plugin / Tool and version (if this is a network-related / tool bug): N/A
    • Others:
    help wanted 
    opened by NahuelHerr 20
  • horusec-manager starts with a blank page

    horusec-manager starts with a blank page

    horusec-manager starts with a blank page:

    After running the steps below, as instructed for the local installation, horusec manager loads with a blank page:

    • git clone https://github.com/ZupIT/horusec.git
    • make install

    Anything else we need to know?:

    Environment:

    • Horusec version (use horusec version): 1.6.1
    • Operating System: Ubuntu 20.04.1 kernel 5.4.0-1029-aws
    • Others: docker-compose 1.25.0 , docker 20.10.1
    kind/bug help wanted 
    opened by jcsferraz 20
  • Problems when sending an analysis to the web manager on another host.

    Problems when sending an analysis to the web manager on another host.

    What happened: I installed the web manager on another host; I am trying to run an analysis and send it, but the analysis doesn't show in the web manager.

    How to reproduce it (as minimally and precisely as possible): Install horusec manager on another host. Run an analysis and pass the flag -u with the IP where the manager is located, and the token. The web manager doesn't show the analysis.

    Anything else we need to know?: How can I know what the error is? Because the analysis doesn't show whether the connection was successful.

    Environment:

    • Horusec version : V2.0
    • Operating System: kali linux
    • Network plugin / Tool and version (if this is a network-related / tool bug):
    • Others: installation with docker and docker compose
    project/horusec-platform project/horusec-cli kind/more-info-needed 
    opened by dschacon288 16
  • RuleIDs are not present in all engines

    RuleIDs are not present in all engines

    What would you like to be added: Rule IDs to quickly differentiate flagged items on engines other than HorusecEngine.

    Why is this needed: If we are adding RuleId elsewhere (as in SARIF or JSON), having content to populate that field will be necessary.

    I created an example of what I'm thinking here: https://github.com/anthturner/horusec/commit/71f2b4939ceccca0fe4b59949785cb5c5d892d77

    I'll be happy to continue building it out if the community thinks this is the right approach.

    kind/improvement project/horusec-cli 
    opened by anthturner 12
  • Questions about parameterization

    Questions about parameterization

    What happened: I am trying to bring up the stack on a server; here I use traefik as a reverse proxy. I added my reverse proxy's labels and brought the stack up using docker-compose -f deployments/docker-compose.yaml, and everything went without errors, but when logging in to the manager it cannot authenticate with the api and the auth.

    I would like to understand how to change the communication addresses between the containers, since in the console I saw that it is calling localhost (127.0.0.1:8006)

    Environment:

    • Horusec version (use horusec version): latest
    • Operating System:
    • Ubuntu server 20.04
    • Network plugin / Tool and version (if this is a network-related / tool bug): traefik as reverse proxy
    help wanted 
    opened by GabrielMioranza 12
  • Add Checkov as HCL analyzer

    Add Checkov as HCL analyzer

    DEPENDS ON

    • https://github.com/ZupIT/horusec/pull/508
    • https://github.com/ZupIT/horusec-devkit/pull/61

    - What I did

    Added Checkov as a HCL analyzer, which provides larger coverage than Tfsec. Current implementation ignores docker and secrets vulnerability, and only shows terraform vulnerabilities. Closes #507

    - How to verify it

    Run horusec with terraform enabled, without ignoring checkov. This repository https://github.com/bridgecrewio/terragoat can be used to scan on, with known vulnerabilities

    - Description for the changelog

    • Added Checkov as HCL analyzer
    opened by wibisana-kargo 9
  • Use internal network on docker-compose setup

    Use internal network on docker-compose setup

    The current docker-compose setup requires the external network to access other components such as config, login, etc.. Is it possible to route those requests to the internal network

    How to reproduce it (as minimally and precisely as possible): The browser tries to connect to config endpoint over a public IP, is it possible to route those requests on the internal host network (container -> container)?

    Environment:

    • Horusec version (use horusec version): v2.8.0
    • Operating System: Ubuntu 20.04.5 LTS (Focal Fossa)
    opened by bpetric0 0
  • deps:chore - update alpine Docker tag to v3.16.3

    deps:chore - update alpine Docker tag to v3.16.3

    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | alpine | final | patch | 3.16.0 -> 3.16.3 |


    Configuration

    📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, check this box

    This PR has been generated by Mend Renovate. View repository job log here.

    opened by renovate[bot] 0
  • K8s ends support for docker runtime

    K8s ends support for docker runtime

    With the release of k8s 1.2 they will end support for the docker runtime. Horusec relies on the underlying docker socket (/var/run/docker.sock). Are there any plans for moving to another runtime (containerd)?

    Thanks in advance!

    opened by manojbinjola 1
  • horusecCliFilesOrPathsToIgnore not matching properly

    horusecCliFilesOrPathsToIgnore not matching properly

    What happened: I'm running Horusec using the command docker run --rm -v "/var/run/docker.sock:/var/run/docker.sock" -v "/home/myuser/repos/my_python_project:/src/horusec" --network host horuszup/horusec-cli:latest horusec start -p /src/horusec -P /home/myuser/repos/my_python_project -s INFO,LOW --enable-owasp-dependency-check --enable-git-history --enable-commit-author --config-file-path '/src/horusec/horusec-config.json' -o sonarqube -O /src/horusec/sonar-out.json

    My horusec-config.json has the following content:

    {
      "horusecCliFilesOrPathsToIgnore": [
        "tests/**"
      ]
    }
    

    My sonar-out.json comes with this content:

    {
      "issues": [
        {
          "type": "VULNERABILITY",
          "ruleId": "HorusecEngine",
          "engineId": "horusec",
          "severity": "BLOCKER",
          "effortMinutes": 0,
          "primaryLocation": {
            "message": "(1/1) * Possible vulnerability detected: Password found in a hardcoded URL\nA password was found in a hardcoded URL, this can lead to not only the leak of this password but also a failure point to some more sophisticated CSRF and SSRF attacks. Check CWE-352 (https://cwe.mitre.org/data/definitions/352.html) and CWE-918 (https://cwe.mitre.org/data/definitions/918.html) for more details.",
            "filePath": "tests/unit/infrastructure/mysql/test_mysql.py",
            "textRange": {
              "startLine": 72,
              "startColumn": 27
            }
          }
        },
        {
          "type": "VULNERABILITY",
          "ruleId": "GitLeaks",
          "engineId": "horusec",
          "severity": "BLOCKER",
          "effortMinutes": 0,
          "primaryLocation": {
            "message": "(1/1) * Possible vulnerability detected: Hardcoded Credential",
            "filePath": "tests/infrastructure/mysql/test_mysql.py",
            "textRange": {
              "startLine": 72,
              "startColumn": 29
            }
          }
        }
      ]
    }
    

    What you expected to happen: The sonar-out.json report should come empty, since both vulnerabilities are in files whose paths match the expression passed in the horusecCliFilesOrPathsToIgnore variable in horusec-config.json file.

    How to reproduce it (as minimally and precisely as possible): Create a file that has a vulnerability and place it in a directory. Add to the horusec-config.json file the variable horusecCliFilesOrPathsToIgnore, and add to this variable an expression that has a directory that is one of the parents of the directory that contains the file you created, followed by the wildcard /**, so the expression matches the file you created. Run horusec using a command that is equivalent to the one I mentioned in the "What happened" section. The output recorded in sonar-format should contain the vulnerability that was supposed to be ignored.

    Anything else we need to know?:

    • The second vulnerability ("ruleId": "GitLeaks") is present only in Git history, because the file has been moved to another path (the one of the first vulnerability).

    • If I change tests/** to **/tests/**, Horusec runs normally and the first vulnerability ("ruleId": "HorusecEngine") does not appear in the sonar report, but the second one still does. As far as I can tell, **/tests/** is not a valid expression.

    Environment:

    • Horusec version (use horusec version):

    Version: v2.8.0
    Git commit: df32c1ce03d2de748cecb76cff383f2851e198c3
    Built: Wed Jun 08 13:57:08 2022
    Distribution: normal

    • Operating System:

    docker run horuszup/horusec-cli:latest cat /etc/os-release provides the following output:

    NAME="Alpine Linux"
    ID=alpine
    VERSION_ID=3.15.0
    PRETTY_NAME="Alpine Linux v3.15"
    HOME_URL="https://alpinelinux.org/"
    BUG_REPORT_URL="https://bugs.alpinelinux.org/"

    I'm running Docker over (lsb_release -a output):
    Distributor ID: Ubuntu
    Description: Ubuntu 20.04.5 LTS
    Release: 20.04
    Codename: focal

    • Network plugin / Tool and version (if this is a network-related / tool bug):
    • Others:
    opened by brunobehnken 0
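The following Python script is an added example, not Horusec code. It serves two passages: the pipeline usage described in the README (gating a CI job on the report Horusec writes with -o sonarqube -O <file>) and the issue above about horusecCliFilesOrPathsToIgnore, by applying path globs to the finished report. The report layout (issues[].severity, issues[].ruleId, issues[].primaryLocation.filePath) follows the sample in that issue; the embedded report is constructed from it, with one extra finding outside tests/ added for illustration. The glob semantics are this example's own (** spans directories, * stays within one component, a pattern without a slash matches a name at any depth) and are not a statement of how Horusec itself interprets the option. Filtering the report changes nothing about what Horusec scanned, found in git history, or sent to the manager.

```python
"""Gate a CI job on a Horusec report written with -o sonarqube, applying
path-ignore globs after the fact.

Added example, not Horusec's own code. Glob semantics and all names below
are this example's own; the sample report is constructed for illustration.
"""
import json
import re
from typing import Dict, List

# Sonar severities as they appear in Horusec's sonarqube output, lowest to highest.
SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}

# Constructed sample: the two findings from the issue above plus one outside tests/.
SAMPLE_REPORT = json.dumps({"issues": [
    {"type": "VULNERABILITY", "ruleId": "HorusecEngine", "engineId": "horusec",
     "severity": "BLOCKER", "effortMinutes": 0,
     "primaryLocation": {"message": "Password found in a hardcoded URL",
                         "filePath": "tests/unit/infrastructure/mysql/test_mysql.py",
                         "textRange": {"startLine": 72, "startColumn": 27}}},
    {"type": "VULNERABILITY", "ruleId": "GitLeaks", "engineId": "horusec",
     "severity": "BLOCKER", "effortMinutes": 0,
     "primaryLocation": {"message": "Hardcoded Credential",
                         "filePath": "tests/infrastructure/mysql/test_mysql.py",
                         "textRange": {"startLine": 72, "startColumn": 29}}},
    {"type": "VULNERABILITY", "ruleId": "Bandit", "engineId": "horusec",   # constructed
     "severity": "MINOR", "effortMinutes": 0,
     "primaryLocation": {"message": "Use of assert detected",
                         "filePath": "app/infrastructure/mysql/client.py",
                         "textRange": {"startLine": 10, "startColumn": 1}}},
]})


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a path glob into a regex matched against a whole relative path."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append(r"(?:[^/]+/)*")   # zero or more whole directories
            i += 3
        elif pattern.startswith("**", i):
            parts.append(r".*")            # the rest of the path, across directories
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^/]*")         # within a single path component
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    body = "".join(parts)
    if "/" in pattern:
        return re.compile(rf"^{body}$")
    # Bare name: match that component at any depth, as a file or a directory prefix.
    return re.compile(rf"^(?:.*/)?{body}(?:/.*)?$")


def is_ignored(file_path: str, patterns: List[str]) -> bool:
    """True if file_path (relative to the project root) matches any ignore glob."""
    if file_path.startswith("./"):
        file_path = file_path[2:]
    return any(glob_to_regex(p).match(file_path) for p in patterns)


def parse_report(report_json: str) -> Dict:
    return json.loads(report_json)


def filter_report(report: Dict, ignore_patterns: List[str]) -> Dict:
    """Return a copy of the report without issues located in ignored paths."""
    kept = [issue for issue in report.get("issues", [])
            if not is_ignored(issue["primaryLocation"]["filePath"], ignore_patterns)]
    return {**report, "issues": kept}


def worst_severity(report: Dict) -> str:
    issues = report.get("issues", [])
    if not issues:
        return "NONE"
    return max((i["severity"] for i in issues), key=lambda s: SEVERITY_RANK.get(s, -1))


def gate(report_json: str, ignore_patterns: List[str], fail_on: str = "MAJOR") -> int:
    """CI exit status: 1 if any remaining issue is at or above fail_on, else 0."""
    worst = worst_severity(filter_report(parse_report(report_json), ignore_patterns))
    return 1 if SEVERITY_RANK.get(worst, -1) >= SEVERITY_RANK[fail_on] else 0


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data, ["tests/**"]))
```

Run it after the scan, for example horusec start -p . -o sonarqube -O report.json followed by python gate.py report.json; the exit status becomes the job's verdict. Keep the ignore list in the pipeline under review, since it is the one place where a real finding can be silenced without changing any code.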
  • Add user to group using Keycloak

    Add user to group using Keycloak

    We cannot add new users to the repository: when we click "invite" and go to user, it does not show the users registered in Keycloak, so we cannot add them.

    opened by Lucas-Almeida-hub 0
Owner: ZUP IT INNOVATION