Table of contents
Check out our Documentation, you will see the complete list of tools and languages Horusec performs analysis.
See an Output example:
You need Docker installed in your machine in order to run Horusec with all the tools we use. If you don't have Docker, we have a flag
-D true that will disable the dependency, but it also loses much of the analysis power. We recommend using it with Docker.
If you enable commit authors
-G true, there is also a
Mac or Linux
curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
curl "https://github.com/ZupIT/horusec/releases/latest/download/horusec_win_x64.exe" -o "./horusec.exe" -L && ./horusec.exe version
You can find all binaries with versions in our releases page.
For more details on how to install, check out the documentation
Check the installation
To use horusec-cli and check the application's vulnerabilities, use the following command:
horusec start -p .
When horusec starts an analysis, it creates a folder called
.horusec. This folder is the basis for not changing your code. We recommend you to add the line
.gitignorefile so that this folder does not need to be sent to your git server.
It is possible to use Horusec through a docker image
Run the following command to do it:
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)
- We created a volume containing the project
With the docker image we ended up having two paths where the project can be found.
-p flag will represent the project path inside the container, in our example
-P flag will represent the project outside the container, in our example is represented by
$(pwd), will be also needed to pass the project path to mount the volume
Horusec's v1 is still available.
WARNING: The endpoint with v1 will be deprecated, please upgrade your CLI to v2. Check out more details in the documentation.
Mac or Linux
curl -fsSL https://horusec.io/bin/install.sh | bash -s latest
curl "https://horusec.io/bin/latest/win_x64/horusec.exe" -o "./horusec.exe" && ./horusec.exe version
- The older binaries can be found at this endpoint, including the latest version of v1
- As of v2, binaries will no longer be distributed by this endpoint, and you can find in the releases page.
Using Horusec-Web application
Manage your vulnerabilities through our web interface. You can have a dashboard of metrics about your vulnerabilities, control of false positives, authorization token, update of vulnerabilities and much more. See the web application section to keep reading about it.
Check out the example below, it is sending an analysis to Horusec web services:
horusec start -p <PATH_TO_YOUR_PROJECT> -a <YOUR_AUTHORIZATION_TOKEN>
Using Visual Studio Code
You can analyze your project using Horusec's Visual Studio Code extension. For more information, check out the documentation.
Using the Pipeline
You can perform an analysis of your project before you hold deployment in your environment by ensuring maximum security in your organization. For more information, check out the documentation:
- Analyzes simultaneously 18 languages with 20 different security tools to increase accuracy;
- Search for their historical git by secrets and other contents exposed;
- Your analysis can be fully configurable, see all CLI available resources.
You can find Horusec's documentation on our website.
We have a project roadmap, you can contribute with us!
Horusec has other repositories, check them out:
Feel free to use, recommend improvements, or contribute to new implementations.
Check out our contributing guide to learn about our development process, how to suggest bugfixes and improvements.
Developer Certificate of Origin - DCO
This is a security layer for the project and for the developers. It is mandatory.
Follow one of these two methods to add DCO to your commits:
1. Command line Follow the steps: Step 1: Configure your local git environment adding the same name and e-mail configured at your GitHub account. It helps to sign commits manually during reviews and suggestions.
git config --global user.name “Name” git config --global user.email “[email protected]”
Step 2: Add the Signed-off-by line with the
'-s' flag in the git commit command:
$ git commit -s -m "This is my commit message"
2. GitHub website
You can also manually sign your commits during GitHub reviews and suggestions, follow the steps below:
Step 1: When the commit changes box opens, manually type or paste your signature in the comment box, see the example:
Signed-off-by: Name < e-mail address >
For this method, your name and e-mail must be the same registered on your GitHub account.
Code of Conduct
Please follow the Code of Conduct in all your interactions with our project.
Feel free to reach out to us at:
This project exists thanks to all the contributors. You rock!