Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.


Table of contents

1. About
2. Getting started
   2.1. Requirements
   2.2. Installation
3. Usage
   3.1. CLI Usage
   3.2. Using Docker
   3.3. Older versions
   3.4. Using Horusec-Web application
   3.5. Using Visual Studio Code
   3.6. Using the Pipeline
4. Documentation
5. Roadmap
6. Contributing
7. Code of Conduct
8. License
9. Community

About

Horusec is an open source tool that performs static code analysis to identify security flaws during the development process. Currently, the languages supported for analysis are C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell and Nginx. The tool has options to search for key leaks and security flaws in all your project's files, as well as in the Git history. Horusec can be used by developers through the CLI and by the DevSecOps team in CI/CD pipelines.

Check out our documentation to see the complete list of tools and languages Horusec analyzes.

(Architecture diagram)

See an output example:

(Usage animation)

Getting started

Requirements

  • Docker

You need Docker installed on your machine in order to run Horusec with all the tools we use. If you don't have Docker, the flag -D true disables the dependency, but you also lose much of the analysis power, since most of the bundled tools run as containers. We recommend using Horusec with Docker.

If you enable commit authors with -G true, there is also a git dependency.

Installing Horusec

Mac or Linux

make install

or

curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest

Check the installation

horusec version

Windows

  • amd64

    curl -L "https://github.com/ZupIT/horusec/releases/latest/download/horusec_win_amd64.exe" -o "./horusec.exe"
  • arm64

    curl -L "https://github.com/ZupIT/horusec/releases/latest/download/horusec_win_arm64.exe" -o "./horusec.exe"

The -L flag follows the redirect from the "latest" URL to the release asset; TLS certificate verification is left enabled, so the binary is only downloaded over a verified connection.

Check the installation

./horusec.exe version

Other installation methods are described in the documentation.

Usage

CLI Usage

To use horusec-cli and check the application's vulnerabilities, use the following command:

horusec start -p .

When horusec starts an analysis, it creates a folder called .horusec. Horusec works from this folder so that it never modifies your code. We recommend adding the line .horusec to your .gitignore file so that this folder is not sent to your git server.

Using Docker

It is possible to use Horusec through a docker image horuszup/horusec-cli:latest.

Run the following command to do it:

docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)

  • We created a volume containing the project: -v $(pwd):/src.

With the Docker image there are two paths where the project can be found: inside the container and on the host.

The -p flag is the project path inside the container, in our example /src. The -P flag is the project path outside the container, in our example $(pwd). The same host path is also used to mount the volume -v $(pwd):/src, so the three values must agree.

Older versions

Horusec's v1 is still available.

WARNING: The endpoint with v1 will be deprecated, please upgrade your CLI to v2. Check out more details in the documentation.

Mac or Linux

curl -fsSL https://horusec.io/bin/install.sh | bash -s latest

Windows

curl "https://horusec.io/bin/latest/win_x64/horusec.exe" -o "./horusec.exe" && ./horusec.exe version
  • The older binaries can be found at this endpoint, including the latest version of v1, v1.10.3.
  • As of v2, binaries are no longer distributed by this endpoint; you can find them on the releases page.

Using Horusec-Web application

Manage your vulnerabilities through our web interface. You can have a dashboard of metrics about your vulnerabilities, control of false positives, authorization token, update of vulnerabilities and much more. See the web application section to keep reading about it.

The example below sends an analysis to the Horusec web services:

horusec start -p <PATH_TO_YOUR_PROJECT> -a <YOUR_AUTHORIZATION_TOKEN>

Check out the tutorial on how to create an authorization token through Horusec Manager Web Service.

WARNING: Our web services were moved to a new repository. You need to upgrade to v2; check out how to migrate from v1 to v2.

Using Visual Studio Code

You can analyze your project using Horusec's Visual Studio Code extension. For more information, check out the documentation.

Using the Pipeline

You can run an analysis of your project in your pipeline before deploying to your environment, so that findings block a release instead of reaching production. For more information, check out the documentation:
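The following is an added example, not code from the Horusec project: a small POSIX sh helper set for the CLI and Docker usage described above, suitable for a CI job. It keeps the three places the project path appears in the Docker invocation (the -v mount, -p and -P) in sync, adds .horusec to .gitignore exactly once, and only invokes Docker when it is actually available. Function names are hypothetical; the image name and flags are the ones shown on this page.

```shell
#!/usr/bin/env sh
# Added example (not part of the Horusec README). Hypothetical helper names.

# ensure_horusec_ignored REPO_DIR
# Append ".horusec" to REPO_DIR/.gitignore exactly once, so the working folder
# Horusec creates is never committed. Safe to run on every pipeline execution.
ensure_horusec_ignored() {
  ignore_file="$1/.gitignore"
  [ -f "$ignore_file" ] || : > "$ignore_file"
  # -x: whole-line match, -F: literal string (a bare '.' would match any character)
  grep -qxF '.horusec' "$ignore_file" || printf '.horusec\n' >> "$ignore_file"
}

# horusec_docker_cmd HOST_PATH [CONTAINER_PATH]
# Print the docker invocation from this README with the host path used for the
# volume mount and -P, and the container path used for the mount target and -p.
horusec_docker_cmd() {
  host_path="$1"
  container_path="${2:-/src}"
  printf 'docker run -v /var/run/docker.sock:/var/run/docker.sock -v %s:%s horuszup/horusec-cli:latest horusec start -p %s -P %s\n' \
    "$host_path" "$container_path" "$container_path" "$host_path"
}

# horusec_ci [REPO_DIR]
# Pipeline entry point: prepares .gitignore, then runs the analysis through Docker.
# The exit status of the docker/horusec command is passed through unchanged, so a
# tool failure fails the CI job. Without docker on PATH it prints the command and
# returns 2 instead of silently succeeding.
horusec_ci() {
  repo="${1:-$(pwd)}"
  ensure_horusec_ignored "$repo"
  cmd=$(horusec_docker_cmd "$repo")
  if ! command -v docker >/dev/null 2>&1; then
    echo "docker not found; would run: $cmd" >&2
    return 2
  fi
  sh -c "$cmd"
}

# Stand-alone use: `sh this_script.sh run /path/to/project`
if [ "${1:-}" = "run" ]; then
  horusec_ci "${2:-$(pwd)}"
fi
```

The command string is assembled with printf and executed via `sh -c`, so it assumes a project path without spaces (typical for CI checkouts); quote or rework it if your workspace path contains whitespace.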

Features

See below:

  • Analyzes 18 languages simultaneously with 20 different security tools to increase accuracy;
  • Searches the project's git history for secrets and other exposed contents;
  • Your analysis is fully configurable; see all available CLI options.

Documentation

You can find Horusec's documentation on our website.

Roadmap

We have a project roadmap; you can contribute with us!

Horusec has other repositories, check them out:

Contributing

Feel free to use, recommend improvements, or contribute to new implementations.

Check out our contributing guide to learn about our development process, how to suggest bugfixes and improvements.

Developer Certificate of Origin - DCO

This is a security layer for the project and for the developers. It is mandatory.

Follow one of these two methods to add DCO to your commits:

1. Command line

Follow the steps:

Step 1: Configure your local git environment with the same name and e-mail configured on your GitHub account. This also lets you sign commits manually during reviews and suggestions.

git config --global user.name "Name"
git config --global user.email "<e-mail address>"

Step 2: Add the Signed-off-by line with the '-s' flag in the git commit command:

$ git commit -s -m "This is my commit message"

2. GitHub website

You can also manually sign your commits during GitHub reviews and suggestions, follow the steps below:

Step 1: When the commit changes box opens, manually type or paste your signature in the comment box, see the example:

Signed-off-by: Name <e-mail address>

For this method, your name and e-mail must be the same registered on your GitHub account.
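Because the DCO is mandatory, it is worth rejecting unsigned commits locally before they reach review. The following added example (not part of the Horusec project) is a POSIX sh commit-msg hook body that checks for a Signed-off-by trailer matching the identity in git config, which is exactly the line `git commit -s` appends. Function names and the sample messages are hypothetical.

```shell
#!/usr/bin/env sh
# Added example (not part of the Horusec README). Hypothetical helper names.

# dco_check MSG_FILE NAME EMAIL
# Returns 0 when MSG_FILE contains a line exactly equal to
# "Signed-off-by: NAME <EMAIL>", 1 otherwise. -x forces a whole-line match and
# -F treats the trailer literally, so "<" and "." are not regex metacharacters.
dco_check() {
  msg_file="$1"
  expected="Signed-off-by: $2 <$3>"
  grep -qxF "$expected" "$msg_file"
}

# dco_hook MSG_FILE
# Intended as .git/hooks/commit-msg (git passes the message file as $1):
# reads the identity from git config and rejects the commit with a hint when
# the matching trailer is absent.
dco_hook() {
  name=$(git config user.name) || { echo "git user.name is not set" >&2; return 1; }
  email=$(git config user.email) || { echo "git user.email is not set" >&2; return 1; }
  if dco_check "$1" "$name" "$email"; then
    return 0
  fi
  echo "commit rejected: missing 'Signed-off-by: $name <$email>' (use git commit -s)" >&2
  return 1
}

# Stand-alone use as a hook: `dco_hook "$1"`
if [ "${1:-}" != "" ] && [ -f "${1:-}" ]; then
  dco_hook "$1"
fi
```

The check is deliberately exact: a trailer with a different name or e-mail from the configured identity is treated as missing, which mirrors the requirement above that both must match your GitHub account.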

Code of Conduct

Please follow the Code of Conduct in all your interactions with our project.

License

Apache License 2.0.

Community

Feel free to reach out to us at:

This project exists thanks to all the contributors. You rock! ❤️ 🚀
