https://github.com/ZupIT/horusec
Horusec is an open source tool that performs static code analysis to identify security flaws during the development process.
Currently, the languages supported for analysis are C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx.
The tool has options to search for key leaks and security flaws in all of your project's files, as well as in the Git history. Horusec can be used by developers through the CLI and by the DevSecOps team in CI/CD pipelines.
Horusec performs a SAST analysis of your project from the code perspective.
The tool consists of:
Horusec-CLI, which performs the security analysis and the identification and classification of vulnerabilities when you run its commands.
Web application, the CLI extension used to manage and classify the vulnerabilities found in your application. See the structure in the image below:
When Horusec starts an analysis, it follows the steps below:
3.1 Show the analysis output in your interface or in a file;
3.2 If you are using Horusec in your CI/CD pipeline and want to abort the operation, an exit status of 1 is returned and the pipeline will not proceed until all the vulnerabilities are corrected. If there are no vulnerabilities, an exit status of 0 is returned and the pipeline proceeds to the next step.
3.3 Send the results to Horusec-Manager (web platform), where you can see all the vulnerabilities found in an analytical way and also manage your project;
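The exit-code gate in step 3.2 stops the pipeline on any finding; a team may prefer to block only above a chosen severity. The script below is an added example, not Horusec's own code: it reads the JSON report that `horusec start` can write, lists the findings, and exits 1 only when one exceeds the allowed severity. The `-o json -O report.json` flags and the report's field names are assumed from the CLI and should be checked against your installed version.

```python
"""CI gate over a Horusec JSON report (added example, not Horusec's own code).

Assumed report shape (from `horusec start -p . -o json -O report.json`): a
top-level "analysisVulnerabilities" list whose entries hold a "vulnerabilities"
object with "severity", "file", "line", "securityTool" and "details". Check the
field names against your installed version before relying on this.
"""
import json
import sys
from collections import Counter

# Severity levels, most severe first ("UNKNOWN" is a value Horusec can emit).
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNKNOWN"]

# Constructed sample report with two findings; the id is a placeholder.
SAMPLE_REPORT = json.dumps({
    "id": "00000000-0000-0000-0000-000000000000",
    "status": "success",
    "errors": "",
    "analysisVulnerabilities": [
        {"vulnerabilities": {"severity": "HIGH", "file": "app/config.py", "line": "12",
                             "securityTool": "HorusecEngine", "details": "Hard-coded password"}},
        {"vulnerabilities": {"severity": "LOW", "file": "app/main.py", "line": "40",
                             "securityTool": "Bandit", "details": "Use of assert detected"}},
    ],
})

def findings(report_json: str) -> list:
    """Return the finding objects from a Horusec JSON report."""
    report = json.loads(report_json)
    return [e["vulnerabilities"] for e in report.get("analysisVulnerabilities", [])]

def count_by_severity(report_json: str) -> Counter:
    """Count findings per severity, e.g. Counter({'HIGH': 1, 'LOW': 1})."""
    return Counter(f.get("severity", "UNKNOWN").upper() for f in findings(report_json))

def should_fail(report_json: str, max_allowed: str = "MEDIUM") -> bool:
    """True when any finding is more severe than max_allowed (a team policy;
    Horusec itself exits 1 on any finding). Unrecognised severities fail closed."""
    limit = SEVERITY_ORDER.index(max_allowed.upper())
    rank = lambda s: SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else -1
    return any(rank(sev) < limit for sev in count_by_severity(report_json))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for f in findings(text):
        print(f"{f['severity']:8} {f['file']}:{f['line']}  {f['securityTool']}: {f['details']}")
    sys.exit(1 if should_fail(text) else 0)
```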
Horusec performs 3 types of analysis to identify if there are any security flaws:
SAST (Static Application Security Testing). SAST performs static vulnerability analysis of the code. It can be done on source code, byte code or binaries.
Leaks. The Leaks check scans the source code for possible leaks of credentials, private keys or hard-coded passwords.
Dependency audit. It analyzes the project's dependencies to check for vulnerabilities in third-party libraries.
Horusec has an intuitive CLI, made for developers, where it is possible to perform local analysis.
It is possible to add Horusec to the Continuous Integration or Continuous Deployment pipeline, ensuring one more security layer in your project, besides preventing malicious code from entering production.
It is common to use plugins and extensions in an IDE (Integrated Development Environment) to help you during development. It is possible to perform analysis with Horusec through such extensions.
It promotes the culture of secure development by applying the logic of “security by design”.
It brings you security, ensuring that possible unknown vulnerabilities will be found by Horusec's analysis.
It ensures the safety of projects in the CI and CD process and reduces the cost of correcting a vulnerability.