{"id":14957726,"url":"https://github.com/zupit/horusec","last_synced_at":"2025-05-14T07:08:40.553Z","repository":{"id":36997287,"uuid":"293792548","full_name":"ZupIT/horusec","owner":"ZupIT","description":"Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.","archived":false,"fork":false,"pushed_at":"2025-05-06T20:41:34.000Z","size":77512,"stargazers_count":1216,"open_issues_count":117,"forks_count":195,"subscribers_count":50,"default_branch":"main","last_synced_at":"2025-05-06T21:36:11.567Z","etag":null,"topics":["analysis","cd","ci","cli","golang","hacktoberfest","java","kotlin","netcore","python","ruby","sast","sast-analysis","scanner","security","security-development","security-flaws","static-analysis","terraform","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://horusec.io/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ZupIT.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-09-08T11:41:20.000Z","updated_at":"2025-05-05T14:08:47.000Z","dependencies_parsed_at":"2023-10-25T21:32:56.987Z","dependency_job_id":"e56ad62a-96d8-4989-89de-9a7978d5d228","html_url":"https://github.com/ZupIT/horusec","commit_stats":{"total_commits":687,"total_committers":44,"mean_commits":"15.613636363636363","dds":0.8209606986899564,"last_synced_commit":"873d4104a6aa89be8f86d93db8e416909d9add87"},"previous_names":[],"tags_count":72,"template":false,"template_full_name":null
,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZupIT%2Fhorusec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZupIT%2Fhorusec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZupIT%2Fhorusec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZupIT%2Fhorusec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ZupIT","download_url":"https://codeload.github.com/ZupIT/horusec/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254092775,"owners_count":22013290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","cd","ci","cli","golang","hacktoberfest","java","kotlin","netcore","python","ruby","sast","sast-analysis","scanner","security","security-development","security-flaws","static-analysis","terraform","vulnerabilities"],"created_at":"2024-09-24T13:15:28.641Z","updated_at":"2025-05-14T07:08:40.533Z","avatar_url":"https://github.com/ZupIT.png","language":"Go","readme":"\u003cp align=\"center\" margin=\"20 0\"\u003e\u003ca href=\"https://horusec.io/\"\u003e\n    \u003cimg src=\"assets/horusec_logo.png\" alt=\"logo_header\" width=\"65%\" style=\"max-width:100%;\"/\u003e\u003c/a\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec/releases\" alt=\"version\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/v/release/ZupIT/horusec?label=version\"/\u003e\u003c/a\u003e\n    \u003ca 
href=\"https://github.com/ZupIT/horusec/pulse\" alt=\"activity\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/commit-activity/m/ZupIT/horusec?label=activity\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec/graphs/contributors\" alt=\"contributors\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/contributors/ZupIT/horusec?label=contributors\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec/actions/workflows/lint.yml\" alt=\"lint\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec/Lint?label=lint\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec/actions/workflows/test.yml\" alt=\"test\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec/Test?label=test\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec/actions/workflows/security.yml\" alt=\"security\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec/Security?label=security\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec/actions/workflows/coverage.yml\" alt=\"coverage\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec/Coverage?label=coverage\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec/actions/workflows/e2e.yml\" alt=\"e2e\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec/e2e?label=e2e\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec/actions/workflows/build.yaml\" alt=\"build\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec/Build?label=build\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://opensource.org/licenses/Apache-2.0\" alt=\"license\"\u003e\n        \u003cimg src=\"https://img.shields.io/badge/license-Apache%202-blue\"/\u003e\u003c/a\u003e\n    
\u003ca href=\"https://bestpractices.coreinfrastructure.org/projects/5146\"\u003e\u003cimg src=\"https://bestpractices.coreinfrastructure.org/projects/5146/badge\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n## **Table of contents**\n### 1. [**About**](#about)\n### 2. [**Getting started**](#getting-started)\n\u003e#### 2.1. [**Requirements**](#requirements)\n\u003e#### 2.2. [**Installation**](#installing-horusec)\n### 3. [**Usage**](#usage)\n\u003e#### 3.1. [**CLI Usage**](#cli-usage)\n\u003e#### 3.2. [**Using Docker**](#using-docker)\n\u003e#### 3.3. [**Older versions**](#older-versions)\n\u003e#### 3.4. [**Using Horusec-Web application**](#using-horusec-web-application)\n\u003e#### 3.5. [**Using Visual Studio Code**](#using-visual-studio-code)\n\u003e#### 3.6. [**Using the Pipeline**](#using-the-pipeline)\n### 4. [**Documentation**](#documentation)\n### 5. [**Roadmap**](#roadmap)\n### 6. [**Contributing**](#contributing)\n### 7. [**Code of Conduct**](#code-of-conduct)\n### 8. [**License**](#license)\n### 9. [**Community**](#community)\n\n\n\n\u003cbr\u003e\n\u003cbr\u003e\n\u003cbr\u003e\n\n# **About**\nHorusec is an open source tool that performs static code analysis to identify security flaws during the development process. Currently, the languages for analysis are C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx. \nThe tool has options to search for key leaks and security flaws in all your project's files, as well as in Git history. Horusec can be used by the developer through the CLI and by the DevSecOps team in CI/CD pipelines. 
\n\nCheck out our [**Documentation**](https://docs.horusec.io/docs/overview/) for the complete list of tools and languages Horusec analyzes.\n\n\u003cp align=\"center\" margin=\"20 0\"\u003e\u003cimg src=\"assets/horusec-complete-architecture.png\" alt=\"architecture\" width=\"100%\" style=\"max-width:100%;\"/\u003e\u003c/p\u003e\n\n### **See an Output example:**\n\n\u003cimg src=\"assets/usage_horusec.gif\" alt=\"usage_gif\" width=\"100%\" style=\"max-width:100%;\"/\u003e\n\n# **Getting started**\n\n## **Requirements**\n\n- Docker\n\nYou need Docker installed on your machine in order to run Horusec with all the tools we use.\nIf you don't have Docker, we have a [**flag**](https://docs.horusec.io/docs/cli/commands-and-flags/#3-flags) `-D true` that disables the Docker dependency, but you also lose much of the analysis power. \nWe recommend using it with Docker.\n\nIf you enable commit authors `-G true`, there is also a `git` dependency.\n\n## **Installing Horusec**\n### **Mac or Linux**\n```\nmake install\n```\n\nor\n\n```sh\ncurl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest\n```\n\n#### **Check the installation**\n```bash\nhorusec version\n```\n\n### **Windows**\n- **amd64**\n    ```sh\n    curl \"https://github.com/ZupIT/horusec/releases/latest/download/horusec_win_amd64.exe\" -o \"./horusec.exe\" -L\n    ```\n\n- **arm64**\n    ```sh\n    curl \"https://github.com/ZupIT/horusec/releases/latest/download/horusec_win_arm64.exe\" -o \"./horusec.exe\" -L\n    ```\n\n#### **Check the installation**\n```bash\n./horusec.exe version\n```\n\n### **And more**\n\n- You can find all binaries with versions in our [**releases page**](https://github.com/ZupIT/horusec/releases).\n\n- For more details on how to install, check out the [**documentation**](https://docs.horusec.io/docs/cli/installation).\n\n\n## **Usage**\n### **CLI Usage**\nTo use horusec-cli and check the application's 
vulnerabilities, use the following command:\n```bash\nhorusec start -p .\n```\n\u003e When horusec starts an analysis, it creates a folder called **`.horusec`**. Horusec uses this folder as its working base so that your code is not changed. We recommend adding the line **`.horusec`** to your **`.gitignore`** file so that this folder is not sent to your git server.\n\n### **Using Docker**\nIt is possible to use Horusec through a docker image **`horuszup/horusec-cli:latest`**.\n\nRun the following command to do it:\n```sh\ndocker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)\n```\n\n- We created a volume containing the project `-v $(pwd):/src`.\n\nWith the docker image, there are two paths where the project can be found.\n\nThe `-p` flag is the project path inside the container, `/src` in our example.\nThe `-P` flag is the project path outside the container, `$(pwd)` in our example;\nthe same path must also be passed to mount the volume `-v $(pwd):/src`.\n\n### **Older versions**\n\nHorusec's v1 is still available.\n\n**WARNING:** The endpoint with v1 will be deprecated; please upgrade your CLI to v2. Check out more details in the [**documentation**](https://docs.horusec.io/docs/migrate-v1-to-v2/). \n\n### **Mac or Linux**\n```sh\ncurl -fsSL https://horusec.io/bin/install.sh | bash -s latest\n```\n\n### **Windows**\n```sh\ncurl \"https://horusec.io/bin/latest/win_x64/horusec.exe\" -o \"./horusec.exe\" \u0026\u0026 ./horusec.exe version\n```\n\n- The older binaries can be found at this endpoint, including the latest version of v1 **`v1.10.3`**. \n- As of v2, binaries are no longer distributed by this endpoint; you can find them on the [**releases page**](https://github.com/ZupIT/horusec/releases).\n\n### **Using Horusec-Web application**\nManage your vulnerabilities through our web interface. 
You can have a dashboard of metrics about your vulnerabilities, control of false positives, authorization token, update of vulnerabilities and much more.\nSee the [**web application**](https://github.com/ZupIT/horusec-platform) section to keep reading about it.\n\nThe example below sends an analysis to Horusec web services:\n```bash\nhorusec start -p \u003cPATH_TO_YOUR_PROJECT\u003e -a \u003cYOUR_AUTHORIZATION_TOKEN\u003e\n```\n\nCheck out [**the tutorial on how to create an authorization token through Horusec Manager Web Service**](https://docs.horusec.io/docs/tutorials/how-to-create-an-authorization-token).\n\n**WARNING:** Our web services were moved to a [**new repository**](https://github.com/ZupIT/horusec-platform). You need to upgrade to v2; check out [**how to migrate from v1 to v2**](https://docs.horusec.io/docs/migrate-v1-to-v2).\n\n### **Using Visual Studio Code**\nYou can analyze your project using Horusec's Visual Studio Code extension.\nFor more information, [**check out the documentation**](https://docs.horusec.io/docs/extensions/visual-studio-code/).\n\n### **Using the Pipeline**\nYou can analyze your project before deploying it to your environment, ensuring maximum security in your organization.\nFor more information, [**check out the documentation**](https://docs.horusec.io/docs/cli/installation/#installation-via-pipeline).\n\n### **Features**\nSee below: \n- Analyzes 18 languages simultaneously with 20 different security tools to increase accuracy;\n- Searches the git history for exposed secrets and other content;\n- The analysis is fully configurable, [**see all CLI available resources**](https://docs.horusec.io/docs/cli/commands-and-flags/#3-flags).\n\n## **Documentation**\nYou can find Horusec's documentation on our [**website**](https://docs.horusec.io/docs/overview/).\n\n## **Roadmap**\nWe have a project [**roadmap**](ROADMAP.md); you can contribute with us!\n\nHorusec has other 
repositories, check them out:\n\n- [**Horusec Platform**](https://github.com/ZupIT/horusec-platform)\n- [**Horusec DevKit**](https://github.com/ZupIT/horusec-devkit)\n- [**Horusec Engine**](https://github.com/ZupIT/horusec-engine)\n- [**Horusec Operator**](https://github.com/ZupIT/horusec-operator)\n- [**Horusec VsCode**](https://github.com/ZupIT/horusec-vscode-plugin)\n\n## **Contributing**\n\nFeel free to use, recommend improvements, or contribute to new implementations.\n\nCheck out our [**contributing guide**](CONTRIBUTING.md) to learn about our development process and how to suggest bugfixes and improvements. \n\n### **Developer Certificate of Origin - DCO**\n\nThis is a security layer for the project and for the developers. It is mandatory.\n\nFollow one of these two methods to add DCO to your commits:\n\n**1. Command line**\n\nFollow the steps:\n\n**Step 1:** Configure your local git environment by adding the same name and e-mail configured in your GitHub account. It helps to sign commits manually during reviews and suggestions.\n\n```\ngit config --global user.name \"Name\"\ngit config --global user.email \"email@domain.com.br\"\n```\n**Step 2:** Add the Signed-off-by line with the `-s` flag in the git commit command:\n\n```\n$ git commit -s -m \"This is my commit message\"\n```\n**2. 
GitHub website**\n\nYou can also manually sign your commits during GitHub reviews and suggestions, follow the steps below: \n\n**Step 1:** When the commit changes box opens, manually type or paste your signature in the comment box, see the example:\n\n```\nSigned-off-by: Name \u003c e-mail address \u003e\n```\n\nFor this method, your name and e-mail must be the same registered on your GitHub account.\n\n## **Code of Conduct**\nPlease follow the [**Code of Conduct**](https://github.com/ZupIT/horusec/blob/main/CODE_OF_CONDUCT.md) in all your interactions with our project.\n\n## **License**\n [**Apache License 2.0**](LICENSE).\n\n## **Community**\n\nFeel free to reach out to us at:\n\n- [**GitHub Issues**](https://github.com/ZupIT/horusec/issues)\n- If you have any questions or ideas, let's chat in our [**Zup Open Source Forum**](https://forum.zup.com.br).\n\n\nThis project exists thanks to all the contributors. You rock! ❤️ 🚀\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzupit%2Fhorusec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzupit%2Fhorusec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzupit%2Fhorusec/lists"}