{"id":18830530,"url":"https://github.com/zupit/horusec-engine","last_synced_at":"2025-08-20T22:32:19.745Z","repository":{"id":37033819,"uuid":"287102391","full_name":"ZupIT/horusec-engine","owner":"ZupIT","description":"Horusec analysis engine","archived":false,"fork":false,"pushed_at":"2025-08-13T06:07:55.000Z","size":1873,"stargazers_count":22,"open_issues_count":6,"forks_count":17,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-08-13T08:18:31.613Z","etag":null,"topics":["cd","ci","cli","golang","hacktoberfest","java","javascript","kotlin","netcore","python","ruby","sast","security","security-development","terraform"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ZupIT.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-08-12T19:49:19.000Z","updated_at":"2025-02-12T17:04:39.000Z","dependencies_parsed_at":"2023-11-21T09:30:39.081Z","dependency_job_id":"325dcf84-9eae-46d8-9fbd-07b9a9e12243","html_url":"https://github.com/ZupIT/horusec-engine","commit_stats":null,"previous_names":["zupit/horus-engine"],"tags_count":30,"template":false,"template_full_name":null,"purl":"pkg:github/ZupIT/horusec-engine","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZupIT%2Fhorusec-engine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZupIT%2Fhorusec-engine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZupIT%2Fhorusec-engine/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZupIT%2Fhorusec-engine/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ZupIT","download_url":"https://codeload.github.com/ZupIT/horusec-engine/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ZupIT%2Fhorusec-engine/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271397965,"owners_count":24752641,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-20T02:00:09.606Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cd","ci","cli","golang","hacktoberfest","java","javascript","kotlin","netcore","python","ruby","sast","security","security-development","terraform"],"created_at":"2024-11-08T01:49:21.186Z","updated_at":"2025-08-20T22:32:19.482Z","avatar_url":"https://github.com/ZupIT.png","language":"Go","readme":"\u003cp align=\"center\" margin=\"20 0\"\u003e\u003ca href=\"https://horusec.io/\"\u003e\n    \u003cimg src=\"https://github.com/ZupIT/horusec-devkit/blob/main/assets/horusec_logo.png?raw=true\" \n            alt=\"logo_header\" width=\"65%\" style=\"max-width:100%;\"/\u003e\u003c/a\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec-engine/pulse\" alt=\"activity\"\u003e\n        \u003cimg 
src=\"https://img.shields.io/github/commit-activity/m/ZupIT/horusec-engine?label=activity\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec-engine/graphs/contributors\" alt=\"contributors\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/contributors/ZupIT/horusec-engine?label=contributors\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec-engine/actions/workflows/lint.yml\" alt=\"lint\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec-engine/Lint?label=lint\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec-engine/actions/workflows/test.yml\" alt=\"test\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec-engine/Test?label=test\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec-engine/actions/workflows/security.yml\" alt=\"security\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec-engine/Security?label=security\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ZupIT/horusec-engine/actions/workflows/coverage.yml\" alt=\"coverage\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/workflow/status/ZupIT/horusec-engine/Coverage?label=coverage\"/\u003e\u003c/a\u003e\n    \u003ca href=\"https://opensource.org/licenses/Apache-2.0\" alt=\"license\"\u003e\n        \u003cimg src=\"https://img.shields.io/badge/license-Apache%202-blue\"/\u003e\u003c/a\u003e\n\n# **Horusec Engine**\n\n## **Table of contents**\n### 1. [**About**](#about)\n### 2. [**Usage**](#usage)\n\u003e#### 2.1. [**Why does this engine help me?**](#why-does-this-engine-help-me)\n\u003e#### 2.2. [**Examples**](#examples)\n### 3. [**Documentation**](#documentation)\n### 4. [**Issues**](#issues)\n### 5. [**Contributing**](#contributing)\n### 6. [**License**](#license)\n### 7. 
[**Community**](#community)\n\n## **About**\n\nThis repository contains the standalone SAST engine used by [Horusec](https://github.com/ZupIT/horusec).\nFor now we only have a pattern matching rule implementation, but semantic analysis is already being planned.\n\nThis is an internal repository of the [Horusec CLI](https://github.com/ZupIT/horusec), so we don't guarantee\ncompatibility between versions.\n\n### **What is a SAST tool?**\n\nA Static Application Security Testing tool is an automated scanner for security issues in your source code.\nThe main goal is to identify, as early as possible in your development lifecycle, any possible threat to your\ninfrastructure and your users' data. SAST tools don't actually find vulnerabilities, because the tool never executes the\nprogram being analyzed; therefore, you still have to keep testing your applications with more traditional pen testing\nand any other tests that you can execute.\n\n## **Usage**\n\nTo use this implementation, you need to create a new engine instance, informing the goroutine pool size and the\nslice of file extensions that should be analyzed. After the analysis is finished, a slice of findings is returned.\n\n#### **1. Goroutines Pool**\n\nThe pool size informed during instantiation directly affects memory usage and analysis time. The larger the pool,\nthe shorter the analysis time, but the greater the amount of memory required.\n\n#### **2. Rule**\n\nA rule contains all the data needed to identify and report a vulnerability. All rules are defined by a generic interface with\na `Run` function. The idea is that we have several specific implementations of rules, like the one we currently have in\nthe text package, but each one with its own specific strategy.\n\n#### **3. 
Finding**\n\nIt contains all the possible vulnerabilities found after the analysis, and it also has the necessary data to identify and\ntreat each vulnerability.\n\n### **Example**\n\n```go\npackage main\n\nimport (\n    \"context\"\n    \"fmt\"\n    \"regexp\"\n\n    engine \"github.com/ZupIT/horusec-engine\"\n    \"github.com/ZupIT/horusec-engine/text\"\n)\n\nfunc analyze(path string) error {\n    // Pool of 10 goroutines; only files with the .java extension are analyzed.\n    eng := engine.NewEngine(10, \".java\")\n\n    rules := []engine.Rule{\n        \u0026text.Rule{\n            Metadata: engine.Metadata{\n                ID:          \"HORUSEC-EXAMPLE-1\",\n                Name:        \"Hello World\",\n                Description: \"This is an example of the engine usage\",\n                Severity:    \"HIGH\",\n                Confidence:  \"HIGH\",\n            },\n            // OrMatch: the rule reports a finding when any expression matches.\n            Type: text.OrMatch,\n            Expressions: []*regexp.Regexp{\n                regexp.MustCompile(`System\\.out\\.println\\(\"Hello World\"\\);`),\n            },\n        },\n        // ... further rules go here\n    }\n\n    findings, err := eng.Run(context.Background(), path, rules...)\n    if err != nil {\n        return err\n    }\n\n    for _, finding := range findings {\n        // do something with each finding\n        fmt.Printf(\"%+v\\n\", finding)\n    }\n    return nil\n}\n```\n\n## **Documentation**\n\nFor more information about Horusec, please check out the [**documentation**](https://horusec.io/docs/).\n\n## **Issues**\n\nTo open or track an issue for this project, in order to better coordinate your discussions, we recommend that you use the [**Issues tab**](https://github.com/ZupIT/horusec/issues) in the main [**Horusec**](https://github.com/ZupIT/horusec) repository.\n\n## **Contributing**\n\nIf you want to contribute to this repository, access our\n[**Contributing Guide**](https://github.com/ZupIT/horusec-engine/blob/main/CONTRIBUTING.md).\n\n### **Developer Certificate of Origin - DCO**\n\nThis is a security layer for the project and for the developers. It is mandatory.\n\nFollow one of these two methods to add DCO to your commits:\n\n**1. Command line**\nFollow the steps:\n**Step 1:** Configure your local git environment adding the same name and e-mail configured at your GitHub account. 
\nIt helps to sign commits manually during reviews and suggestions.\n\n```\ngit config --global user.name \"Name\"\ngit config --global user.email \"email@domain.com.br\"\n```\n\n**Step 2:** Add the Signed-off-by line with the `'-s'` flag in the git commit command:\n\n```\n$ git commit -s -m \"This is my commit message\"\n```\n\n**2. GitHub website**\nYou can also manually sign your commits during GitHub reviews and suggestions; follow the steps below:\n\n**Step 1:** When the commit changes box opens, manually type or paste your signature in the comment box, as in the\nexample:\n\n```\nSigned-off-by: Name \u003c e-mail address \u003e\n```\n\nFor this method, your name and e-mail must be the same as those registered on your GitHub account.\n\n## **License**\n\n[**Apache License 2.0**](https://github.com/ZupIT/horusec-engine/blob/main/LICENSE).\n\n## **Community**\n\nDo you have any questions about Horusec? Let's chat in our [**forum**](https://forum.zup.com.br/).\n\nThis project exists thanks to all the contributors. You rock! ❤️🚀\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzupit%2Fhorusec-engine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzupit%2Fhorusec-engine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzupit%2Fhorusec-engine/lists"}