Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/zupit/horusec-engine

Horusec analysis engine
https://github.com/zupit/horusec-engine

cd ci cli golang hacktoberfest java javascript kotlin netcore python ruby sast security security-development terraform

Last synced: 17 days ago
JSON representation

Horusec analysis engine

Host: GitHub
URL: https://github.com/zupit/horusec-engine
Owner: ZupIT
License: apache-2.0
Created: 2020-08-12T19:49:19.000Z (over 4 years ago)
Default Branch: main
Last Pushed: 2024-12-04T16:00:24.000Z (about 1 month ago)
Last Synced: 2024-12-04T17:18:44.062Z (about 1 month ago)
Topics: cd, ci, cli, golang, hacktoberfest, java, javascript, kotlin, netcore, python, ruby, sast, security, security-development, terraform
Language: Go
Homepage:
Size: 1.81 MB
Stars: 21
Watchers: 11
Forks: 16
Open Issues: 6
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md

Awesome Lists containing this project

README

# **Horusec Engine**

## **Table of contents**
### 1. [**About**](#about)
### 2. [**Usage**](#usage)
>#### 2.1. [**Why does this engine help me?**](#why-does-this-engine-help-me)
>#### 2.2. [**Examples**](#examples)
### 3. [**Documentation**](#documentation)
### 4. [**Issues**](#issues)
### 5. [**Contributing**](#contributing)
### 6. [**License**](#license)
### 7. [**Community**](#community)

## **About**

This repository contains the standalone SAST engine used by [Horusec](https://github.com/ZupIT/horusec).
By now we only have a pattern matching rule implementation, but a semantic analysis is already is being planned.

This is an internal repository of the [Horusec CLI](https://github.com/ZupIT/horusec), so we don't guarantee
compatibility between versions.

### **What is a SAST tool?**

A Static Application Security Testing tool is an automated scanner for security issues in your source code.
The main goal is to identify, as soon as possible in your development lifecycle, any possible threat to your
infrastructure and your user's data. SAST tools don't actually find vulnerabilities because the tool never executes the
program being analyzed, therefore, you still have to keep testing your applications with more traditional pen testing
and any other tests that you can execute.

## **Usage**

To use this implementation will be needed to create a new engine instance informing the goroutines pool size and the
slice of the extensions that should be analyzed. After the analysis is finished, a slice of findings will be returned.

#### **1. Goroutines Pool**

The pool size informed during instantiation will directly affect memory usage and analysis time. The larger the pool,
the shorter the analysis time, but the greater the amount of memory required.

#### **2. Rule**

Contains all the data needed to identify and report a vulnerability. All rules are defined by a generic interface with
a `Run` function. The idea is that we have several specific implementations of rules, like the one we currently have in
the text package, but each one with it own specific strategy.

#### **3. Finding**

It contains all the possible vulnerabilities found after the analysis, it also has the necessary data to identify and
treat the vulnerability.

### **Example**

```go
eng := engine.NewEngine(10, ".java")

rules := []engine.Rule{
&text.Rule{
Metadata: engine.Metadata{
ID: "HORUSEC-EXAMPLE-1",
Name: "Hello World",
Description: "This is a example of the engine usage",
Severity: "HIGH",
Confidence: "HIGH",
},
Type: text.OrMatch,
Expressions: []*regexp.Regexp{
regexp.MustCompile(`System\.out\.println$"Hello World"$;`),
},
},
...
}

findings, err := eng.Run(context.Background(), "path-to-analyze", rules...)
if err != nil {
return err
}

for _, finding := range findings {
// do something
}
```

## **Documentation**

For more information about Horusec, please check out the [**documentation**](https://horusec.io/docs/).

## **Issues**

To open or track an issue for this project, in order to better coordinate your discussions, we recommend that you use the [**Issues tab**](https://github.com/ZupIT/horusec/issues) in the main [**Horusec**](https://github.com/ZupIT/horusec) repository.

## **Contributing**

If you want to contribute to this repository, access our
[**Contributing Guide**](https://github.com/ZupIT/horusec-engine/blob/main/CONTRIBUTING.md).

### **Developer Certificate of Origin - DCO**

This is a security layer for the project and for the developers. It is mandatory.

Follow one of these two methods to add DCO to your commits:

**1. Command line**
Follow the steps:
**Step 1:** Configure your local git environment adding the same name and e-mail configured at your GitHub account.
It helps to sign commits manually during reviews and suggestions.

```
git config --global user.name “Name”
git config --global user.email “[email protected]”
```

**Step 2:** Add the Signed-off-by line with the `'-s'` flag in the git commit command:

```
$ git commit -s -m "This is my commit message"
```

**2. GitHub website**
You can also manually sign your commits during GitHub reviews and suggestions, follow the steps below:

**Step 1:** When the commit changes box opens, manually type or paste your signature in the comment box, see the
example:

```
Signed-off-by: Name < e-mail address >
```

For this method, your name and e-mail must be the same registered on your GitHub account.

## **License**

[**Apache License 2.0**](https://github.com/ZupIT/horusec-engine/blob/main/LICENSE).

## **Community**

Do you have any question about Horusec? Let's chat in our [**forum**](https://forum.zup.com.br/).

This project exists thanks to all the contributors. You rock! ❤️🚀