horusec v2.7 RC3 releases: improves identification of vulnerabilities in your project
What is Horusec?
- Separate repositories by companies
- Manage users who have access to your company (users must be pre-registered on horusec to be invited to a pre-existing company)
- Manage the repositories available in your company for analysis
- Manage users who have access to company repositories
- Manage your access tokens for a specific repository (required to identify which repository an analysis belongs to and to save it to our system)
- View all existing vulnerabilities in your company and/or its repositories
How does Horusec work?
Horusec performs a SAST analysis of your project from the code perspective.
The tool uses:
- Horusec-CLI, which performs the security analysis and the identification and classification of vulnerabilities when you run its commands.
- The web application, a CLI extension used to manage and classify the vulnerabilities found in your application. See the structure in the image below:
When Horusec starts an analysis, it follows the steps below:
- 1- When you start an analysis through Horusec-CLI, it identifies which languages are present in your project;
- 2- The tool then starts the analysis according to the identified languages, searching for vulnerabilities;
- 3- When the analysis finishes, it performs 3 actions:
- 3.1- Shows the analysis output in your interface or in a file;
- 3.2- If you run Horusec in a CI/CD pipeline and want to abort on findings, it returns exit code 1 and the pipeline does not proceed until all the vulnerabilities are corrected. If there are no vulnerabilities, it returns exit code 0 and the pipeline proceeds to the next step;
- 3.3- Sends the results to Horusec-Manager (the web platform), where you can see all the vulnerabilities found in an analytical way and also manage your project;
Changelog v2.7 RC3
- phpcs:chore – Update PHP_CodeSniffer to show severity and code (#935) @wiliansilvazup
- formatters/tfsec:bugfix – vulnerabilities were being ignored due to missing severity (#934) @nathanmartinszup
- engine/swift:bugfix – improving HS-SWIFT-24 rule to avoid false positives (#930) @nathanmartinszup
- trivy:bugfix – adding func to avoid hash changes in trivy formatter (#929) @nathanmartinszup
- formatters:fix – not showing which tool generated the error (#932) @matheusalcantarazup
- bundler:chore – improve tests and code cleaning (#925) @matheusalcantarazup
Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA