horusec v2.7 RC3 releases: improves identification of vulnerabilities in your project
What is Horusec?
Horusec is an open-source tool that performs a static code analysis to identify security flaws during the development process. Currently, the languages for analysis are C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart. The tool has options to search for key leaks and security flaws in all files of your project, as well as in Git history. Horusec can be used by the developer through the CLI and by the DevSecOps team on CI /CD mats. See in our DOCUMENTATION the complete list of tools and languages that we perform analysis.
Horusec manager
- Separate repositories by companies
- Manage users who have access to your company (users must be pre-registered on horusec to be invited to a pre-existing company)
- Manage the repositories available in your company for analysis
- Manage users who have access to company repositories
- Manage your access tokens for the specific repository (required to identify which repository this analysis belongs to and save to our system)
- Visually view all existing vulnerabilities in your company and/or its repository
How does Horusec work?
Horusec performs a SAST analysis of your project from the code perspective.
The tool uses:
- Horusec-CLI when you run the commands performs security analysis and the vulnerabilities identification and classification.
- Web application is the CLI extension used to manage and classify the vulnerabilities found in your application. See the structure in the image below:
When Horusec starts an analysis, it follows the steps below:
- 1- When you start an analysis through Horusec-CLI, it will identify what are the current languages in your project;
- 2- Now, the tool will start the analysis according to the identified languages, searching for vulnerabilities;
- 3- When the analysis finishes, it will start 3 actions:
- 3.1- Show the analyis’ output in your interface or in the file;
- 3.2- If you have been using the CI/CD process in your pipeline and you want to abort the operations, a return type
exit 1will be sent and it won’t go on until all the vulnerabilities are corrected. If there isn’t any vulnerabilities, a status typeexit 0will be returned and it will proceed to the next step.
- 3.3- Send to Horusec-Manager(web platform) where you can see all the vulnerabilities found, in an analytical way, you can also manage your project;
- 3.1- Show the analyis’ output in your interface or in the file;
Changelog v2.7 RC3
What’s Changed
- phpcs:chore – Update PHP_CodeSniffer to show severity and code (#935) @wiliansilvazup
- formatters/tfsec:bugfix – vulnerabilities were being ignored due missing severity (#934) @nathanmartinszup
- engine/swift:bugfix – improving HS-SWIFT-24 rule to avoid false positives (#930) @nathanmartinszup
- trivy:bugfix – adding func to avoid hash changes in trivy formatter (#929) @nathanmartinszup
- formatters:fix – not show which tool generate the error (#932) @matheusalcantarazup
- bundler:chore – improve tests and code cleaning (#925) @matheusalcantarazup
Install & Use
Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
