Agent skill: sast-horusec

Multi-language static application security testing using Horusec with support for 18+ programming languages and 20+ security analysis tools. Performs SAST scans, secret detection in git history, and provides vulnerability findings with severity classification. Use when: (1) Analyzing code for security vulnerabilities across multiple languages simultaneously, (2) Detecting exposed secrets and credentials in git history, (3) Integrating SAST into CI/CD pipelines for secure SDLC, (4) Performing comprehensive security analysis during development, (5) Managing false positives and prioritizing security findings.

Install this agent skill in your project:

```bash
npx add-skill https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/secsdlc/sast-horusec
```

SKILL.md
Horusec SAST Scanner
Overview
Horusec is an open-source security analysis tool that performs static code analysis across 18+ programming languages using 20+ integrated security tools. It identifies vulnerabilities during development, scans git history for exposed secrets, and integrates seamlessly into CI/CD pipelines for secure SDLC practices.
Supported Languages
C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx
Quick Start
Run Horusec scan on current project:
```bash
# Using Docker (recommended)
docker run -v /var/run/docker.sock:/var/run/docker.sock \
  -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)

# Local installation
horusec start -p ./path/to/project
```
Core Workflows
Workflow 1: Local Security Scan
For developers performing pre-commit security analysis:
- Navigate to the project directory
- Run the Horusec scan:

```bash
horusec start -p . -o json -O horusec-report.json
```

- Review the JSON output for vulnerabilities
- Filter by severity (HIGH, MEDIUM, LOW, INFO)
- Address critical and high-severity findings
- Re-scan to validate fixes
Workflow 2: CI/CD Pipeline Integration
Progress:
[ ] 1. Add Horusec to CI/CD pipeline configuration
[ ] 2. Configure output format (JSON for automated processing)
[ ] 3. Set severity threshold for build failures
[ ] 4. Run scan on each commit or pull request
[ ] 5. Parse results and fail build on high-severity findings
[ ] 6. Generate security reports for audit trail
[ ] 7. Track remediation progress over time

Work through each step systematically. Check off completed items.
Workflow 3: Git History Secret Scanning
For detecting exposed credentials and secrets:
- Run Horusec with git history analysis enabled:

```bash
horusec start -p . --enable-git-history-analysis
```

- Review detected secrets and credentials
- Rotate compromised credentials immediately
- Add detected patterns to .gitignore and .horusec/config.json
- Use git-filter-branch or BFG Repo-Cleaner to remove them from history (if needed)
- Document the incident and update security procedures
Workflow 4: False Positive Management
When managing scan results and reducing noise:
- Run the initial scan and export results:

```bash
horusec start -p . -o json -O results.json
```

- Review findings and identify false positives
- Create or update .horusec/config.json with ignore rules:

```json
{
  "horusecCliRiskAcceptHashes": ["hash1", "hash2"],
  "horusecCliFilesOrPathsToIgnore": ["**/test/**", "**/vendor/**"]
}
```

- Re-run the scan to verify false positives are suppressed
- Document risk acceptance decisions for compliance
- Periodically review ignored findings
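The workflow above, worked through as an added example (not code from the Horusec project or from this skill): a small Python triage script that reads a Horusec JSON report, applies the two kinds of suppression the config supports (path globs in horusecCliFilesOrPathsToIgnore, and hashes in horusecCliFalsePositiveHashes for findings judged not real or horusecCliRiskAcceptHashes for real findings whose risk is accepted), merges those decisions into the config, and keeps a per-finding record of why each was suppressed for the compliance step. It assumes Horusec's report layout of analysisVulnerabilities[].vulnerabilities with file, line, severity, details and vulnHash fields; the sample report, paths and hash values are constructed for the example.

```python
# Added example (not part of the Horusec project or this skill's own files):
# triage a Horusec JSON report and emit the ignore rules for .horusec/config.json.
# Assumes Horusec's report layout analysisVulnerabilities[].vulnerabilities with
# file, line, severity, details and vulnHash fields; the sample report below is
# constructed and its vulnHash values are placeholders, not real hashes.
import fnmatch
import json

SAMPLE_REPORT = {
    "analysisVulnerabilities": [
        {"vulnerabilities": {"file": "src/db.py", "line": "42", "severity": "HIGH",
                             "details": "Possible SQL injection via string formatting",
                             "vulnHash": "hash-db-001"}},
        {"vulnerabilities": {"file": "test/test_db.py", "line": "7", "severity": "HIGH",
                             "details": "Hard-coded password string",
                             "vulnHash": "hash-test-002"}},
        {"vulnerabilities": {"file": "vendor/lib/x.js", "line": "1", "severity": "MEDIUM",
                             "details": "Use of eval",
                             "vulnHash": "hash-vendor-003"}},
        {"vulnerabilities": {"file": "src/config.py", "line": "3", "severity": "LOW",
                             "details": "Debug flag enabled",
                             "vulnHash": "hash-cfg-004"}},
    ]
}


def findings(report):
    """Flatten the report to the per-finding dicts nested under 'vulnerabilities'."""
    return [entry["vulnerabilities"] for entry in report.get("analysisVulnerabilities", [])]


def path_ignored(path, patterns):
    """Approximate horusecCliFilesOrPathsToIgnore globs such as '**/test/**'.

    fnmatch's '*' already crosses '/', so '**' needs no special handling; the
    path is also tested with a leading '/' so '**/test/**' matches 'test/x.py'.
    """
    return any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch("/" + path, p) for p in patterns)


def triage(report, ignore_patterns, false_positive_hashes, risk_accept_hashes):
    """Split findings into open ones and suppressed ones, recording why each was suppressed."""
    open_findings, suppressed = [], []
    for f in findings(report):
        if f["vulnHash"] in false_positive_hashes:
            suppressed.append((f, "false positive"))
        elif f["vulnHash"] in risk_accept_hashes:
            suppressed.append((f, "risk accepted"))
        elif path_ignored(f["file"], ignore_patterns):
            suppressed.append((f, "path ignored"))
        else:
            open_findings.append(f)
    return open_findings, suppressed


def build_config(existing, ignore_patterns, false_positive_hashes, risk_accept_hashes):
    """Merge the decisions into an existing .horusec/config.json dict (sorted, de-duplicated)."""
    config = dict(existing)

    def merged(key, values):
        return sorted(set(config.get(key, [])) | set(values))

    config["horusecCliFilesOrPathsToIgnore"] = merged("horusecCliFilesOrPathsToIgnore", ignore_patterns)
    config["horusecCliFalsePositiveHashes"] = merged("horusecCliFalsePositiveHashes", false_positive_hashes)
    config["horusecCliRiskAcceptHashes"] = merged("horusecCliRiskAcceptHashes", risk_accept_hashes)
    return config


def acceptance_record(suppressed, decided_by):
    """Audit-trail entries for each suppressed finding: the 'why', which the hash list alone lacks."""
    return [{"vulnHash": f["vulnHash"], "file": f["file"], "line": f["line"],
             "reason": reason, "decided_by": decided_by} for f, reason in suppressed]


if __name__ == "__main__":
    ignore = ["**/test/**", "**/vendor/**"]
    open_f, supp = triage(SAMPLE_REPORT, ignore, ["hash-cfg-004"], [])
    print(json.dumps(build_config({}, ignore, ["hash-cfg-004"], []), indent=2))
    print(json.dumps(acceptance_record(supp, "security-review"), indent=2))
    print("still open:", [f["file"] for f in open_f])
```

Run the script as-is to see the merged config for the sample; with a real report, json.load() it in place of SAMPLE_REPORT and write build_config()'s result to .horusec/config.json. Keeping the acceptance record beside the config is what makes the periodic review in the last step possible: a bare hash list says nothing about whether the reason still holds.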
Configuration
Create .horusec/config.json in project root for custom configuration:
```json
{
  "horusecCliCertInsecureSkipVerify": false,
  "horusecCliCertPath": "",
  "horusecCliContainerBindProjectPath": "",
  "horusecCliCustomImages": {},
  "horusecCliCustomRulesPath": "",
  "horusecCliDisableDocker": false,
  "horusecCliFalsePositiveHashes": [],
  "horusecCliFilesOrPathsToIgnore": [
    "**/node_modules/**",
    "**/vendor/**",
    "**/*_test.go",
    "**/test/**"
  ],
  "horusecCliHeaders": {},
  "horusecCliHorusecApiUri": "",
  "horusecCliJsonOutputFilePath": "./horusec-report.json",
  "horusecCliLogFilePath": "./horusec.log",
  "horusecCliMonitorRetryInSeconds": 15,
  "horusecCliPrintOutputType": "text",
  "horusecCliProjectPath": ".",
  "horusecCliRepositoryAuthorization": "",
  "horusecCliRepositoryName": "",
  "horusecCliReturnErrorIfFoundVulnerability": false,
  "horusecCliRiskAcceptHashes": [],
  "horusecCliTimeoutInSecondsAnalysis": 600,
  "horusecCliTimeoutInSecondsRequest": 300,
  "horusecCliToolsConfig": {},
  "horusecCliWorkDir": ".horusec"
}
```
Output Formats
Horusec supports multiple output formats for different use cases:
- text - Human-readable console output (default)
- json - Structured JSON for CI/CD integration
- sonarqube - SonarQube-compatible format

Specify with the -o flag:

```bash
horusec start -p . -o json -O report.json
```
Common Patterns
Pattern 1: Fail Build on High Severity
Configure CI/CD to fail on critical findings:
```bash
horusec start -p . \
  --return-error-if-found-vulnerability \
  --severity-threshold="MEDIUM"
```
Exit code will be non-zero if vulnerabilities at or above threshold are found.
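Pattern 1 done on the pipeline side, as an added example that is not Horusec's own code: a Python gate that reads the JSON report, ranks severities, skips findings Horusec already marks as Risk Accepted or False Positive, and returns a non-zero exit code with one log line per blocking finding, so the CI job shows what tripped the build rather than only that it failed. The report layout (analysisVulnerabilities[].vulnerabilities with severity, type, file, line and details) and the sample findings are assumptions made for the example.

```python
# Added example (not Horusec project code): fail a build at or above a severity
# threshold using the Horusec JSON report, logging each blocking finding.
# Assumes the report layout analysisVulnerabilities[].vulnerabilities with
# severity, type, file, line and details fields; SAMPLE_REPORT is constructed.
import json
import sys

# Horusec severity levels, lowest to highest. UNKNOWN cannot be ranked and is
# handled explicitly below.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Findings already dispositioned through the config hashes must not block a build.
NON_BLOCKING_TYPES = {"Risk Accepted", "False Positive", "Corrected"}

SAMPLE_REPORT = {
    "analysisVulnerabilities": [
        {"vulnerabilities": {"severity": "CRITICAL", "type": "Vulnerability",
                             "file": "cmd/server/main.go", "line": "88", "details": "TLS verification disabled"}},
        {"vulnerabilities": {"severity": "HIGH", "type": "Risk Accepted",
                             "file": "src/legacy.py", "line": "12", "details": "Use of MD5"}},
        {"vulnerabilities": {"severity": "MEDIUM", "type": "Vulnerability",
                             "file": "web/app.js", "line": "30", "details": "Use of eval"}},
        {"vulnerabilities": {"severity": "LOW", "type": "Vulnerability",
                             "file": "src/util.py", "line": "5", "details": "assert used"}},
        {"vulnerabilities": {"severity": "UNKNOWN", "type": "Vulnerability",
                             "file": "conf/nginx.conf", "line": "1", "details": "Unclassified rule"}},
    ]
}


def blocking_findings(report, threshold, block_unknown=False):
    """Return open findings at or above `threshold`.

    UNKNOWN severity blocks only when block_unknown is set, the conservative
    choice for a pipeline that otherwise gates on HIGH.
    """
    threshold = threshold.upper()
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold {threshold!r}; expected one of {sorted(SEVERITY_RANK)}")
    floor = SEVERITY_RANK[threshold]
    blocking = []
    for entry in report.get("analysisVulnerabilities", []):
        v = entry["vulnerabilities"]
        if v.get("type", "Vulnerability") in NON_BLOCKING_TYPES:
            continue
        sev = v.get("severity", "UNKNOWN").upper()
        if sev in SEVERITY_RANK:
            if SEVERITY_RANK[sev] >= floor:
                blocking.append(v)
        elif block_unknown:
            blocking.append(v)
    return blocking


def gate(report, threshold, block_unknown=False):
    """Return (exit_code, log_lines): exit 1 with one line per blocking finding, else (0, [])."""
    blocking = blocking_findings(report, threshold, block_unknown)
    lines = [f"{v['severity']:<8} {v['file']}:{v['line']}  {v['details']}" for v in blocking]
    return (1 if blocking else 0), lines


def main(argv):
    """Usage: gate.py <horusec-report.json> [THRESHOLD] [--block-unknown]; no args runs the sample."""
    if len(argv) < 2:
        report, threshold = SAMPLE_REPORT, "MEDIUM"
    else:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
        threshold = argv[2] if len(argv) > 2 and not argv[2].startswith("--") else "MEDIUM"
    code, lines = gate(report, threshold, "--block-unknown" in argv)
    print(f"threshold={threshold} blocking={len(lines)}")
    print("\n".join(lines))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline, `python gate.py horusec-report.json HIGH --block-unknown` after the scan step; the exit code is the build verdict. UNKNOWN severities are the usual surprise in these reports: they block only when `--block-unknown` is given, and for a job that gates on HIGH that flag is worth turning on so an unclassified rule cannot slip past the gate.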
Pattern 2: Multi-Project Monorepo Scanning
Scan multiple projects in monorepo structure:
```bash
# Scan specific subdirectories
for project in service1 service2 service3; do
  horusec start -p "./$project" -o json -O "horusec-$project.json"
done
```
Pattern 3: Custom Rules Integration
Add custom security rules:
- Create a custom rules file (YAML format)
- Configure the path in .horusec/config.json:

```json
{ "horusecCliCustomRulesPath": "./custom-rules.yaml" }
```

- Run the scan with custom rules applied
Security Considerations
- Sensitive Data Handling: Horusec scans for exposed secrets. Ensure scan results are stored securely and access is restricted to authorized personnel only
- Access Control: Limit access to Horusec configuration files and scan results. Use read-only mounts in Docker for source code scanning
- Audit Logging: Log all scan executions, findings, and risk acceptance decisions for compliance auditing
- Compliance: Supports SOC2, PCI-DSS, and GDPR compliance efforts by identifying vulnerabilities and tracking their remediation
- Safe Defaults: Configure severity thresholds appropriate for your risk tolerance. Start with MEDIUM or HIGH to reduce noise
Integration Points
CI/CD Integration
GitHub Actions:
```yaml
- name: Run Horusec Security Scan
  run: |
    # -P passes the host path of the source; needed when the Docker socket is mounted
    docker run -v /var/run/docker.sock:/var/run/docker.sock \
      -v $(pwd):/src horuszup/horusec-cli:latest \
      horusec start -p /src -P $(pwd) -o json -O horusec-report.json \
      --return-error-if-found-vulnerability
```
GitLab CI:
```yaml
horusec-scan:
  image: horuszup/horusec-cli:latest
  script:
    - horusec start -p . -o json -O horusec-report.json
  artifacts:
    when: always          # keep the report even when the scan fails the job
    paths:
      - horusec-report.json
```

GitLab's `artifacts:reports` accepts only its fixed report types, so the Horusec JSON is published as a plain artifact path.
Jenkins:
```groovy
stage('Security Scan') {
    steps {
        sh 'docker run -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src'
    }
}
```
VS Code Extension
Horusec provides a VS Code extension for real-time security analysis during development. Install from VS Code marketplace.
Vulnerability Management
Horusec can integrate with centralized vulnerability management platforms via:
- JSON output parsing
- Horusec Platform (separate web-based management tool)
- Custom integrations using API
Troubleshooting
Issue: Docker Socket Permission Denied
Solution: Ensure Docker socket has proper permissions:
```bash
sudo chmod 666 /var/run/docker.sock
# Or run with sudo (not recommended for CI/CD)
# Note: mode 666 makes the socket world-writable, and anyone who can talk to the
# Docker daemon can start root-equivalent containers on the host. On shared
# machines, prefer docker-group membership for the scanning user instead.
```
Issue: False Positives in Test Files
Solution: Exclude test directories in configuration:
```json
{
  "horusecCliFilesOrPathsToIgnore": ["**/test/**", "**/*_test.go", "**/tests/**"]
}
```
Issue: Scan Timeout on Large Repositories
Solution: Increase timeout values in configuration:
```json
{
  "horusecCliTimeoutInSecondsAnalysis": 1200,
  "horusecCliTimeoutInSecondsRequest": 600
}
```
Issue: Missing Vulnerabilities for Specific Language
Solution: Verify language is supported and Docker images are available:
```bash
horusec version --check-for-updates
docker pull horuszup/horusec-cli:latest
```
Advanced Usage
Running Without Docker
Install Horusec CLI directly (requires all security tool dependencies):
```bash
# macOS
brew install horusec

# Linux
curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash

# Windows
# Download from GitHub releases
```
Then run:
```bash
horusec start -p . --disable-docker
```
Note: Running without Docker requires manual installation of all security analysis tools (Bandit, Brakeman, GoSec, etc.)
Severity Filtering
Filter results by severity in output:
```bash
# Only show HIGH and CRITICAL
horusec start -p . --severity-threshold="HIGH"

# Show all findings
horusec start -p . --severity-threshold="INFO"
```
Custom Docker Images
Override default security tool images in configuration:
```json
{
  "horusecCliCustomImages": {
    "python": "my-registry/custom-bandit:latest",
    "go": "my-registry/custom-gosec:latest"
  }
}
```
Report Analysis
Parse JSON output for automated processing:
```bash
# Each entry in analysisVulnerabilities nests the finding's fields under "vulnerabilities"

# Extract high-severity findings
jq '.analysisVulnerabilities[] | select(.vulnerabilities.severity == "HIGH")' horusec-report.json

# Count vulnerabilities by language
jq '[.analysisVulnerabilities[].vulnerabilities] | group_by(.language) | map({language: .[0].language, count: length})' horusec-report.json

# List the security tools that reported findings
jq '[.analysisVulnerabilities[].vulnerabilities.securityTool] | unique' horusec-report.json
```
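The jq queries above, generalized in one pass as an added example (not from the Horusec project): Python that aggregates a report by language and severity, by security tool, and by file, and renders a markdown table usable as a pull-request comment or the audit record called for in Workflow 2. It relies on the same assumed report layout, analysisVulnerabilities[].vulnerabilities with language, severity, securityTool and file fields; the sample report is constructed.

```python
# Added example (not from the Horusec project): summarize a Horusec JSON report
# by language x severity, by security tool, and by file, and render a markdown
# table for an audit record or PR comment.
# Assumes the report layout analysisVulnerabilities[].vulnerabilities with
# language, severity, securityTool and file fields; SAMPLE_REPORT is constructed.
from collections import Counter, defaultdict
import json
import sys

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNKNOWN"]

SAMPLE_REPORT = {
    "analysisVulnerabilities": [
        {"vulnerabilities": {"language": "Python", "severity": "HIGH", "securityTool": "Bandit", "file": "src/db.py"}},
        {"vulnerabilities": {"language": "Python", "severity": "LOW", "securityTool": "Bandit", "file": "src/db.py"}},
        {"vulnerabilities": {"language": "Go", "severity": "CRITICAL", "securityTool": "GoSec", "file": "cmd/server/main.go"}},
        {"vulnerabilities": {"language": "JavaScript", "severity": "MEDIUM", "securityTool": "HorusecEngine", "file": "web/app.js"}},
        {"vulnerabilities": {"language": "Python", "severity": "MEDIUM", "securityTool": "HorusecEngine", "file": "src/config.py"}},
    ]
}


def findings(report):
    """Flatten the report to the per-finding dicts nested under 'vulnerabilities'."""
    return [e["vulnerabilities"] for e in report.get("analysisVulnerabilities", [])]


def by_language_and_severity(report):
    """{language: {severity: count}}; missing or unexpected values fall into 'Unknown'/'UNKNOWN'."""
    table = defaultdict(Counter)
    for v in findings(report):
        sev = v.get("severity", "UNKNOWN").upper()
        table[v.get("language") or "Unknown"][sev if sev in SEVERITIES else "UNKNOWN"] += 1
    return {lang: dict(c) for lang, c in table.items()}


def by_tool(report):
    """Which scanners produced findings (the 'securityTool | unique' query, with counts)."""
    return dict(Counter(v.get("securityTool", "unknown") for v in findings(report)))


def hotspot_files(report, top=5):
    """Files with the most findings, most first."""
    return Counter(v["file"] for v in findings(report)).most_common(top)


def render_markdown(report):
    """Markdown table of language x severity, rows sorted by language."""
    table = by_language_and_severity(report)
    header = "| Language | " + " | ".join(SEVERITIES) + " | Total |"
    sep = "|" + "---|" * (len(SEVERITIES) + 2)
    rows = []
    for lang in sorted(table):
        counts = table[lang]
        cells = [str(counts.get(s, 0)) for s in SEVERITIES]
        rows.append(f"| {lang} | " + " | ".join(cells) + f" | {sum(counts.values())} |")
    return "\n".join([header, sep, *rows])


if __name__ == "__main__":
    report = SAMPLE_REPORT
    if len(sys.argv) > 1:  # python summarize.py horusec-report.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    print(render_markdown(report))
    print("tools:", by_tool(report))
    print("hotspots:", hotspot_files(report, top=3))
```

Tracked across scans (step 7 of Workflow 2), the per-language row totals are the remediation trend; the hotspot list is where a single refactor pays off most.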