Resources

In this section, you will find examples and options to use Horusec-CLI.

Global flags

The current global flags on CLI are:

Flag Name	Short Flag name	Default value	Description
log-level	-	info	This configuration will define which log level you want to view, it can be: "panic" fatal" "error" "warn" "info" "debug" "trace"
config-file-path	-	Actual work directory /horusec-config.json	Directory where the configuration file is. You can perform some configurations with this file, for example, using the configuration file.

Flag Name

Short Flag name

Default value

Description

log-level

info

This configuration will define which log level you want to view, it can be:

"panic"
fatal"
"error"
"warn"
"info"
"debug"
"trace"

config-file-path

Actual work directory /horusec-config.json

Directory where the configuration file is. You can perform some configurations with this file, for example, using the configuration file.

Commands

CLI is divided in 3 main commands:

Version

Command used to verify the current Horusec version. To use it, just run:

horusec version

Generate

Command used to generate a configuration file in the current directory and it has some customization options in the analysis made by Horusec.

These configuration options are flags that you can check on the table in the end of the page, the third use option is the Start command.

horusec generate

Start

Command used to start an analysis searching possible vulnerabilities and/or to alter some configurations.

When you run the start command, there are some configuration it can be changed. These configurations can happen of 3 ways:

horusec start

Use options for the start command

1. Configuration file

On this case, all flags configuration can be performed through a file called horusec-config.json

See next, an example of a configuration file:

{
    "horusecCliCertInsecureSkipVerify": false,
    "horusecCliCertPath": "",
    "horusecCliContainerBindProjectPath": "",
    "horusecCliCustomImages": {
        "c": "",
        "csharp": "",
        "dart": "",
        "elixir": "",
        "generic": "",
        "go": "",
        "hcl": "",
        "java": "",
        "javascript": "",
        "kotlin": "",
        "leaks": "",
        "php": "",
        "python": "",
        "ruby": "",
        "shell": "",
        "yaml": ""
    },
    "horusecCliCustomRulesPath": "",
    "horusecCliDisableDocker": false,
    "horusecCliEnableCommitAuthor": false,
    "horusecCliEnableGitHistoryAnalysis": false,
    "horusecCliEnableInformationSeverity": false,
    "horusecCliFalsePositiveHashes": [],
    "horusecCliFilesOrPathsToIgnore": [
        "*tmp*",
        "**/.vscode/**"
    ],
    "horusecCliFilterPath": "",
    "horusecCliHeaders": {},
    "horusecCliHorusecApiUri": "http://0.0.0.0:8000",
    "horusecCliJsonOutputFilepath": "",
    "horusecCliMonitorRetryInSeconds": 15,
    "horusecCliPrintOutputType": "text",
    "horusecCliProjectPath": "./",
    "horusecCliRepositoryAuthorization": "00000000-0000-0000-0000-000000000000",
    "horusecCliRepositoryName": "",
    "horusecCliReturnErrorIfFoundVulnerability": false,
    "horusecCliRiskAcceptHashes": [],
    "horusecCliSeveritiesToIgnore": [
        "INFO"
    ],
    "horusecCliTimeoutInSecondsAnalysis": 600,
    "horusecCliTimeoutInSecondsRequest": 300,
    "horusecCliToolsConfig": {
        "Bandit": {
            "istoignore": false
        },
        "Brakeman": {
            "istoignore": false
        },
        "Eslint": {
            "istoignore": false
        },
        "Flawfinder": {
            "istoignore": false
        },
        "GitLeaks": {
            "istoignore": false
        },
        "GoSec": {
            "istoignore": false
        },
        "HorusecCsharp": {
            "istoignore": false
        },
        "HorusecDart": {
            "istoignore": false
        },
        "HorusecJava": {
            "istoignore": false
        },
        "HorusecKotlin": {
            "istoignore": false
        },
        "HorusecKubernetes": {
            "istoignore": false
        },
        "HorusecLeaks": {
            "istoignore": false
        },
        "HorusecNodeJS": {
            "istoignore": false
        },
        "NpmAudit": {
            "istoignore": false
        },
        "PhpCS": {
            "istoignore": false
        },
        "Safety": {
            "istoignore": false
        },
        "SecurityCodeScan": {
            "istoignore": false
        },
        "Semgrep": {
            "istoignore": false
        },
        "ShellCheck": {
            "istoignore": false
        },
        "TfSec": {
            "istoignore": false
        },
        "YarnAudit": {
            "istoignore": false
        }
    },
    "horusecCliToolsToIgnore": [],
    "horusecCliWorkDir": {
        "go": [],
        "csharp": [],
        "ruby": [],
        "python": [],
        "java": [],
        "kotlin": [],
        "javaScript": [],
        "leaks": [],
        "hcl": [],
        "php": [],
        "c": [],
        "yaml": [],
        "generic": []
    }
}

By default, Horusec will search for this automated configuration file in the same folder the horusec.start command is executed.

Therefore, you should be in the root of your project, just like the start command.

2. Environment variable

Here, you can use some environment variables to alter Horusec’s configuration options.

It’s important to remember the environment variables overwrite the configuration files options.

export HORUSEC_CLI_HORUSEC_API_URI="http://0.0.0.0:8000"
export HORUSEC_CLI_TIMEOUT_IN_SECONDS_REQUEST="300"
export HORUSEC_CLI_TIMEOUT_IN_SECONDS_ANALYSIS="600"
export HORUSEC_CLI_MONITOR_RETRY_IN_SECONDS="15"
export HORUSEC_CLI_REPOSITORY_AUTHORIZATION="00000000-0000-0000-0000-000000000000"
export HORUSEC_CLI_PRINT_OUTPUT_TYPE="text"
export HORUSEC_CLI_JSON_OUTPUT_FILEPATH=""
export HORUSEC_CLI_SEVERITIES_TO_IGNORE="INFO"
export HORUSEC_CLI_FILES_OR_PATHS_TO_IGNORE="*tmp* **/.vscode/**"
export HORUSEC_CLI_RETURN_ERROR_IF_FOUND_VULNERABILITY="false"
export HORUSEC_CLI_PROJECT_PATH="./"
export HORUSEC_CLI_FILTER_PATH=""
export HORUSEC_CLI_ENABLE_GIT_HISTORY_ANALYSIS="false"
export HORUSEC_CLI_CERT_INSECURE_SKIP_VERIFY="false"
export HORUSEC_CLI_CERT_PATH=""
export HORUSEC_CLI_ENABLE_COMMIT_AUTHOR="false"
export HORUSEC_CLI_REPOSITORY_NAME="config"
export HORUSEC_CLI_FALSE_POSITIVE_HASHES=""
export HORUSEC_CLI_RISK_ACCEPT_HASHES=""
export HORUSEC_CLI_TOOLS_TO_IGNORE=""
export HORUSEC_CLI_HEADERS=""
export HORUSEC_CLI_CONTAINER_BIND_PROJECT_PATH=""
export HORUSEC_CLI_DISABLE_DOCKER="false"
export HORUSEC_CLI_CUSTOM_RULES_PATH=""
export HORUSEC_CLI_ENABLE_INFORMATION_SEVERITY="false"

3. Flags

You can pass some flags to alter your values.

For example, it is possible to use a flag horusec start --ignore="**/*test.go" or even use a short flag horusec start -i **/*test.go.

The flags overwrite the environment variables options and the file configuration.

On the table below, you can see all the available flags. To see it better, just swipe right:

Enviroment variable	Configuration file attribute	Flag name	Short flag name	Default value	Description
HORUSEC_CLI_MONITOR_RETRY_IN_SECONDS	horusecCliMonitorRetryInSeconds	monitor-retry-count	m	15	This configuration will identify how much seconds I want to verify if my analysis is near the limit time. The minimal time is 10.
HORUSEC_CLI_SEVERITIES_TO_IGNORE	horusecCliSeveritiesToIgnore	ignore-severity	s	INFO	Esta configuração identifica quais níveis de severidade você deseja ignorar, pode ser entre: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN, INFO
HORUSEC_CLI_PRINT_OUTPUT_TYPE	horusecCliPrintOutputType	output-format	o	text	The exit can be changed among `json` or `sonarqube` or `text`
HORUSEC_CLI_TYPES_OF_VULNERABILITIES_TO_IGNORE	horusecCliTypesOfVulnerabilitiesToIgnore	ignore-severity	s		You can specify some type of vulnerability to not apply with an error. The available types are: "LOW, MEDIUM, HIGH". Example: LOW , MEDIUM all the vulnerabilities of the configured type are ignored.
HORUSEC_CLI_JSON_OUTPUT_FILEPATH	horusecCliJsonOutputFilepath	json-output-file	O		In case the exit is `sonarqube` or `json` it must have a name to be saved. Ex.:`./output.json`
HORUSEC_CLI_FILES_OR_PATHS_TO_IGNORE	horusecCliFilesOrPathsToIgnore	ignore	i		You can specify some absolute path of files and folders and even patterns to ignore in the analysis dispatch. Ex.: `/home/user/go/project/helpers/ , /home/user/go/project/utils/logger.go, */tests.go` This example shows all the files inside the helpers folder that are ignored. The logger.go is ignored and all of the finished files in tests.go. By default, Horusec doesn't make image, videos, binary and IDE folders, dependencies folders like modules and vendor analysis.
HORUSEC_CLI_HORUSEC_API_URI	horusecCliHorusecApiUri	horusec-url	u	http://0.0.0.0:8000	This configuration identifies where the URL is where the horusec-api is hosted.
HORUSEC_CLI_TIMEOUT_IN_SECONDS_REQUEST	horusecCliTimeoutInSecondsRequest	request-timeout	r	300	This configuration will identify how much time I want to wait in seconds to send the horusec-api object to analysis. The minimum time is 10.
HORUSEC_CLI_TIMEOUT_IN_SECONDS_ANALYSIS	horusecCliTimeoutInSecondsAnalysis	analysis-timeout	t	600	This configuration will identify how much time I want to wait in seconds to make an analysis that includes: "getting a project, "sending to analysis", "containers exit" and "getting an answer". The minimum time is 10.
HORUSEC_CLI_REPOSITORY_AUTHORIZATION	horusecCliRepositoryAuthorization	authorization	a	00000000-0000-0000-0000-000000000000	To run the analysis, you need an authorization token. You can get this token, generating a new token in the horusec repository. For more information, see here .
HORUSEC_CLI_RETURN_ERROR_IF_FOUND_VULNERABILITY	horusecCliReturnErrorIfFoundVulnerability	return-error	e	false	This configuration if you want to return the exit (1) if you find any vulnerability in the analysis. (Used in pipelines).
HORUSEC_CLI_PROJECT_PATH	horusecCliProjectPath	project-path	p	${CURRENT_DIRECTORY}	This configuration works if you want to change the analysis directory. If this value is not passed, Horusec will ask if you want to run the analysis in the current directory. If it passes, it will begin the analysis in the informed directory without asking.
HORUSEC_CLI_CERT_INSECURE_SKIP_VERIFY	horusecCliCertInsecureSkipVerify	insecure-skip-verify	S	false	It is used to disable the certification validation. The use is not recommended outside test cases.
HORUSEC_CLI_CERT_PATH	horusecCliCertPath	certificate-path	C		Using to pass the certificate path. Ex.:`-C="/home/example/ca.crt ".`
HORUSEC_CLI_FILTER_PATH	horusecCliFilterPath	filter-path	f		This configuration works to configure the path to run the analysis and to keep the actual path in your base. Example: a project that contains backend and frontend, you want to run in base path, but you want to analyze only the frontend, it would be `-f="./frontend"`
HORUSEC_CLI_ENABLE_GIT_HISTORY_ANALYSIS	horusecCliEnableGitHistoryAnalysis	enable-git-history		false	This configuration works to know if you want to enable the tools and the run analysis in the gitleaks in git history, searching for vulnerabilities.
HORUSEC_CLI_ENABLE_COMMIT_AUTHOR	horusecCliEnableCommitAuthor	enable-commit-author	G	false	Used to enable and disable the commit author. If the author doesn't pass, it will be empty. If it passes, you will search the git history of who is the vulnerabitity author found by Horusec. If this option is enabled the user must have git installed and the `.git` folder in the base where the analysis is running.
HORUSEC_CLI_REPOSITORY_NAME	horusecCliRepositoryName	repository-name	n		If the authorization token is from the organization, it must send the repository name to be analyze, if the repository does not exist in Horusec database, you will have to create a name presented in this configuration.
HORUSEC_CLI_FALSE_POSITIVE_HASHES	horusecCliFalsePositiveHashes	false-positive	F		Used to ignore the vulnerabilities in the analyis and configure with the type `False positive`. Pay Attention: when you add this configuration directly on CLI, it will overwrite Horusec's graphic interface configuration.
HORUSEC_CLI_RISK_ACCEPT_HASHES	horusecCliRiskAcceptHashes	risk-accept	R		Used to ignore the analysis vulnerabilities and to configure with `accepted risk` type. Pay attention when you add this configuration directly to CLI, the configuration will write the graphic interface configuration of Horusec.
HORUSEC_CLI_CUSTOM_RULES_PATH	horusecCliCustomRulesPath	custom-rules-path	c		Used to pass the path to the horusec custom rules file. Example: -c="./horusec/horusec-custom-rules.json".
HORUSEC_CLI_ENABLE_INFORMATION_SEVERITY	horusecCliEnableInformationSeverity	information-severity	I	false	Used to enable or disable information severity vulnerabilities, information vulnerabilities can contain a lot of false positives. Ex.: `I="true"`
HORUSEC_CLI_CONTAINER_BIND_PROJECT_PATH	horusecCliContainerBindProjectPath	container-bind-project-path	P		Used to pass project path in host when running horusec cli inside a container.
HORUSEC_CLI_HEADERS	horusecCliHeaders	headers		{}	Used to send dynamic headers on dispatch http request to horusec api service.
	horusecCliWorkDir			{"go": [],"csharp": [],"ruby": [],"python": [],"java": [],"kotlin": [],"javaScript": [],"leaks": [],"hcl": [],"php": [],"c": [],"yaml": [],"generic": []}	This configuration informs horusec the corrected directory to run a specific language.
	horusecCliToolsConfig			{"Bandit": {"istoignore": false},"Brakeman": {"istoignore": false},"Eslint": {"istoignore": false},"Flawfinder": {"istoignore": false},"GitLeaks": {"istoignore": false},"GoSec": {"istoignore": false},"HorusecCsharp": {"istoignore": false},"HorusecDart": {"istoignore": false},"HorusecJava": {"istoignore": false},"HorusecKotlin": {"istoignore": false},"HorusecKubernetes": {"istoignore": false},"HorusecLeaks": {"istoignore": false},"HorusecNodeJS": {"istoignore": false},"NpmAudit": {"istoignore": false},"PhpCS": {"istoignore": false},"Safety": {"istoignore": false},"SecurityCodeScan": {"istoignore": false},"Semgrep": {"istoignore": false},"ShellCheck": {"istoignore": false},"TfSec": {"istoignore": false},"YarnAudit": {"istoignore": false}}	This configuration informs Horusec which tools are enabled to perform.
	horusecCliCustomImages			{"c": "","csharp": "","dart": "","elixir": "","generic": "","go": "","hcl": "","java": "","javascript": "","kotlin": "","leaks": "","php": "","python": "","ruby": "","shell": "","yaml": ""}	This configuration informs Horusec where the language docker image is to rotate the analysis.
HORUSEC_CLI_REGISTRY_USERNAME					This configuration informs Horusec the user to download images if you have configured on a private registry.
HORUSEC_CLI_REGISTRY_PASSWORD					This configuration informs Horusec the password to download images if you have set up in a private registry.
HORUSEC_CLI_REGISTRY_ADDRESS					This configuration informs Horusec the address to download images if you have configured on a private registry.

Examples

You can see next, some use examples of commands using Horusec CLI:

Example 1: Using other directory

In this example, we used:

flag -p to inform the where the project is;
flag -a passing the authorization token to send this analysis to our web interface.

horusec start -a="REPOSITORY_TOKEN" -p="/home/user/project"

Example 2: Using the whole flag name in the directory

In this example, we used:

flag --project-path to inform where the project is;
flag --authorization passing the authorization token to send the analysis to our web interface.

horusec start --authorization="REPOSITORY_TOKEN" --project-path="/home/user/project"

Example 3: Using other whole flag name in the directory

In this example, we used:

flag -p to inform where the project is;
A flag -a passing the authorization token to send the analysis to our web interface;
A flag -i where we will ignore these folders and files.

horusec start -p="/home/user/project" -a="REPOSITORY_TOKEN" -i="**/node_modules/**, **/vendor/**, **/*_test.go"

Example 4: To get the JSON exit

In this example, we are using:

flag -p to inform where the project is;
flag -a passing the authorization token to send the analysis to our web interface;
flag -o where the output is being used is "json" and the local file output will be "./output.json”.

horusec start -p="/home/user/project" -a="REPOSITORY_TOKEN" -o="json" -O="./output.json"

Example 5: Using to get sonarqube exit

In this example, we are using:

A flag -p to inform where the project is;
A flag -a passing the authorization token to send the analysis to our web interface;
A flag -o where the output is being used is “sonarqube” and the local file output will be “./sonarqube.json”

horusec start -p="/home/user/project" -a="REPOSITORY_TOKEN" -o="sonarqube" -O="./sonarqube.json"

Example 6: Using as docker image locally

See, this example the horusec start command is already executed. When starting the image, just add the flag you want.

When the command is used this way, you need to create a volume of your project for the image and its destination location is recommended to always be in the /project location.

docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)

Example 7: Using docker image in your pipeline

Let’s use AWS Code Build as an example to perform the analysis

See, this example you have to use the sh /usr/local/bin/horusec-cli.sh command, because this script there is some necessary configurations.

To start the analysis, see the horusec start command had also started, and you just have to add the flags you want.

In pipelines it is extremely important to have the privileged configuration enabled, without this is not possible to carry out the analysis as expected.

  build:
    commands:
      - docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src/horusec horuszup/horusec-cli:latest horusec start -p /src/horusec -P $(pwd)

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified May 20, 2021: Fix version 1.0.0 with new links (a868f86)