In this section, you will find examples and options to use Horusec-CLI.

Global flags

The current global flags on CLI are:

Flag Name Short Flag name Default value Description
log-level - info

This configuration will define which log level you want to view, it can be:

  • "panic"
  • fatal"
  • "error"
  • "warn"
  • "info"
  • "debug"
  • "trace"
config-file-path - Actual work directory /horusec-config.json Directory where the configuration file is. You can perform some configurations with this file, for example, using the configuration file.


CLI is divided in 3 main commands:


Command used to verify the current Horusec version. To use it, just run:

horusec version


Command used to generate a configuration file in the current directory and it has some customization options in the analysis made by Horusec.

horusec generate


Command used to start an analysis searching possible vulnerabilities and/or to alter some configurations.

When you run the start command, there are some configuration it can be changed. These configurations can happen of 3 ways:

horusec start

Use options for the start command

1. Configuration file

On this case, all flags configuration can be performed through a file called horusec-config.json

See next, an example of a configuration file:

    "horusecCliCertInsecureSkipVerify": false,
    "horusecCliCertPath": "",
    "horusecCliContainerBindProjectPath": "",
    "horusecCliCustomImages": {
        "c": "",
        "csharp": "",
        "dart": "",
        "elixir": "",
        "generic": "",
        "go": "",
        "hcl": "",
        "java": "",
        "javascript": "",
        "kotlin": "",
        "leaks": "",
        "php": "",
        "python": "",
        "ruby": "",
        "shell": "",
        "yaml": ""
    "horusecCliCustomRulesPath": "",
    "horusecCliDisableDocker": false,
    "horusecCliEnableCommitAuthor": false,
    "horusecCliEnableGitHistoryAnalysis": false,
    "horusecCliEnableInformationSeverity": false,
    "horusecCliFalsePositiveHashes": [],
    "horusecCliFilesOrPathsToIgnore": [
    "horusecCliFilterPath": "",
    "horusecCliHeaders": {},
    "horusecCliHorusecApiUri": "",
    "horusecCliJsonOutputFilepath": "",
    "horusecCliMonitorRetryInSeconds": 15,
    "horusecCliPrintOutputType": "text",
    "horusecCliProjectPath": "./",
    "horusecCliRepositoryAuthorization": "00000000-0000-0000-0000-000000000000",
    "horusecCliRepositoryName": "",
    "horusecCliReturnErrorIfFoundVulnerability": false,
    "horusecCliRiskAcceptHashes": [],
    "horusecCliSeveritiesToIgnore": [
    "horusecCliTimeoutInSecondsAnalysis": 600,
    "horusecCliTimeoutInSecondsRequest": 300,
    "horusecCliToolsConfig": {
        "Bandit": {
            "istoignore": false
        "Brakeman": {
            "istoignore": false
        "Eslint": {
            "istoignore": false
        "Flawfinder": {
            "istoignore": false
        "GitLeaks": {
            "istoignore": false
        "GoSec": {
            "istoignore": false
        "HorusecCsharp": {
            "istoignore": false
        "HorusecDart": {
            "istoignore": false
        "HorusecJava": {
            "istoignore": false
        "HorusecKotlin": {
            "istoignore": false
        "HorusecKubernetes": {
            "istoignore": false
        "HorusecLeaks": {
            "istoignore": false
        "HorusecNodeJS": {
            "istoignore": false
        "NpmAudit": {
            "istoignore": false
        "PhpCS": {
            "istoignore": false
        "Safety": {
            "istoignore": false
        "SecurityCodeScan": {
            "istoignore": false
        "Semgrep": {
            "istoignore": false
        "ShellCheck": {
            "istoignore": false
        "TfSec": {
            "istoignore": false
        "YarnAudit": {
            "istoignore": false
    "horusecCliToolsToIgnore": [],
    "horusecCliWorkDir": {
        "go": [],
        "csharp": [],
        "ruby": [],
        "python": [],
        "java": [],
        "kotlin": [],
        "javaScript": [],
        "leaks": [],
        "hcl": [],
        "php": [],
        "c": [],
        "yaml": [],
        "generic": []

By default, Horusec will search for this automated configuration file in the same folder the horusec.start command is executed.

Therefore, you should be in the root of your project, just like the start command.

2. Environment variable

Here, you can use some environment variables to alter Horusec’s configuration options.

export HORUSEC_CLI_REPOSITORY_AUTHORIZATION="00000000-0000-0000-0000-000000000000"
export HORUSEC_CLI_FILES_OR_PATHS_TO_IGNORE="*tmp* **/.vscode/**"

3. Flags

You can pass some flags to alter your values.

For example, it is possible to use a flag horusec start --ignore="**/*test.go" or even use a short flag horusec start -i **/*test.go.

On the table below, you can see all the available flags. To see it better, just swipe right:

Enviroment variable Configuration file attribute Flag name Short flag name Default value Description
HORUSEC_CLI_MONITOR_RETRY_IN_SECONDS horusecCliMonitorRetryInSeconds monitor-retry-count m 15 This configuration will identify how much seconds I want to verify if my analysis is near the limit time. The minimal time is 10.
HORUSEC_CLI_SEVERITIES_TO_IGNORE horusecCliSeveritiesToIgnore ignore-severity s INFO Esta configuração identifica quais níveis de severidade você deseja ignorar, pode ser entre: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN, INFO
HORUSEC_CLI_PRINT_OUTPUT_TYPE horusecCliPrintOutputType output-format o text The exit can be changed among json or sonarqube or text
HORUSEC_CLI_TYPES_OF_VULNERABILITIES_TO_IGNORE horusecCliTypesOfVulnerabilitiesToIgnore ignore-severity s

You can specify some type of vulnerability to not apply with an error. The available types are: "LOW, MEDIUM, HIGH". Example: LOW , MEDIUM all the vulnerabilities of the configured type are ignored.

HORUSEC_CLI_JSON_OUTPUT_FILEPATH horusecCliJsonOutputFilepath json-output-file O In case the exit is sonarqube or json it must have a name to be saved.
HORUSEC_CLI_FILES_OR_PATHS_TO_IGNORE horusecCliFilesOrPathsToIgnore ignore i

You can specify some absolute path of files and

folders and even patterns to ignore in the analysis dispatch. Ex.: /home/user/go/project/helpers/ , /home/user/go/project/utils/logger.go, **/*tests.go This example shows all the files inside the helpers folder that are ignored. The logger.go is ignored and all of the finished files in tests.go. By default, Horusec doesn't make image, videos, binary and IDE folders, dependencies folders like modules and vendor analysis.

HORUSEC_CLI_HORUSEC_API_URI horusecCliHorusecApiUri horusec-url u This configuration identifies where the URL is where the horusec-api is hosted.
HORUSEC_CLI_TIMEOUT_IN_SECONDS_REQUEST horusecCliTimeoutInSecondsRequest request-timeout r 300 This configuration will identify how much time I want to wait in seconds to send the horusec-api object to analysis. The minimum time is 10.
HORUSEC_CLI_TIMEOUT_IN_SECONDS_ANALYSIS horusecCliTimeoutInSecondsAnalysis analysis-timeout t 600 This configuration will identify how much time I want to wait in seconds to make an analysis that includes: "getting a project, "sending to analysis", "containers exit" and "getting an answer". The minimum time is 10.
HORUSEC_CLI_REPOSITORY_AUTHORIZATION horusecCliRepositoryAuthorization authorization a 00000000-0000-0000-0000-000000000000 To run the analysis, you need an authorization token. You can get this token, generating a new token in the horusec repository. For more information, see here .
HORUSEC_CLI_RETURN_ERROR_IF_FOUND_VULNERABILITY horusecCliReturnErrorIfFoundVulnerability return-error e false This configuration if you want to return the exit (1) if you find any vulnerability in the analysis. (Used in pipelines).
HORUSEC_CLI_PROJECT_PATH horusecCliProjectPath project-path p ${CURRENT_DIRECTORY} This configuration works if you want to change the analysis directory. If this value is not passed, Horusec will ask if you want to run the analysis in the current directory. If it passes, it will begin the analysis in the informed directory without asking.
HORUSEC_CLI_CERT_INSECURE_SKIP_VERIFY horusecCliCertInsecureSkipVerify insecure-skip-verify S false It is used to disable the certification validation. The use is not recommended outside test cases.
HORUSEC_CLI_CERT_PATH horusecCliCertPath certificate-path C Using to pass the certificate path. Ex.:-C="/home/example/ca.crt ".
HORUSEC_CLI_FILTER_PATH horusecCliFilterPath filter-path f This configuration works to configure the path to run the analysis and to keep the actual path in your base. Example: a project that contains backend and frontend, you want to run in base path, but you want to analyze only the frontend, it would be -f="./frontend"
HORUSEC_CLI_ENABLE_GIT_HISTORY_ANALYSIS horusecCliEnableGitHistoryAnalysis enable-git-history false This configuration works to know if you want to enable the tools and the run analysis in the gitleaks in git history, searching for vulnerabilities.
HORUSEC_CLI_ENABLE_COMMIT_AUTHOR horusecCliEnableCommitAuthor enable-commit-author G false Used to enable and disable the commit author. If the author doesn't pass, it will be empty. If it passes, you will search the git history of who is the vulnerabitity author found by Horusec. If this option is enabled the user must have git installed and the .git folder in the base where the analysis is running.
HORUSEC_CLI_REPOSITORY_NAME horusecCliRepositoryName repository-name n If the authorization token is from the organization, it must send the repository name to be analyze, if the repository does not exist in Horusec database, you will have to create a name presented in this configuration.
HORUSEC_CLI_FALSE_POSITIVE_HASHES horusecCliFalsePositiveHashes false-positive F Used to ignore the vulnerabilities in the analyis and configure with the type False positive. Pay Attention: when you add this configuration directly on CLI, it will overwrite Horusec's graphic interface configuration.
HORUSEC_CLI_RISK_ACCEPT_HASHES horusecCliRiskAcceptHashes risk-accept R Used to ignore the analysis vulnerabilities and to configure with accepted risk type. Pay attention when you add this configuration directly to CLI, the configuration will write the graphic interface configuration of Horusec.
HORUSEC_CLI_CUSTOM_RULES_PATH horusecCliCustomRulesPath custom-rules-path c Used to pass the path to the horusec custom rules file. Example: -c="./horusec/horusec-custom-rules.json".
HORUSEC_CLI_ENABLE_INFORMATION_SEVERITY horusecCliEnableInformationSeverity information-severity I false Used to enable or disable information severity vulnerabilities, information vulnerabilities can contain a lot of false positives. Ex.: I="true"
HORUSEC_CLI_CONTAINER_BIND_PROJECT_PATH horusecCliContainerBindProjectPath container-bind-project-path P Used to pass project path in host when running horusec cli inside a container.
HORUSEC_CLI_HEADERS horusecCliHeaders headers {} Used to send dynamic headers on dispatch http request to horusec api service.
horusecCliWorkDir {"go": [],"csharp": [],"ruby": [],"python": [],"java": [],"kotlin": [],"javaScript": [],"leaks": [],"hcl": [],"php": [],"c": [],"yaml": [],"generic": []} This configuration informs horusec the corrected directory to run a specific language.
horusecCliToolsConfig {"Bandit": {"istoignore": false},"Brakeman": {"istoignore": false},"Eslint": {"istoignore": false},"Flawfinder": {"istoignore": false},"GitLeaks": {"istoignore": false},"GoSec": {"istoignore": false},"HorusecCsharp": {"istoignore": false},"HorusecDart": {"istoignore": false},"HorusecJava": {"istoignore": false},"HorusecKotlin": {"istoignore": false},"HorusecKubernetes": {"istoignore": false},"HorusecLeaks": {"istoignore": false},"HorusecNodeJS": {"istoignore": false},"NpmAudit": {"istoignore": false},"PhpCS": {"istoignore": false},"Safety": {"istoignore": false},"SecurityCodeScan": {"istoignore": false},"Semgrep": {"istoignore": false},"ShellCheck": {"istoignore": false},"TfSec": {"istoignore": false},"YarnAudit": {"istoignore": false}} This configuration informs Horusec which tools are enabled to perform.
horusecCliCustomImages {"c": "","csharp": "","dart": "","elixir": "","generic": "","go": "","hcl": "","java": "","javascript": "","kotlin": "","leaks": "","php": "","python": "","ruby": "","shell": "","yaml": ""} This configuration informs Horusec where the language docker image is to rotate the analysis.
HORUSEC_CLI_REGISTRY_USERNAME This configuration informs Horusec the user to download images if you have configured on a private registry.
HORUSEC_CLI_REGISTRY_PASSWORD This configuration informs Horusec the password to download images if you have set up in a private registry.
HORUSEC_CLI_REGISTRY_ADDRESS This configuration informs Horusec the address to download images if you have configured on a private registry.


You can see next, some use examples of commands using Horusec CLI:

Example 1: Using other directory

In this example, we used:

  • flag -p to inform the where the project is;
  • flag -a passing the authorization token to send this analysis to our web interface.
horusec start -a="REPOSITORY_TOKEN" -p="/home/user/project"

Example 2: Using the whole flag name in the directory

In this example, we used:

  • flag --project-path to inform where the project is;
  • flag --authorization passing the authorization token to send the analysis to our web interface.
horusec start --authorization="REPOSITORY_TOKEN" --project-path="/home/user/project" 

Example 3: Using other whole flag name in the directory

In this example, we used:

  • flag -p to inform where the project is;
  • A flag -a passing the authorization token to send the analysis to our web interface;
  • A flag -i where we will ignore these folders and files.
horusec start -p="/home/user/project" -a="REPOSITORY_TOKEN" -i="**/node_modules/**, **/vendor/**, **/*_test.go"

Example 4: To get the JSON exit

In this example, we are using:

  • flag -p to inform where the project is;
  • flag -a passing the authorization token to send the analysis to our web interface;
  • flag -o where the output is being used is "json" and the local file output will be "./output.json”.
horusec start -p="/home/user/project" -a="REPOSITORY_TOKEN" -o="json" -O="./output.json"

Example 5: Using to get sonarqube exit

In this example, we are using:

  • A flag -p to inform where the project is;
  • A flag -a passing the authorization token to send the analysis to our web interface;
  • A flag -o where the output is being used is “sonarqube” and the local file output will be “./sonarqube.json”
horusec start -p="/home/user/project" -a="REPOSITORY_TOKEN" -o="sonarqube" -O="./sonarqube.json"

Example 6: Using as docker image locally

See, this example the horusec start command is already executed. When starting the image, just add the flag you want.

When the command is used this way, you need to create a volume of your project for the image and its destination location is recommended to always be in the /project location.

docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)

Example 7: Using docker image in your pipeline

Let’s use AWS Code Build as an example to perform the analysis

See, this example you have to use the sh /usr/local/bin/ command, because this script there is some necessary configurations.

To start the analysis, see the horusec start command had also started, and you just have to add the flags you want.

      - docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src/horusec horuszup/horusec-cli:latest horusec start -p /src/horusec -P $(pwd)

Last modified May 20, 2021: Fix version 1.0.0 with new links (a868f86)