Other Tools
Other Tools
There are SAST tools which Horusec works in vulnerabilities identification. Check them below:
Bandit
Bandit is a tool able to find common security problems on Python code. To understand better Bandit’s criteria, you can access the rules list applied to analysis.
Brakeman
Brakeman is a static analysis tool, that verifies the Ruby on Rails applications to search for any security vulnerabilities.
If you want to understand more about Brakemen criteria, access the vulnerabilities list that can found by the tool.
Flawfinder
Flawfinder is an open source tool that scans and repots potencial security flaws on C/C++ source code. Besides searching for vulnerabilities, this tool can also serve as a simple introduction to static source code analysis.
GoSec
Gosec is a tool that checks the source code in order to search for security issues, inspecting the Go AST in application using GoLang.
If you want to know more about Gosec criteria, access the rules list the tool applies in its analysis.
GitLeaks
GitLeaks is a SAST tool to dectect encrypted code like passwords, API keys and tokens in all git repository history.
If you want to know more about GitLeaks criteria, access the rules list that the tool applies in its analysis.
NpmAudit
NpmAudit is a security tool that makes dependencies audit if you use npm packages on Javascript projects.
For that, it sends a description of the configured dependencies in your project to the default register and requests a report of the known vulnerabilities.
PHP Code Sniffer
PHP Code Sniffer is a set of PHP_CodeSniffer rules that identifies vulnerabilities and weaknesses related to PHP code security.
Safety
Safety is a tool that verifies your installed dependencies and search security vulnerabilities in Python applications. By default, it uses Safety DB an open Python vulnerabilities database.
Security Code Scan
Security Code Scan is a security tool for applications that use .NetCore or .Net.
There are two ways to use it, both applied on Horusec analysis:
- To developers;
- To auditors.
If you want to know more about the Security Code Scan, access the rules list the tool applies in its analysis.
Semgrep
Semgrep is a SAST tool, that excels at expressing code standards — without complicated queries — and surfacing bugs early at editor, commit, and CI time. Precise rules look like the code you’re searching; no more traversing abstract syntax trees or wrestling with regexes.
If you want to know more about Semgrep criteria, access the rules list that the tool applies in its analysis.
TFSec
TFSec is a security tool that uses static analysis of terraform templates to detect security issues. See below the rules list this tool applies in its analysis:
YarnAudit
YarnAudit is a security tool that makes dependency audit on yarn packages on Javascript projects.
It sends a description of the configured dependencies of your project to the default register and requests a report of the vulnerabilities.
ShellCheck
ShellCheck is a GPLv3 security tool that offers warnings and suggestions for bash/shell/bat scripts. It points out to the user:
- syntax issues that cause a shell to give cryptic error messages;
- semantic problems that cause a shell to behave strangely and counter-intuitively;
- subtle caveats, corner cases and pitfalls that may cause a working script to fail.
MixAudit
MixAudit is security tool for Elixir programming language that provides a mix deps.audit task to scan dependencies for security vulnerabilities.
MixAudit builds two lists when it’s executed in a project:
- A list of security advisories fetched from the elixir-security-advisories repository.
- A list of Mix dependencies from the various mix.lock files in the project.
After that, it loops through each project dependency and tries to find security advisories that apply to it.
Sobelow
Sobelow is a static security tool focused on the analysis of the Phoenix framework and its Elixir programming language.
It is a useful tool for getting a quick view of points-of-interest and it can be used to prevent the introduction of a number of common vulnerabilities. Potential vulnerabilities are flagged in different colors according to confidence in their insecurity.
Sobelow detects some types of the following security issues like:
- Insecure configuration;
- Known-vulnerable dependencies;
- Cross-Site scripting
- SQL injection;
- Command injection;
- Code execution;
- Denial of service;
- Transversal directory ;
- Unsafe serialization.
Bundler Audit
The Bundler Audit It is a security tool for Ruby’s dependence audit in order to ensure that applications run the same code on all machines. It does this by managing the gems that the application depends on. Given a list of gems, it can automatically download and install those gems, as well as any other gems needed by the gems that are listed. Before installing gems, it checks the versions of every gem to make sure that they are compatible, and can all be loaded at the same time. After the gems have been installed, Bundler can help you update some or all of them when new versions become available. Finally, it records the exact versions that have been installed, so that others can install the exact same gems.
Owasp Dependency Check
Owasp Dependency Check is a tool that detects publicly vulnerabilities contained in a project’s dependencies. It determines if there is an identifier for any dependency, when found, it will generate a report including the associated CVE.
This tool is disabled by default on Horusec, because it increases the analysis time. If you want to enable it, just use the flag -w true
or -w
.
DotNet CLI
The dotnet list package
command is an option to list all the NuGet’s packages references for a project or a solution. You can also list all the vulnerabilities dependencies of your project.
Nancy
Nancy is a tool to verify vulnerabilities and its Golang’s dependencies.
Trivy
Trivy is a simple and comprehensive vulnerability/misconfiguration scanner for containers and other artifacts. A software vulnerability is a glitch or a weakness present in the software or in an Operating System. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.). Trivy also scans Infrastructure as Code (IaC) files such as Terraform and Kubernetes, to detect potential configuration issues that expose your deployments to the risk of attack.
Checkov
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, Kubernetes, Dockerfile, Serverless or ARM Templates and detects security and compliance misconfigurations using graph-based scanning. Checkov also powers Bridgecrew, the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Bridgecrew identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.