These are the SAST tools Horusec uses to identify vulnerabilities. Check them below:
Brakeman is a static analysis tool that checks Ruby on Rails applications for security vulnerabilities.
If you want to understand more about Brakeman's criteria, access the list of vulnerabilities that can be found by the tool.
Flawfinder is an open source tool that scans C/C++ source code and reports potential security flaws. Besides searching for vulnerabilities, this tool can also serve as a simple introduction to static source code analysis.
Gosec is a tool that checks Go source code for security issues by inspecting the Go AST of the application.
If you want to know more about Gosec criteria, access the rules list the tool applies in its analysis.
If you want to know more about GitLeaks criteria, access the rules list that the tool applies in its analysis.
For that, it sends a description of the dependencies configured in your project to the default registry and requests a report of the known vulnerabilities.
PHP Code Sniffer
Security Code Scan
Security Code Scan is a security tool for applications that use .NET Core or .NET.
There are two ways to use it, both applied on Horusec analysis:
- To developers;
- To auditors.
If you want to know more about the Security Code Scan, access the rules list the tool applies in its analysis.
Semgrep is a SAST tool that excels at expressing code standards — without complicated queries — and surfacing bugs early at editor, commit, and CI time. Precise rules look like the code you're searching for; no more traversing abstract syntax trees or wrestling with regexes.
If you want to know more about Semgrep criteria, access the rules list that the tool applies in its analysis.
TFSec is a security tool that uses static analysis of Terraform templates to detect security issues. See below the rules list this tool applies in its analysis:
It sends a description of the dependencies configured in your project to the default registry and requests a report of the known vulnerabilities.
ShellCheck is a GPLv3 security tool that offers warnings and suggestions for bash/shell/bat scripts. It points out:
- syntax issues that cause a shell to give cryptic error messages;
- semantic problems that cause a shell to behave strangely and counter-intuitively;
- subtle caveats, corner cases and pitfalls that may cause a working script to fail.
MixAudit is a security tool for the Elixir programming language that provides a mix deps.audit task to scan dependencies for security vulnerabilities.
MixAudit builds two lists when it’s executed in a project:
- A list of security advisories fetched from the elixir-security-advisories repository.
- A list of Mix dependencies from the various mix.lock files in the project.
After that, it loops through each project dependency and tries to find security advisories that apply to it.
Sobelow is a static security analysis tool focused on the Elixir-based Phoenix framework.
It is a useful tool for getting a quick view of points of interest, and it can be used to prevent the introduction of a number of common vulnerabilities. Potential vulnerabilities are flagged in different colors according to the confidence that they are insecure.
Sobelow detects the following types of security issues:
- Insecure configuration;
- Known-vulnerable dependencies;
- Cross-site scripting;
- SQL injection;
- Command injection;
- Code execution;
- Denial of service;
- Directory traversal;
- Unsafe serialization.
Bundler Audit is a security tool for auditing Ruby dependencies. Bundler ensures that applications run the same code on all machines by managing the gems that the application depends on. Given a list of gems, it can automatically download and install those gems, as well as any other gems needed by the gems that are listed. Before installing gems, it checks the versions of every gem to make sure that they are compatible and can all be loaded at the same time. After the gems have been installed, Bundler can help you update some or all of them when new versions become available. Finally, it records the exact versions that have been installed, so that others can install the exact same gems.
Owasp Dependency Check
OWASP Dependency Check is a tool that detects publicly disclosed vulnerabilities contained in a project's dependencies. It determines whether there is a known identifier for each dependency and, when one is found, generates a report including the associated CVE entries.
This tool is disabled by default in Horusec because it increases the analysis time. If you want to enable it, just use the flag
-w true or
The dotnet list package command lists all the NuGet package references for a project or a solution. It can also list all the vulnerable dependencies of your project.
Nancy is a tool that checks Go dependencies for known vulnerabilities.
Trivy is a simple and comprehensive vulnerability/misconfiguration scanner for containers and other artifacts. A software vulnerability is a glitch or a weakness present in the software or in an operating system. Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and language-specific packages (Bundler, Composer, npm, yarn, etc.). Trivy also scans Infrastructure as Code (IaC) files such as Terraform and Kubernetes manifests to detect potential configuration issues that expose your deployments to the risk of attack.
Checkov is a static code analysis tool for infrastructure as code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, CloudFormation, Kubernetes, Dockerfile, Serverless or ARM templates and detects security and compliance misconfigurations using graph-based scanning. Checkov also powers Bridgecrew, the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Bridgecrew identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files.