Commands & Flags
In this section, you will find examples and options to use Horusec-CLI.
Global flags
The current global flags on CLI are:
| Flag Name | Short Flag name | Default value | Description |
|---|---|---|---|
| log-level | - | info |
This configuration will define which log level you want to view, it can be:
|
| config-file-path | - | Actual work directory /horusec-config.json | Directory where the configuration file is. You can perform some configurations with this file, for example, using the configuration file. |
Commands
CLI is divided in 3 main commands:
Version
Command used to verify the current Horusec version. To use it, just run:
horusec version
Generate
Command used to generate a configuration file in the current directory and it has some customization options in the analysis made by Horusec.
These configuration options are flags that you can check on the table in the end of the page, the third use option is the Start command.
horusec generate
Start
Command used to start an analysis searching possible vulnerabilities and/or to alter some configurations.
When you run the start command, there are some configuration it can be changed. These configurations can happen of 3 ways:
horusec start
Horusec CLI works directly with Docker environment variables. For more information about these variables and a description of each one of them, check out Docker’s documentation.
Use options for the start command
1. Configuration file
On this case, all flags configuration can be performed through a file called horusec-config.json
See next, an example of a configuration file:
{
"horusecCliCertInsecureSkipVerify": false,
"horusecCliCertPath": "",
"horusecCliContainerBindProjectPath": "",
"horusecCliCustomImages": {
"c": "",
"csharp": "",
"dart": "",
"elixir": "",
"generic": "",
"go": "",
"hcl": "",
"java": "",
"javascript": "",
"kotlin": "",
"leaks": "",
"php": "",
"python": "",
"ruby": "",
"shell": "",
"yaml": ""
},
"horusecCliCustomRulesPath": "",
"horusecCliDisableDocker": false,
"horusecCliEnableCommitAuthor": false,
"horusecCliEnableGitHistoryAnalysis": false,
"horusecCliEnableInformationSeverity": false,
"horusecCliEnableOwaspDependencyCheck": false,
"horusecCliFalsePositiveHashes": [],
"horusecCliLogFilePath": "./tmp",
"horusecCliFilesOrPathsToIgnore":
[
"*tmp*",
"**/.vscode/**"
],
"horusecCliEnableShellcheck": false,
"horusecCliFilterPath": "",
"horusecCliHeaders": {},
"horusecCliHorusecApiUri": "http://0.0.0.0:8000",
"horusecCliJsonOutputFilepath": "",
"horusecCliMonitorRetryInSeconds": 15,
"horusecCliPrintOutputType": "text",
"horusecCliProjectPath": "./",
"horusecCliRepositoryAuthorization": "00000000-0000-0000-0000-000000000000",
"horusecCliRepositoryName": "",
"horusecCliReturnErrorIfFoundVulnerability": false,
"horusecCliRiskAcceptHashes": [],
"horusecCliSeveritiesToIgnore": [
"INFO"
],
"horusecCliTimeoutInSecondsAnalysis": 600,
"horusecCliTimeoutInSecondsRequest": 300,
"horusecCliToolsConfig": {
"Bandit": {
"istoignore": false
},
"Brakeman": {
"istoignore": false
},
"Eslint": {
"istoignore": false
},
"Flawfinder": {
"istoignore": false
},
"GitLeaks": {
"istoignore": false
},
"GoSec": {
"istoignore": false
},
"HorusecCsharp": {
"istoignore": false
},
"HorusecDart": {
"istoignore": false
},
"HorusecJava": {
"istoignore": false
},
"HorusecKotlin": {
"istoignore": false
},
"HorusecKubernetes": {
"istoignore": false
},
"HorusecLeaks": {
"istoignore": false
},
"HorusecNodeJS": {
"istoignore": false
},
"NpmAudit": {
"istoignore": false
},
"PhpCS": {
"istoignore": false
},
"Safety": {
"istoignore": false
},
"SecurityCodeScan": {
"istoignore": false
},
"Semgrep": {
"istoignore": false
},
"ShellCheck": {
"istoignore": false
},
"TfSec": {
"istoignore": false
},
"YarnAudit": {
"istoignore": false
},
"DotnetCli": {
"istoignore": false
},
"Nancy": {
"istoignore": false
}
},
"horusecCliWorkDir": {
"go": [],
"csharp": [],
"ruby": [],
"python": [],
"java": [],
"kotlin": [],
"javaScript": [],
"leaks": [],
"hcl": [],
"php": [],
"c": [],
"yaml": [],
"generic": [],
"elixir": [],
"shell": [],
"dart": [],
"nginx": []
}
}
By default, Horusec will search for this automated configuration file in the same folder the horusec.start command is executed.
Therefore, you should be in the root of your project, just like the start command.
2. Environment variable
Here, you can use some environment variables to alter Horusec’s configuration options.
It’s important to remember the environment variables overwrite the configuration files options.
export HORUSEC_CLI_HORUSEC_API_URI="http://0.0.0.0:8000"
export HORUSEC_CLI_TIMEOUT_IN_SECONDS_REQUEST="300"
export HORUSEC_CLI_TIMEOUT_IN_SECONDS_ANALYSIS="600"
export HORUSEC_CLI_MONITOR_RETRY_IN_SECONDS="15"
export HORUSEC_CLI_REPOSITORY_AUTHORIZATION="00000000-0000-0000-0000-000000000000"
export HORUSEC_CLI_PRINT_OUTPUT_TYPE="text"
export HORUSEC_CLI_JSON_OUTPUT_FILEPATH=""
export HORUSEC_CLI_SEVERITIES_TO_IGNORE="INFO"
export HORUSEC_CLI_FILES_OR_PATHS_TO_IGNORE="*tmp*, **/.vscode/**"
export HORUSEC_CLI_RETURN_ERROR_IF_FOUND_VULNERABILITY="false"
export HORUSEC_CLI_PROJECT_PATH="./"
export HORUSEC_CLI_FILTER_PATH=""
export HORUSEC_CLI_ENABLE_GIT_HISTORY_ANALYSIS="false"
export HORUSEC_CLI_CERT_INSECURE_SKIP_VERIFY="false"
export HORUSEC_CLI_CERT_PATH=""
export HORUSEC_CLI_ENABLE_COMMIT_AUTHOR="false"
export HORUSEC_CLI_REPOSITORY_NAME="config"
export HORUSEC_CLI_FALSE_POSITIVE_HASHES=""
export HORUSEC_CLI_RISK_ACCEPT_HASHES=""
export HORUSEC_CLI_TOOLS_TO_IGNORE=""
export HORUSEC_CLI_HEADERS=""
export HORUSEC_CLI_CONTAINER_BIND_PROJECT_PATH=""
export HORUSEC_CLI_DISABLE_DOCKER="false"
export HORUSEC_CLI_CUSTOM_RULES_PATH=""
export HORUSEC_CLI_ENABLE_INFORMATION_SEVERITY="false"
export HORUSEC_CLI_ENABLE_OWASP_DEPENDENCY_CHECK="false"
export HORUSEC_CLI_ENABLE_SHELLCHECK="false"
export HORUSEC_CLI_LOG_FILE_PATH="./tmp"
3. Flags
You can pass some flags to alter your values.
For example, it is possible to use a flag
horusec start --ignore="**/*test.go"
or even use a short flag
horusec start -i **/*test.go.
The flags overwrite the environment variables options and the file configuration.
On the table below, you can see all the available flags. To see it better, just swipe right:
| Environment variable | Configuration file attribute | Flag name | Short flag name | Default value | Description |
|---|---|---|---|---|---|
| HORUSEC_CLI_MONITOR_RETRY_IN_SECONDS | horusecCliMonitorRetryInSeconds | monitor-retry-count | m | 15 | This configuration will identify how much seconds I want to verify if my analysis is near the limit time. The minimal time is 10. |
| HORUSEC_CLI_SEVERITIES_TO_IGNORE | horusecCliSeveritiesToIgnore | ignore-severity | s | INFO | This configuration identifies which severity level you want to ignore, it can be: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN, INFO |
| HORUSEC_CLI_PRINT_OUTPUT_TYPE | horusecCliPrintOutputType | output-format | o | text | The exit can be changed among json or sonarqube or text
|
|
|
|||||
| HORUSEC_CLI_JSON_OUTPUT_FILEPATH | horusecCliJsonOutputFilepath | json-output-file | O | In case the exit is sonarqube or json it must have
a name to be saved.
Ex.: ./output.json
|
|
| HORUSEC_CLI_FILES_OR_PATHS_TO_IGNORE | horusecCliFilesOrPathsToIgnore | ignore | i |
You can specify some absolute path of files and folders and even patterns to ignore in the analysis dispatch. Ex.: |
|
| HORUSEC_CLI_HORUSEC_API_URI | horusecCliHorusecApiUri | horusec-url | u | http://0.0.0.0:8000 | This configuration identifies where the URL is where the horusec-api is hosted. |
| HORUSEC_CLI_TIMEOUT_IN_SECONDS_REQUEST | horusecCliTimeoutInSecondsRequest | request-timeout | r | 300 | This configuration will identify how much time I want to wait in seconds to send the horusec-api object to analysis. The minimum time is 10. |
| HORUSEC_CLI_TIMEOUT_IN_SECONDS_ANALYSIS | horusecCliTimeoutInSecondsAnalysis | analysis-timeout | t | 600 | This configuration will identify how much time I want to wait in seconds to make an analysis that includes: "getting a project, "sending to analysis", "containers exit" and "getting an answer". The minimum time is 10. |
| HORUSEC_CLI_REPOSITORY_AUTHORIZATION | horusecCliRepositoryAuthorization | authorization | a | 00000000-0000-0000-0000-000000000000 | To run the analysis, you need an authorization token. You can get this token, generating a new token in the horusec repository. For more information, see here . |
| HORUSEC_CLI_RETURN_ERROR_IF_FOUND_VULNERABILITY | horusecCliReturnErrorIfFoundVulnerability | return-error | e | false | This configuration if you want to return the exit (1) if you find any vulnerability in the analysis. (Used in pipelines). |
| HORUSEC_CLI_PROJECT_PATH | horusecCliProjectPath | project-path | p | ${CURRENT_DIRECTORY} | This configuration works if you want to change the analysis directory. If this value is not passed, Horusec will ask if you want to run the analysis in the current directory. If it passes, it will begin the analysis in the informed directory without asking. |
| HORUSEC_CLI_CERT_INSECURE_SKIP_VERIFY | horusecCliCertInsecureSkipVerify | insecure-skip-verify | S | false | It is used to disable the certification validation. The use is not recommended outside test cases. |
| HORUSEC_CLI_CERT_PATH | horusecCliCertPath | certificate-path | C | Using to pass the certificate path. Ex.:-C="/home/example/ca.crt ".
|
|
| HORUSEC_CLI_FILTER_PATH | horusecCliFilterPath | filter-path | f | This configuration works to configure the path to run the analysis and
to keep the actual path in your base. Example: a project that contains
backend and frontend, you want to run in base path, but you want to analyze
only the frontend, it would be -f="./frontend"
|
|
| HORUSEC_CLI_ENABLE_GIT_HISTORY_ANALYSIS | horusecCliEnableGitHistoryAnalysis | enable-git-history | false | This configuration works to know if you want to enable the tools and the run analysis in the gitleaks in git history, searching for vulnerabilities. | |
| HORUSEC_CLI_ENABLE_COMMIT_AUTHOR | horusecCliEnableCommitAuthor | enable-commit-author | G | false | Used to enable and disable the commit author. If the author doesn't
pass, it will be empty. If it passes, you will search the git history of
who is the vulnerabitity author found by Horusec. If this option is enabled
the user must have git installed and the .git folder in the
base where the analysis is running. |
| HORUSEC_CLI_REPOSITORY_NAME | horusecCliRepositoryName | repository-name | n | If the authorization token is from the organization, it must send the repository name to be analyze, if the repository does not exist in Horusec database, you will have to create a name presented in this configuration. | |
| HORUSEC_CLI_FALSE_POSITIVE_HASHES | horusecCliFalsePositiveHashes | false-positive | F | Used to ignore the vulnerabilities in the analyis and configure with the type False positive.
Pay Attention: when you add this configuration directly on CLI, it will overwrite Horusec's graphic interface configuration. |
|
| HORUSEC_CLI_RISK_ACCEPT_HASHES | horusecCliRiskAcceptHashes | risk-accept | R | Used to ignore the analysis vulnerabilities and to configure with accepted risk type.
Pay attention when you add this configuration directly to CLI, the configuration
will write the graphic interface configuration of Horusec. |
|
| HORUSEC_CLI_CUSTOM_RULES_PATH | horusecCliCustomRulesPath | custom-rules-path | c | Used to pass the path to the horusec custom rules file. Example: -c="./horusec/horusec-custom-rules.json". | |
| HORUSEC_CLI_ENABLE_INFORMATION_SEVERITY | horusecCliEnableInformationSeverity | information-severity | I | false | Used to enable or disable information severity vulnerabilities, information
vulnerabilities can contain a lot of false positives. Ex.: I="true"
|
| HORUSEC_CLI_CONTAINER_BIND_PROJECT_PATH | horusecCliContainerBindProjectPath | container-bind-project-path | P | Used to pass project path in host when running horusec cli inside a container. | |
| HORUSEC_CLI_HEADERS | horusecCliHeaders | headers | {} | Used to send dynamic headers on dispatch http request to horusec api service. | |
| horusecCliWorkDir | {"go": [],"csharp": [],"ruby": [],"python": [],"java": [],"kotlin": [],"javaScript": [],"leaks": [],"hcl": [],"php": [],"c": [],"yaml": [],"generic": [],"elixir": [],"shell": [],"dart": [],"nginx": []} | This configuration informs horusec the corrected directory to run a specific language. | |||
| horusecCliToolsConfig | {"Bandit": {"istoignore": false},"Brakeman": {"istoignore": false},"BundlerAudit": {"istoignore": false},"Flawfinder": {"istoignore": false},"GitLeaks": {"istoignore": false},"GoSec": {"istoignore": false},"HorusecEngine": {"istoignore": false},"MixAudit": {"istoignore": false},"NpmAudit": {"istoignore": false},"PhpCS": {"istoignore": false},"Safety": {"istoignore": false},"SecurityCodeScan": {"istoignore": false},"Semgrep": {"istoignore": false},"ShellCheck": {"istoignore": false},"Sobelow": {"istoignore": false},"TfSec": {"istoignore": false} | This configuration informs Horusec which tools are enabled to perform. | |||
| horusecCliCustomImages | {"c": "","csharp": "","elixir": "","generic": "","go": "","hcl": "","javascript": "","leaks": "","php": "","python": "","ruby": "","shell": ""} | This configuration informs Horusec where the language docker image is to rotate the analysis. | |||
| HORUSEC_CLI_REGISTRY_USERNAME | This configuration informs Horusec the user to download images if you have configured on a private registry. | ||||
| HORUSEC_CLI_REGISTRY_PASSWORD | This configuration informs Horusec the password to download images if you have set up in a private registry. | ||||
| HORUSEC_CLI_REGISTRY_ADDRESS | This configuration informs Horusec the address to download images if you have configured on a private registry. | ||||
| HORUSEC_CLI_ENABLE_OWASP_DEPENDENCY_CHECK | horusecCliEnableOwaspDependencyCheck | enable-owasp-dependency-check | -w | false | Enables the owasp dependency check tool, it performs the dependencies analysis. `Ex: -w` |
| HORUSEC_CLI_ENABLE_SHELLCHECK | horusecCliEnableShellcheck | enable-shellcheck | j | false | Enables the shellcheck tool, it checks for errors in sh files. Ex: -j. |
| HORUSEC_CLI_LOG_FILE_PATH | horusecCliLogFilePath | log-file-path | l | ./tmp/horusec/ | Change the default log file path. |
| HORUSEC_CLI_SHOW_VULNERABILITIES_TYPES | horusecCliShowVulnerabilities | show-vulnerabilities-types | Vulnerability | Used to show the vulnerabilities of the reported types. Example --show-vulnerabilities-types="Vulnerability, Risk Accepted, Corrected". | |
| GITHUB_TOKEN | This environment variable is consumed by tools that require integration with Github's APIs as the Nancy in order to avoid the "rate-limiting" error |
Examples
You can see next, some use examples of commands using Horusec CLI:
Example 1: Using other directory
In this example, we used:
flag -pto inform the where the project is;flag -apassing the authorization token to send this analysis to our web interface.
horusec start -a="REPOSITORY_TOKEN" -p="/home/user/project"
Example 2: Using the whole flag name in the directory
In this example, we used:
flag --project-pathto inform where the project is;flag --authorizationpassing the authorization token to send the analysis to our web interface.
horusec start --authorization="REPOSITORY_TOKEN" --project-path="/home/user/project"
Example 3: Using other whole flag name in the directory
In this example, we used:
flag -pto inform where the project is;- A
flag -apassing the authorization token to send the analysis to our web interface; - A
flag -iwhere we will ignore these folders and files.
horusec start -p="/home/user/project" -a="REPOSITORY_TOKEN" -i="**/node_modules/**, **/vendor/**, **/*_test.go"
Example 4: To get the JSON exit
In this example, we are using:
flag -pto inform where the project is;flag -apassing the authorization token to send the analysis to our web interface;flag -owhere the output is being used is"json"and the local file output will be"./output.json”.
horusec start -p="/home/user/project" -a="REPOSITORY_TOKEN" -o="json" -O="./output.json"
Example 5: Using to get sonarqube exit
In this example, we are using:
- A
flag -pto inform where the project is; - A
flag -apassing the authorization token to send the analysis to our web interface; - A
flag -owhere the output is being used is“sonarqube”and the local file output will be“./sonarqube.json”
horusec start -p="/home/user/project" -a="REPOSITORY_TOKEN" -o="sonarqube" -O="./sonarqube.json"
Example 6: Using as docker image locally
See, this example the horusec start command is already executed. When starting the image, just add the flag you want.
When the command is used this way, you need to create a volume of your project for the image and its destination location is recommended to always be in the /project location.
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)
Example 7: Using docker image in your pipeline
Let’s use AWS Code Build as an example to perform the analysis
See, this example you have to use the sh /usr/local/bin/horusec-cli.sh command, because this script there is some necessary configurations.
To start the analysis, see the horusec start command had also started, and you just have to add the flags you want.
In pipelines it is extremely important to have the privileged configuration enabled, without this is not possible to carry out the analysis as expected.
build:
commands:
- docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src/horusec horuszup/horusec-cli:latest horusec start -p /src/horusec -P $(pwd)
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
Last modified January 17, 2022: Fixed typos on the CLI' log-level global flag description (#145) (458f1aea)