agentsecops/sast-horusec
skills/secsdlc/sast-horusec/SKILL.md
Multi-language static application security testing using Horusec with support for 18+ programming languages and 20+ security analysis tools. Performs SAST scans, secret detection in git history, and provides vulnerability findings with severity classification. Use when: (1) Analyzing code for security vulnerabilities across multiple languages simultaneously, (2) Detecting exposed secrets and credentials in git history, (3) Integrating SAST into CI/CD pipelines for secure SDLC, (4) Performing comprehensive security analysis during development, (5) Managing false positives and prioritizing security findings.
$ install --global
skillsauthnpx skillsauth add agentsecops/secopsagentkit sast-horusecInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 30, 2026, 5:07 PM54.6s5 files scanned
SKILL.md
- name:
- sast-horusec
- description:
- >
- and provides vulnerability findings with severity classification. Use when:
- (1) Analyzing code
- version:
- 0.1.0
- maintainer:
- asrour
- category:
- secsdlc
- tags:
- [sast, horusec, vulnerability-scanning, multi-language, secrets-detection, static-analysis, secure-sdlc]
- frameworks:
- [OWASP, CWE]
- tools:
- [docker, git]
- - https:
- //docs.horusec.io/
Horusec SAST Scanner
Overview
Horusec is an open-source security analysis tool that performs static code analysis across 18+ programming languages using 20+ integrated security tools. It identifies vulnerabilities during development, scans git history for exposed secrets, and integrates seamlessly into CI/CD pipelines for secure SDLC practices.
Supported Languages
C#, Java, Kotlin, Python, Ruby, Golang, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx
Quick Start
Run Horusec scan on current project:
# Using Docker (recommended)
docker run -v /var/run/docker.sock:/var/run/docker.sock \
-v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)
# Local installation
horusec start -p ./path/to/project
Core Workflows
Workflow 1: Local Security Scan
For developers performing pre-commit security analysis:
- Navigate to project directory
- Run Horusec scan:
horusec start -p . -o json -O horusec-report.json - Review JSON output for vulnerabilities
- Filter by severity (HIGH, MEDIUM, LOW, INFO)
- Address critical and high-severity findings
- Re-scan to validate fixes
Workflow 2: CI/CD Pipeline Integration
Progress: [ ] 1. Add Horusec to CI/CD pipeline configuration [ ] 2. Configure output format (JSON for automated processing) [ ] 3. Set severity threshold for build failures [ ] 4. Run scan on each commit or pull request [ ] 5. Parse results and fail build on high-severity findings [ ] 6. Generate security reports for audit trail [ ] 7. Track remediation progress over time
Work through each step systematically. Check off completed items.
Workflow 3: Git History Secret Scanning
For detecting exposed credentials and secrets:
- Run Horusec with git history analysis enabled:
horusec start -p . --enable-git-history-analysis - Review detected secrets and credentials
- Rotate compromised credentials immediately
- Add detected patterns to
.gitignoreand.horusec/config.json - Use git-filter-branch or BFG Repo-Cleaner to remove from history (if needed)
- Document incident and update security procedures
Workflow 4: False Positive Management
When managing scan results and reducing noise:
- Run initial scan and export results:
horusec start -p . -o json -O results.json - Review findings and identify false positives
- Create or update
.horusec/config.jsonwith ignore rules:{ "horusecCliRiskAcceptHashes": ["hash1", "hash2"], "horusecCliFilesOrPathsToIgnore": ["**/test/**", "**/vendor/**"] } - Re-run scan to verify false positives are suppressed
- Document risk acceptance decisions for compliance
- Periodically review ignored findings
Configuration
Create .horusec/config.json in project root for custom configuration:
{
"horusecCliCertInsecureSkipVerify": false,
"horusecCliCertPath": "",
"horusecCliContainerBindProjectPath": "",
"horusecCliCustomImages": {},
"horusecCliCustomRulesPath": "",
"horusecCliDisableDocker": false,
"horusecCliFalsePositiveHashes": [],
"horusecCliFilesOrPathsToIgnore": [
"**/node_modules/**",
"**/vendor/**",
"**/*_test.go",
"**/test/**"
],
"horusecCliHeaders": {},
"horusecCliHorusecApiUri": "",
"horusecCliJsonOutputFilePath": "./horusec-report.json",
"horusecCliLogFilePath": "./horusec.log",
"horusecCliMonitorRetryInSeconds": 15,
"horusecCliPrintOutputType": "text",
"horusecCliProjectPath": ".",
"horusecCliRepositoryAuthorization": "",
"horusecCliRepositoryName": "",
"horusecCliReturnErrorIfFoundVulnerability": false,
"horusecCliRiskAcceptHashes": [],
"horusecCliTimeoutInSecondsAnalysis": 600,
"horusecCliTimeoutInSecondsRequest": 300,
"horusecCliToolsConfig": {},
"horusecCliWorkDir": ".horusec"
}
Output Formats
Horusec supports multiple output formats for different use cases:
text- Human-readable console output (default)json- Structured JSON for CI/CD integrationsonarqube- SonarQube-compatible format
Specify with -o flag:
horusec start -p . -o json -O report.json
Common Patterns
Pattern 1: Fail Build on High Severity
Configure CI/CD to fail on critical findings:
horusec start -p . \
--return-error-if-found-vulnerability \
--severity-threshold="MEDIUM"
Exit code will be non-zero if vulnerabilities at or above threshold are found.
Pattern 2: Multi-Project Monorepo Scanning
Scan multiple projects in monorepo structure:
# Scan specific subdirectories
for project in service1 service2 service3; do
horusec start -p ./$project -o json -O horusec-$project.json
done
Pattern 3: Custom Rules Integration
Add custom security rules:
- Create custom rules file (YAML format)
- Configure path in
.horusec/config.json:{ "horusecCliCustomRulesPath": "./custom-rules.yaml" } - Run scan with custom rules applied
Security Considerations
- Sensitive Data Handling: Horusec scans for exposed secrets. Ensure scan results are stored securely and access is restricted to authorized personnel only
- Access Control: Limit access to Horusec configuration files and scan results. Use read-only mounts in Docker for source code scanning
- Audit Logging: Log all scan executions, findings, and risk acceptance decisions for compliance auditing
- Compliance: Integrates with SOC2, PCI-DSS, and GDPR compliance by identifying vulnerabilities and tracking remediation
- Safe Defaults: Configure severity thresholds appropriate for your risk tolerance. Start with MEDIUM or HIGH to reduce noise
Integration Points
CI/CD Integration
GitHub Actions:
- name: Run Horusec Security Scan
run: |
docker run -v /var/run/docker.sock:/var/run/docker.sock \
-v $(pwd):/src horuszup/horusec-cli:latest \
horusec start -p /src -o json -O horusec-report.json \
--return-error-if-found-vulnerability
GitLab CI:
horusec-scan:
image: horuszup/horusec-cli:latest
script:
- horusec start -p . -o json -O horusec-report.json
artifacts:
reports:
horusec: horusec-report.json
Jenkins:
stage('Security Scan') {
steps {
sh 'docker run -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src'
}
}
VS Code Extension
Horusec provides a VS Code extension for real-time security analysis during development. Install from VS Code marketplace.
Vulnerability Management
Horusec can integrate with centralized vulnerability management platforms via:
- JSON output parsing
- Horusec Platform (separate web-based management tool)
- Custom integrations using API
Troubleshooting
Issue: Docker Socket Permission Denied
Solution: Ensure Docker socket has proper permissions:
sudo chmod 666 /var/run/docker.sock
# Or run with sudo (not recommended for CI/CD)
Issue: False Positives in Test Files
Solution: Exclude test directories in configuration:
{
"horusecCliFilesOrPathsToIgnore": ["**/test/**", "**/*_test.go", "**/tests/**"]
}
Issue: Scan Timeout on Large Repositories
Solution: Increase timeout values in configuration:
{
"horusecCliTimeoutInSecondsAnalysis": 1200,
"horusecCliTimeoutInSecondsRequest": 600
}
Issue: Missing Vulnerabilities for Specific Language
Solution: Verify language is supported and Docker images are available:
horusec version --check-for-updates
docker pull horuszup/horusec-cli:latest
Advanced Usage
Running Without Docker
Install Horusec CLI directly (requires all security tool dependencies):
# macOS
brew install horusec
# Linux
curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash
# Windows
# Download from GitHub releases
Then run:
horusec start -p . --disable-docker
Note: Running without Docker requires manual installation of all security analysis tools (Bandit, Brakeman, GoSec, etc.)
Severity Filtering
Filter results by severity in output:
# Only show HIGH and CRITICAL
horusec start -p . --severity-threshold="HIGH"
# Show all findings
horusec start -p . --severity-threshold="INFO"
Custom Docker Images
Override default security tool images in configuration:
{
"horusecCliCustomImages": {
"python": "my-registry/custom-bandit:latest",
"go": "my-registry/custom-gosec:latest"
}
}
Report Analysis
Parse JSON output for automated processing:
# Extract high-severity findings
cat horusec-report.json | jq '.analysisVulnerabilities[] | select(.severity == "HIGH")'
# Count vulnerabilities by language
cat horusec-report.json | jq '.analysisVulnerabilities | group_by(.language) | map({language: .[0].language, count: length})'
# List unique CWE IDs
cat horusec-report.json | jq '[.analysisVulnerabilities[].securityTool] | unique'
References
- Horusec GitHub Repository
- Horusec Documentation
- OWASP Top 10
- CWE - Common Weakness Enumeration
Related Skills
agentsecops/privesc-linpeas
testing
VerifiedTrustedCommunity
Linux privilege escalation enumeration and attack surface analysis using LinPEAS (Linux Privilege Escalation Awesome Script). Automates post-exploitation discovery of escalation vectors, misconfigurations, and credential exposure on Linux targets. Use when: (1) Enumerating privilege escalation vectors after initial access on a Linux system, (2) Identifying SUID/SGID binaries, sudo misconfigurations, and capability abuses, (3) Hunting for credentials in config files, history, and logs, (4) Detecting container breakout opportunities and writable service files, (5) Mapping kernel exploits and CVE exposure for a target system, (6) Conducting authorized CTF, red team, or penetration test post-exploitation phases.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/ot-security-assessment
development
VerifiedTrustedCommunity
Operational Technology (OT) security assessment using a two-stage methodology: (1) Identification/Discovery of OT devices and protocols, and (2) Vulnerability Assessment using online sources and Metasploit. Use when: (1) Conducting authorized OT/ICS security assessments, (2) Identifying and enumerating OT protocols (Modbus, S7, IEC 104, DNP3, BACnet, EtherNet/IP), (3) Discovering industrial control devices and PLCs, (4) Assessing OT protocol vulnerabilities and security weaknesses, (5) Performing compliance scanning aligned with IEC 62443 standards, (6) Validating network segmentation and access controls in OT environments.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/vuln-defectdojo
tools
VerifiedTrustedCommunity
Vulnerability management and findings aggregation using DefectDojo. Centralizes security findings from all SecOpsAgentKit scanners (Semgrep, Bandit, ZAP, Trivy, Grype, Gitleaks, Nuclei, Checkov, Horusec) into a unified platform with automatic deduplication, SLA tracking, risk-based prioritization, and compliance reporting. Use when: (1) Aggregating findings from multiple scanners across products and pipelines, (2) Tracking remediation status and SLA compliance against policy thresholds, (3) Deduplicating overlapping findings across security tools, (4) Generating vulnerability reports for compliance audits (SOC2, PCI-DSS, GDPR), (5) Managing security debt and vulnerability backlog across teams and applications.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/pytm
tools
VerifiedTrustedCommunity
Python-based threat modeling using pytm library for programmatic STRIDE analysis, data flow diagram generation, and automated security threat identification. Use when: (1) Creating threat models programmatically using Python code, (2) Generating data flow diagrams (DFDs) with automatic STRIDE threat identification, (3) Integrating threat modeling into CI/CD pipelines and shift-left security practices, (4) Analyzing system architecture for security threats across trust boundaries, (5) Producing threat reports with STRIDE categories and mitigation recommendations, (6) Maintaining threat models as code for version control and automation.
82SKILL.mdUpdated Mar 27, 2026