Git Product home page Git Product logo

horusec-engine's Introduction

logo_header

Horusec Engine

Table of contents

About

This repository contains the standalone SAST engine used by Horusec. By now we only have a pattern matching rule implementation, but a semantic analysis is already is being planned.

This is an internal repository of the Horusec CLI, so we don't guarantee compatibility between versions.

What is a SAST tool?

A Static Application Security Testing tool is an automated scanner for security issues in your source code. The main goal is to identify, as soon as possible in your development lifecycle, any possible threat to your infrastructure and your user's data. SAST tools don't actually find vulnerabilities because the tool never executes the program being analyzed, therefore, you still have to keep testing your applications with more traditional pen testing and any other tests that you can execute.

Usage

To use this implementation will be needed to create a new engine instance informing the goroutines pool size and the slice of the extensions that should be analyzed. After the analysis is finished, a slice of findings will be returned.

1. Goroutines Pool

The pool size informed during instantiation will directly affect memory usage and analysis time. The larger the pool, the shorter the analysis time, but the greater the amount of memory required.

2. Rule

Contains all the data needed to identify and report a vulnerability. All rules are defined by a generic interface with a Run function. The idea is that we have several specific implementations of rules, like the one we currently have in the text package, but each one with it own specific strategy.

3. Finding

It contains all the possible vulnerabilities found after the analysis, it also has the necessary data to identify and treat the vulnerability.

Example

    eng := engine.NewEngine(10, ".java")

    rules := []engine.Rule{
        &text.Rule{
            Metadata: engine.Metadata{
                ID:          "HORUSEC-EXAMPLE-1",
                Name:        "Hello World",
                Description: "This is a example of the engine usage",
                Severity:    "HIGH",
                Confidence:  "HIGH",
            },
            Type: text.OrMatch,
            Expressions: []*regexp.Regexp{
                regexp.MustCompile(`System\.out\.println\("Hello World"\);`),
             },
        },
        ...
    }

    findings, err := eng.Run(context.Background(), "path-to-analyze", rules...)
    if err != nil {
        return err
    }

    for _, finding := range findings {
        // do something
    }

Documentation

For more information about Horusec, please check out the documentation.

Issues

To open or track an issue for this project, in order to better coordinate your discussions, we recommend that you use the Issues tab in the main Horusec repository.

Contributing

If you want to contribute to this repository, access our Contributing Guide.

Developer Certificate of Origin - DCO

This is a security layer for the project and for the developers. It is mandatory.

Follow one of these two methods to add DCO to your commits:

1. Command line Follow the steps: Step 1: Configure your local git environment adding the same name and e-mail configured at your GitHub account. It helps to sign commits manually during reviews and suggestions.

git config --global user.name “Name”
git config --global user.email “[email protected]

Step 2: Add the Signed-off-by line with the '-s' flag in the git commit command:

$ git commit -s -m "This is my commit message"

2. GitHub website You can also manually sign your commits during GitHub reviews and suggestions, follow the steps below:

Step 1: When the commit changes box opens, manually type or paste your signature in the comment box, see the example:

Signed-off-by: Name < e-mail address >

For this method, your name and e-mail must be the same registered on your GitHub account.

License

Apache License 2.0.

Community

Do you have any question about Horusec? Let's chat in our forum.

This project exists thanks to all the contributors. You rock! ❤️🚀

horusec-engine's People

Contributors

guilhermefsantoszup avatar guilhermepaulozup avatar henriquezup avatar iancardosozup avatar igorreiszup avatar jessica-tw avatar lucasbrunozup avatar matheusalcantarazup avatar nathanmartinszup avatar nathannascimentozup avatar renovate[bot] avatar wiliansilvazup avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.