DEV.co
Open-Source Security · ZupIT

horusec

Horusec is an open-source SAST (Static Application Security Testing) tool that scans code across 18 languages using 20 different security analysis engines in a single command. It integrates into CI/CD pipelines, Git history, and offers both CLI and web dashboard interfaces for vulnerability management.

Source: GitHub — github.com/ZupIT/horusec
1.3k
GitHub stars
217
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryZupIT/horusec
OwnerZupIT
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars1.3k
Forks217
Open issues112
Latest releasev2.8.0 (2022-06-08)
Last updated2026-05-24
Sourcehttps://github.com/ZupIT/horusec

What horusec is

Written in Go, Horusec performs multi-tool static analysis orchestration via Docker containers, supporting C#, Java, Kotlin, Python, Ruby, Go, Terraform, JavaScript, TypeScript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, and Nginx. It includes Git secret scanning and configurable rule sets, with options to submit findings to a managed web platform or retain results locally.

Quickstart

Get the horusec source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ZupIT/horusec.gitcd horusec# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

DevSecOps CI/CD Integration

Embed Horusec into pipelines to enforce security gates before deployment. Its multi-tool orchestration and configurable output formats (JSON, SARIF) support automated policy enforcement across diverse codebases.

Polyglot Legacy Portfolio Scanning

Organizations with mixed language stacks (Java, Python, Go, C#, Terraform) can use a single tool to standardize vulnerability detection rather than maintaining separate per-language scanners.

Git History Secret Leak Detection

Scan repositories for exposed credentials and secrets in commit history, useful for incident response and compliance audits where retroactive detection across git logs is required.

Implementation considerations

  • Docker is required for full analysis; projects must have Docker runtime available in build/dev environments or accept reduced detection accuracy with -D true flag.
  • Latest release (v2.8.0) is from June 2022; review whether 3+ year gap to current development state impacts your compatibility needs—active GitHub commits as of May 2026 suggest ongoing work, but verify integration stability.
  • Configuration via CLI flags and YAML config files; teams need to establish baseline rule sets and false positive suppression policies before mass deployment to avoid alert fatigue.
  • Secrets scanning requires Git history access; ensure CI runners have appropriate Git credentials and history depth for meaningful leak detection.
  • Output submission to Horusec Platform (web dashboard) is optional; evaluate whether local JSON/SARIF exports or managed platform integration fits your security posture and toolchain.

When to avoid it — and what to weigh

  • Need Real-Time Interactive Source Analysis — Horusec is a batch SAST tool; it is not designed for interactive IDE-assisted code review or real-time linting feedback beyond its VSCode extension.
  • Require Commercial SLA or Vendor Support — This is community-maintained Apache-licensed software. ZupIT provides no documented commercial support, SLAs, or guaranteed response times. Critical issues depend on community response.
  • Heavy False Positive Tuning in Restricted Environments — Configuration and rule suppression require CLI flags and config files; there is no GUI-based false positive management without using the optional Horusec Platform (separate deployment).
  • Dependent on Containerized Tool Chain — Full analysis power requires Docker. Using the -D flag to disable Docker significantly reduces detection capability, making it unsuitable where lightweight, containerless scanning is mandatory.

License & commercial use

Apache License 2.0 permits free use, modification, and distribution in both commercial and private projects without restriction, provided you retain license and copyright notices. No patent grant is explicitly included.

Apache-2.0 is a permissive OSI license and allows commercial use without license fees. However, there is no vendor-backed support, indemnification, or warranty. Use in production requires internal security review and your own maintenance commitment. Evaluate whether the optional Horusec Platform (separate offering) provides sufficient commercial guarantees for your risk tolerance.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceModerate
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Horusec is a static analysis tool, not a runtime security solution. It identifies common vulnerability patterns using rule sets from underlying tools (e.g., gosec, Semgrep, eslint-plugin-security). Detection accuracy depends on rule currency and false positive rates of orchestrated tools—not independently verified by Devco. Ensure rule sets for supported tools are regularly updated. The tool itself should be verified for integrity via release signature validation if available. Running it with Docker isolation is recommended to limit execution scope.

Alternatives to consider

Snyk

Commercial SaaS with vendor support, priority issue resolution, and integrated dependency/container scanning. Broader language coverage and real-time feedback in IDEs. Higher cost; less suitable for on-prem air-gapped environments.

GitHub Advanced Security (CodeQL + Dependabot)

Native to GitHub workflows, strong language coverage, integrated into PR reviews. Free for public repos; paid for private. Tightly coupled to GitHub; less portable to other Git platforms or on-prem setups.

SonarQube

On-prem or SaaS option, multi-language support, mature rule engine, and false positive tuning via GUI. Higher operational overhead and licensing cost. Better suited for large enterprises with dedicated security teams.

Software development agency

Build on horusec with DEV.co software developers

Horusec is free and open-source. Evaluate it in your CI/CD environment, review rule accuracy against your codebase, and determine whether community support and optional managed platform fit your security posture.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

horusec FAQ

Does Horusec replace my SIEM or vulnerability management platform?
No. Horusec is a scanner that produces JSON/SARIF output. You must integrate it with a SIEM, ticketing system, or dashboard (e.g., Horusec Platform, Defect Dojo, or your own) for centralized tracking and remediation workflows.
What happens if the underlying security tools (gosec, Semgrep, etc.) have false positives?
You suppress them via Horusec CLI flags and config files. There is no GUI for bulk suppression without deploying the optional Horusec Platform. Rules are inherited from upstream tool versions; you must update Horusec to get rule improvements.
Can I use Horusec without Docker?
Yes, use the -D true flag, but detection accuracy is significantly reduced. Docker is recommended because it isolates and runs each underlying tool consistently; without it, only tools present in your PATH are used.
Is there a supported version or LTS release?
No. Horusec is community-maintained with no published LTS or support roadmap. v2.8.0 (June 2022) is the latest tag, but active commits suggest development continues. Verify stability for your use case before pinning to production versions.

Custom software development services

From first prototype to production, DEV.co delivers software development services around tools like horusec. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Ready to Add Multi-Language Security Scanning to Your Pipeline?

Horusec is free and open-source. Evaluate it in your CI/CD environment, review rule accuracy against your codebase, and determine whether community support and optional managed platform fit your security posture.