It's a Horusec Action proof of concept

Horusec Action

Horusec is a great SAST (static application security testing) DevSecOps tool to use in any pipeline. This is a proof of concept that embeds it in a GitHub Action.

How to use

You can pass arguments on the command line (for example --ignore="**/tmp/**"), but the better way is to use a configuration file. To generate the configuration file:

horusec generate

Below is an example that uses a Horusec configuration file. If you want to see how it is used in a real project, you can see here.

on: [push]

jobs:
  checking_code:
    runs-on: ubuntu-latest
    name: Horusec Scan
    steps:
      - name: Run Horusec
        id: run_horusec
        uses: fike/horusec-action@v0.1
        with:
          arguments: --config-file-path=horusec-config.json

The most common arguments to pass are --ignore (directories to skip) and the target path. You can add any extra argument that Horusec supports, but keep in mind that it has to go on the single argument line of your Action workflow.

Here is an example that ignores some directories and sets the target path with -p.

on: [push]

jobs:
  checking_code:
    runs-on: ubuntu-latest
    name: Horusec Scan
    steps:
      - name: Run Horusec
        id: run_horusec
        uses: fike/horusec-action@v0.1
        with:
          arguments: -p="./" --ignore="**/.vscode/**, **/*.env, **/.mypy_cache/**, **/tests/**"

By default Horusec returns exit code 0 in every case. This means that your pipeline will not fail when vulnerabilities are found. To change that behaviour you have to pass the argument -e=true.

Here is an example of how to use the flag.

on: [push]

jobs:
  checking_code:
    runs-on: ubuntu-latest
    name: Horusec Scan
    steps:
      - name: Run Horusec
        id: run_horusec
        uses: fike/horusec-action@v0.1
        with:
          arguments: -e=true -p="./"

Known Issue

An Action built purely on Docker is not flexible enough to split the arguments string into separate arguments, which is possible when the Action is built with JavaScript/TypeScript.
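As an added example (not code from the fike/horusec-action repository), the small entrypoint below works around the single-argument-string limitation above and also warns when the -e=true flag from the exit-code section is missing. It assumes GitHub exposes the `arguments` input as the INPUT_ARGUMENTS environment variable and uses an assumed HORUSEC_BIN variable so the scanner command can be swapped for testing.

```sh
#!/bin/sh
# Added example, not code from the fike/horusec-action repository: turns the
# single `arguments` string a Docker-based Action receives (GitHub exposes it
# as INPUT_ARGUMENTS) into separate argv entries, honouring quotes, and then
# runs `horusec start`. HORUSEC_BIN is an assumed knob, not an Action input.
set -eu

HORUSEC_BIN="${HORUSEC_BIN:-horusec}"

# Split one string into words the way a shell would, honouring "..." and
# '...' quoting, without eval. Prints one word per line.
split_args() {
  [ -n "$1" ] || return 0
  printf '%s' "$1" | xargs printf '%s\n'
}

# Succeed when the argument list already asks Horusec to fail on findings.
# Only the literal -e=true form shown in this README is recognised.
has_error_flag() {
  for w in "$@"; do
    [ "$w" = "-e=true" ] && return 0
  done
  return 1
}

# Rebuild the positional parameters from the split words and run the scan.
run_horusec() {
  args="$1"
  set --
  while IFS= read -r word; do
    [ -n "$word" ] && set -- "$@" "$word"
  done <<EOF
$(split_args "$args")
EOF
  if ! has_error_flag "$@"; then
    echo "note: without -e=true Horusec exits 0 even when it finds vulnerabilities" >&2
  fi
  "$HORUSEC_BIN" start "$@"
}

# Only run when invoked by the Action runner, which sets INPUT_ARGUMENTS.
if [ -n "${INPUT_ARGUMENTS:-}" ]; then
  run_horusec "$INPUT_ARGUMENTS"
fi
```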

This is a proof of concept for running Horusec as a GitHub Action.