🧩 Introduction
Infrastructure as Code (IaC) has transformed how teams provision and manage infrastructure. By treating infrastructure configurations like code, we gain consistency, speed, and repeatability. With that agility comes the responsibility of securing the code itself, just as we do with application code: a hardcoded credential or a security group open to the world is committed, reviewed and deployed like any other change. That is where Static Application Security Testing (SAST) tools come in. In this article, we'll explore how to apply SAST to IaC codebases using Horusec and keep your infrastructure safe 🛡️.
In this article, we’ll learn how to:
- Set up Horusec to scan any IaC codebase.
- Apply it locally and in CI/CD.
- Use it with other SAST tools.
- Automate reporting and exports.
💡 What is Horusec?
Horusec is an open-source security tool that orchestrates static analysis across multiple languages and IaC formats (such as Terraform and Kubernetes YAML). Rather than a single engine, it combines its own built-in rules with a set of third-party scanners that it runs in Docker containers, and merges their findings into one report so that vulnerabilities are found before code reaches production 🏭.
⚙️ Key Features:
- 🌐 Multi-language & IaC support (Terraform, Dockerfile, YAML, etc.)
- 🔄 CI/CD integration with GitHub Actions, GitLab CI, Jenkins, and others
- 📊 Clear vulnerability reports with severity levels and recommendations
- 🧠 Developer-friendly: runs locally or in pipelines without complex setup
📥 Installing Horusec CLI
You can install Horusec using a simple script:
curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash -s latest
Or via Docker 🐳:
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd):/src horuszup/horusec-cli:latest horusec start -p /src -P $(pwd)
Here -p /src is the project path inside the Horusec container and -P $(pwd) tells Horusec where that directory lives on the host, so the scanner containers it spawns can mount the same files. Note that mounting the Docker socket gives the Horusec container root-equivalent control over the host's Docker daemon; do this only on machines you trust, such as your own workstation or a disposable CI runner.
🔍 Scanning Infrastructure as Code
Once installed, scanning your code is as easy as running:
horusec start -p .
Horusec will inspect all supported files in the current directory and display a summary of issues found 📋.
⚡ Integrating into CI/CD (GitHub Actions Example)
Let’s automate this! Here's how to run Horusec as part of your GitHub Actions pipeline:
```yaml
name: Horusec Security Scan
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  horusec_scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Horusec
        run: |
          curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash -s latest
      - name: Run Horusec Scan
        # -e="true" makes horusec exit non-zero when it finds vulnerabilities, which fails the job
        run: |
          horusec start -p . -e="true"
```
This setup scans the repository on every push and pull request to main, helping you catch security issues early 🚨. The -e="true" (--return-error) flag is what turns a report into a gate: without it Horusec exits 0 regardless of what it finds and the job goes green. Two caveats for a pipeline you rely on: the install step pipes a script fetched from the main branch straight into bash, so pin a specific release tag instead of latest (the script takes the version as its argument) and consider vendoring the binary; and the Docker-based scanners need a Docker daemon on the runner, which ubuntu-latest provides.
🧪 Example: Terraform (Without docker)
You can see the example in my repository on Github.
Just run horusec start -p . and let it detect issues like:
To run only Horusec's built-in engine without Docker (for example on a laptop with no Docker daemon), add -D (--disable-docker). The Docker-based third-party scanners are then skipped, so expect fewer findings than in a full run. Typical findings in Terraform code include:
- Hardcoded secrets 🔑
- Insecure resource definitions 🔓
- Misconfigured ports or permissions 🔐
📊 Analyzing the Results
Horusec categorizes vulnerabilities by severity:
- 🟥 Critical
- 🟧 High
- 🟨 Medium
- 🟩 Low
- 🟦 Info
Each issue includes:
- File and line number 📍
- Description and recommendation 📘
- CWE ID (Common Weakness Enumeration) for deeper learning 🔍
📊 Reports & Outputs
Horusec supports multiple output formats, selected with -o (--output-format), while -O (--json-output-file) names the file to write:
- text – the default terminal summary.
- json – for custom parsing, dashboards or a severity gate in CI.
- sonarqube – importable into SonarQube as external issues.
- sarif – uploadable to the GitHub Security tab.
Horusec itself does not render an HTML report; for a browsable view, upload the SARIF file to GitHub code scanning or import the SonarQube format.
Example to export a SARIF report:
horusec start -p . -o sarif -O horusec.sarif
In GitHub Actions, a follow-up step using github/codeql-action/upload-sarif@v3 with sarif_file: horusec.sarif publishes the findings to the repository's Security tab, alongside any other code-scanning results.
✅ Best Practices
- 🔁 Run Horusec on each commit or pull request, and make the workflow a required status check in branch protection
- 🚫 Block merges on findings: -e="true" fails the job on any vulnerability; if you only want to block on the higher severities, drop the lower ones with -s (--ignore-severity), for example -s="LOW, INFO"
- 📚 Train your team to understand IaC security risks, so a finding is fixed at the source rather than suppressed
- 🧩 Use Horusec alongside other tools (e.g., Snyk, Checkov); overlapping scanners catch different rule sets, and dedicated IaC tools often have deeper cloud-provider knowledge
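As an added example (not Horusec's own code and not from the author's repository), here is a small Python gate that reads a Horusec JSON export (horusec start -p . -o json -O report.json) and decides whether the pipeline should fail, tying together the "Analyzing the Results" severity levels and the "Block merge" practice above. It assumes the Horusec v2 JSON layout (analysisVulnerabilities[].vulnerabilities with severity, file, line, details, code and vulnHash fields); the embedded report is constructed to resemble the Terraform findings described earlier, and you should check the field names against a real export before relying on it.

```python
"""Severity gate for a Horusec JSON report.

Added example, not Horusec's own code. The field names below follow the
Horusec v2 JSON report as understood by the author of this example
(assumption: verify against a real `horusec start -o json -O report.json`).
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNKNOWN"]

# Constructed sample report: three Terraform findings of the kinds the article lists.
SAMPLE_REPORT = json.dumps({
    "version": "constructed",
    "status": "success",
    "analysisVulnerabilities": [
        {"vulnerabilities": {
            "severity": "CRITICAL", "file": "main.tf", "line": "12",
            "securityTool": "HorusecEngine", "vulnHash": "constructed-hash-1",
            "code": 'password = "SuperSecret123!"',
            "details": "Hardcoded secret in Terraform resource",
        }},
        {"vulnerabilities": {
            "severity": "HIGH", "file": "network.tf", "line": "30",
            "securityTool": "HorusecEngine", "vulnHash": "constructed-hash-2",
            "code": 'cidr_blocks = ["0.0.0.0/0"]',
            "details": "Security group ingress on port 22 open to the world",
        }},
        {"vulnerabilities": {
            "severity": "LOW", "file": "variables.tf", "line": "3",
            "securityTool": "HorusecEngine", "vulnHash": "constructed-hash-3",
            "code": 'default = "admin"',
            "details": "Default value set on a sensitive-looking variable",
        }},
    ],
})


def load_findings(report_json: str) -> list[dict]:
    """Flatten the report into one dict per finding."""
    report = json.loads(report_json)
    return [entry["vulnerabilities"] for entry in report.get("analysisVulnerabilities", [])]


def count_by_severity(findings: list[dict]) -> dict[str, int]:
    """Count findings per severity, ordered from CRITICAL down, omitting empty levels."""
    counts = Counter(f.get("severity", "UNKNOWN").upper() for f in findings)
    return {sev: counts[sev] for sev in SEVERITY_ORDER if counts[sev]}


def blocking_findings(findings: list[dict], fail_on=("CRITICAL", "HIGH"),
                      ignore_hashes=frozenset()) -> list[dict]:
    """Findings that should fail the build: at a blocking severity and not allow-listed.

    The allow-list is keyed on vulnHash, the stable identifier Horusec assigns to a
    finding, so an accepted risk stays accepted across runs without silencing the file.
    """
    return [f for f in findings
            if f.get("severity", "").upper() in fail_on
            and f.get("vulnHash") not in ignore_hashes]


def format_finding(f: dict) -> str:
    return f"[{f['severity']}] {f['file']}:{f['line']} {f['details']} -> {f['code']}"


def gate(report_json: str, fail_on=("CRITICAL", "HIGH"), ignore_hashes=frozenset()) -> int:
    """Print a summary and return the exit code for CI: 0 to pass, 1 to block the merge."""
    findings = load_findings(report_json)
    for sev, n in count_by_severity(findings).items():
        print(f"{sev:9}{n}")
    blockers = blocking_findings(findings, fail_on, ignore_hashes)
    for f in blockers:
        print(format_finding(f))
    return 1 if blockers else 0


if __name__ == "__main__":
    # Usage: python gate.py report.json  (falls back to the constructed sample report)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

Run it as the step after the scan (with the scan itself no longer using -e, since the gate now owns the exit code) and the job fails only on the severities you choose, while the summary table still shows the lower ones so they do not silently accumulate.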
🧠 Conclusion
IaC enables rapid infrastructure deployment — but speed without security is a recipe for risk. Using Horusec as part of your SAST approach allows you to catch vulnerabilities early, automate scans, and ensure compliance across your entire infrastructure pipeline. Give it a try and secure your code from commit to cloud 🌩️🔒
Have you tried it yet? Got any questions? Drop them in the comments below — I’d love to hear from you! 👇