Horusec

Category: SAST
License: Free/OSS (Apache 2.0)
Suphi Cankurt
AppSec Enthusiast
Updated February 13, 2026
2 min read
Key Takeaways
  • Horusec orchestrates 20+ security tools in a single scan, covering 18+ languages including Java, Python, Go, JavaScript, C#, and PHP.
  • Open-source under Apache 2.0, created by ZupIT, with 1,200 GitHub stars; includes a web dashboard for centralized findings management.
  • Combines results from multiple analyzers (Semgrep, Bandit, GoSec, etc.) with deduplication across overlapping tool coverage.
  • CLI-first design integrates into CI/CD pipelines with Docker support and configurable severity thresholds per project.

Horusec is an open-source SAST orchestration tool that coordinates 20+ security engines into a unified vulnerability report. Created by ZupIT, it supports 18+ languages and includes a web dashboard for vulnerability management.

With over 1,200 GitHub stars, Horusec provides multi-language scanning by orchestrating established tools like Bandit, Brakeman, GoSec, and SpotBugs rather than building its own analysis engine.

[Screenshot: Horusec Manager dashboard showing vulnerability metrics and severity breakdown across repositories]

What is Horusec?

Rather than implementing its own analysis engine, Horusec runs established security tools and consolidates their findings. OWASP recommends using multiple static analysis tools for broader coverage, since each tool has different strengths and detection capabilities. Horusec automates this by detecting languages in your repository and selecting the appropriate scanners. Results merge into a single report with deduplication and unified severity ratings.

20+ Security Tools
Orchestrates Bandit (Python), Brakeman (Ruby), GoSec (Go), SpotBugs (Java), Checkov (IaC), and many more. Language auto-detection selects the right tools.
Secrets Detection
Built-in scanner identifies hardcoded API keys, database credentials, private keys, and cloud provider credentials across all file types.
Web Dashboard
Horusec Manager provides centralized vulnerability management, workspace organization, false positive tracking, trend analysis, and role-based access control.

Key features

Multi-tool orchestration

Language                 Tools used
Python                   Bandit, Safety
Go                       GoSec, Nancy
JavaScript/TypeScript    npm-audit, ESLint security
Java/Kotlin              SpotBugs, Dependency-Check
Ruby                     Brakeman, Bundler-audit
C#                       Security Code Scan
Infrastructure           Checkov, TFSec, Trivy

[Screenshot: Horusec vulnerability management screen for classifying and triaging security findings]

Detection depends on underlying tools
Horusec’s detection quality depends on the security tools it orchestrates. For Python, you get Bandit’s detection capabilities. For Ruby, Brakeman’s. The value is in unified reporting and management, not deeper analysis than individual tools provide.

Getting started

1. Install the CLI — Use brew install horusec on macOS, or the install script for Linux: curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash
2. Run your first scan — Execute horusec start in your project directory. Horusec auto-detects languages and runs appropriate scanners.
3. Review findings — Results display in the terminal with severity levels. Use -o json for JSON output or -o sarif for SARIF format.
4. Deploy the dashboard — For team use, deploy Horusec Manager with Docker Compose from the horusec-operator repository.

When to use Horusec

Horusec is a good fit for teams with multi-language codebases that want a single scanning command instead of managing multiple tools individually. The Apache 2.0 license makes it suitable for any organization.

For single-language projects, the specialized underlying tools (Bandit, Brakeman, etc.) may be more appropriate run directly. For commercial support and deeper analysis, consider Checkmarx or Semgrep.

Best for
Teams with multi-language codebases that want unified security scanning from 20+ tools with a single command and a web dashboard.

Frequently Asked Questions

What is Horusec?
Horusec is an open-source security orchestration tool by ZupIT that coordinates 20+ SAST engines (Bandit, Brakeman, GoSec, and others) into a unified vulnerability report. It supports 18+ languages and includes a web dashboard for vulnerability management. Licensed under Apache 2.0.
Is Horusec free?
Yes. Horusec is completely free and open-source under the Apache 2.0 license. It has over 1,200 GitHub stars and 37 contributors.
How does Horusec orchestrate multiple tools?
Horusec detects languages in your repository and runs the appropriate security tools for each: Bandit for Python, Brakeman for Ruby, GoSec for Go, SpotBugs for Java, and others. Results are deduplicated and merged into a single report with unified severity ratings.