# Run Horusec SAST Reviews

Security teams need consistent static analysis across mixed-language repositories. This skill guides Horusec scans, CI integration, secret detection, report review, and false positive handling.

## Install

```bash
npx skillstore add agentsecops/sast-horusec
```

## Metadata

- Slug: agentsecops-sast-horusec
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/secsdlc/sast-horusec
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: high
- Risk factors: external_commands, network, filesystem, env_access, scripts
- Quality score: 38
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-sast-horusec
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-sast-horusec/manifest

## Capabilities

- Explains local Horusec scan workflows for multi-language repositories.
- Shows CI/CD integration patterns for GitHub Actions, GitLab CI, and Jenkins.
- Covers git history secret scanning and credential rotation steps.
- Describes severity thresholds, JSON output, and report parsing workflows.
- Provides examples for false positive management with Horusec configuration.

## Use Cases

- Pre-Commit Security Review: Run Horusec locally before opening a pull request and review high-severity findings first.
- Pipeline Security Gate: Add SAST, dependency, secret, container, and IaC scans to CI with retained security artifacts.
- Security Triage Workflow: Review Horusec output, separate true positives from false positives, and document accepted risk.

## Prompt Templates

### Run a Basic Scan

```
Use the Horusec workflow to scan this repository. Explain the command, expected output, and first triage steps.
```

### Review SAST Findings

```
Analyze this Horusec report. Prioritize findings by severity, confidence, exploitability, and remediation effort.
```

### Add CI Security Scanning

```
Create a safe CI plan for Horusec scanning. Include permissions, artifact handling, failure thresholds, and developer feedback.
```

### Tune Enterprise Policy

```
Design a Horusec policy for a multi-repository organization. Cover exclusions, false positive governance, secret response, and audit evidence.
```

## Limitations

- It depends on Horusec, Docker, git, and related scanners being installed or available.
- It does not verify whether every referenced scanner image or installer is trusted.
- It can produce false positives that need human security review.
- Some included Docker and installer commands require safer hardening before use.

## Best Practices

- Run scans in isolated environments with least-privilege access to source code and secrets.
- Treat Horusec reports as sensitive because findings can expose secret locations and vulnerable paths.
- Document every false positive decision with owner, reason, expiration date, and review cadence.

## Anti-Patterns

- Do not mount the host Docker socket into scanner containers unless risk is formally accepted.
- Do not pipe remote installer scripts directly to a shell in production workflows.
- Do not suppress findings permanently without evidence, ownership, and periodic review.

## Security Audit

- Safe to publish: false
- Audited at: 2026-06-28T06:08:26.229+00:00
- Summary: Static analysis flagged many command, network, environment, filesystem, and script patterns. Most findings are documentation examples or legitimate SAST workflow guidance, but the Docker socket mount, the world-writable Docker socket advice, and the pipe-to-shell installers are confirmed high-risk operational patterns. No evidence was found of prompt injection or confirmed malicious intent, so the skill is not blocked, but it should not be published without revisions.

## Stats

- Views: 354
- Downloads: 4
- Favorites: 0
- Popularity score: 0
