About SecHub

SecHub stands for "Security Hub" and serves as a unified API to scan for various security issues. With SecHub, users don't need to worry about the specific scanning product used on the server side; they simply configure their desired security goals.

The SecHub server alone does NOT provide a security infrastructure but orchestrates different security products/tools.

Please check our ready to use security open source tools: PDS solutions for integration with SecHub server.

SecHub was designed to be very easy to integrate into existing build / continuous integration (CI) pipelines and helps to provide SecDevOps.

You can get more documentation from the SecHub web page.

The project is hosted at https://github.com/mercedes-benz/sechub

About documentation

This documentation is part of SecHub.

LICENSE: MIT License. Please look at https://github.com/mercedes-benz/sechub/blob/master/LICENSE

Documentation version: Server 2.11.1 - Build date: 2025-06-20 13:10 (UTCZ)

1. Introduction

This tutorial teaches you how to set up a SecHub environment and how to do a scan using SecHub.

You will learn:

  • How to start a SecHub environment and a PDS with a SAST scanner using SecHub's Helm charts and container images

  • How to scan vulnerable source code

  • How to install and use SecHub's extension for VsCodium (optional)

Figure 1. Setup Overview

This diagram roughly shows how SecHub works behind the scenes.

The SecHub server is responsible for taking jobs and passing them to one or more PDS for processing. Once a job finishes on the PDS side, its results are fetched and processed by SecHub.

This tutorial is tested on Debian/Ubuntu!
It should also work on other Linux distributions.

2. Prerequisites

You are going to need:

2.1. Tools

See the Appendix below for installing the SecHub client manually.

Optional:

2.2. Access to a Kubernetes

For local testing you could use Kind with cloud-provider-kind, Minikube, Docker Desktop, K3s ...

The SecHub team uses Kind for development and experienced port problems with K3s.

Create a Kube config file for access to your Kubernetes and point the environment variable KUBECONFIG to it.
Example:
export KUBECONFIG="$HOME/.kube/kind-config"

In your terminal type: kubectl get ns to verify the connectivity. This should list the namespaces of your Kubernetes cluster.

3. Run SecHub

After issuing the commands below, a new namespace "sechub-testing" will be created in your Kubernetes. Everything outside this namespace will be left untouched.

3.1. Clone the repository

In your terminal type:

git clone https://github.com/mercedes-benz/sechub.git
cd sechub

This makes a local copy of the SecHub project on your computer and changes into the project's folder.

3.2. Start SecHub environment and create a basic setup

cd sechub-solutions-shared/setup-with-kubernetes
./00_prepare_build.sh
./01_init.sh
./10_deploy_sechub_server.sh
./20_deploy_pds-multi.sh
./30_deploy_web-ui.sh
./40_apply-profiles.sh

This starts the SecHub server and a PDS with a SAST scanner.
Additionally, scan profiles are created. We will use one of them later.

3.3. Setup a project in SecHub

The following call creates a SecHub project named "demo" and assigns the scan profile "sast-python" to it:

./50_create_SecHub_project.sh demo sast-python

Now you are ready to do scans!

4. Scan using SecHub Client

4.1. Environment variables

Some environment variables have to be set, specifically SECHUB_SERVER, SECHUB_USERID, SECHUB_APITOKEN and SECHUB_TRUSTALL. Make sure that the SecHub client executable "sechub" is in the PATH.

SECHUB_IP_ADDRESS=$(kubectl --namespace=sechub-testing get svc/sechub-server -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
export SECHUB_SERVER=https://$SECHUB_IP_ADDRESS:8443
export SECHUB_USERID=sechubadm
export SECHUB_APITOKEN=demo
export SECHUB_TRUSTALL=true

4.2. Scan

We have prepared a mini-example with vulnerable Python code in the "demo" folder.

Please have a look at sechub.json. It defines what should be scanned and what should be skipped.

Now you can do a scan:

cd demo
sechub scan

This will run a SAST scan via SecHub and create a file which contains a report of the findings from the scan (JSON format).
If you want the report in HTML format instead, add -reportformat html as an option:

sechub -reportformat html scan
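The JSON report the client writes is what a CI pipeline usually acts on. The following script is an added example (not part of SecHub or this tutorial) that reads such a report, summarizes the findings per severity and fails the build when a finding at or above a chosen severity is present. It assumes the report layout has a top-level "trafficLight" and "result.findings[]" entries with "severity", "name", "cweId" and "code.location" / "code.line" fields; the sample report embedded below is constructed for the example and its jobUUID is a placeholder.

```python
"""CI gate over a SecHub JSON report (added example, not SecHub's own code)."""
import json
import sys
from collections import Counter

# Severity ranking used by the gate. The label set is an assumption about the
# SecHub report format (CRITICAL/HIGH/MEDIUM/LOW/INFO/UNCLASSIFIED).
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFO": 1, "UNCLASSIFIED": 0}

# Constructed sample report; field names follow the assumed SecHub report layout.
SAMPLE_REPORT = json.dumps({
    "jobUUID": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real job
    "trafficLight": "RED",
    "result": {
        "count": 3,
        "findings": [
            {"id": 1, "name": "SQL Injection", "severity": "HIGH", "type": "codeScan",
             "cweId": 89, "code": {"location": "app/db.py", "line": 42}},
            {"id": 2, "name": "Use of weak hash", "severity": "MEDIUM", "type": "codeScan",
             "cweId": 328, "code": {"location": "app/auth.py", "line": 17}},
            {"id": 3, "name": "Debug mode enabled", "severity": "LOW", "type": "codeScan",
             "cweId": 489, "code": {"location": "app/__init__.py", "line": 5}},
        ],
    },
})


def load_findings(report_text):
    """Return (trafficLight, findings list) from a SecHub JSON report string."""
    report = json.loads(report_text)
    light = report.get("trafficLight", "UNKNOWN")
    findings = report.get("result", {}).get("findings", [])
    return light, findings


def count_by_severity(findings):
    """Number of findings per severity label (unknown labels count as UNCLASSIFIED)."""
    return Counter(f.get("severity", "UNCLASSIFIED") for f in findings)


def findings_at_or_above(findings, threshold):
    """Findings whose severity ranks at or above the given threshold label."""
    min_rank = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "UNCLASSIFIED"), 0) >= min_rank]


def gate(report_text, threshold="HIGH"):
    """True when the build may proceed, i.e. no finding at or above the threshold."""
    _, findings = load_findings(report_text)
    return len(findings_at_or_above(findings, threshold)) == 0


def format_finding(f):
    """One-line summary pointing at the affected source location."""
    code = f.get("code", {})
    return (f"[{f.get('severity')}] #{f.get('id')} {f.get('name')} "
            f"(CWE-{f.get('cweId')}) at {code.get('location')}:{code.get('line')}")


if __name__ == "__main__":
    # Usage: python sechub_gate.py [path-to-report.json]; without a path the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    light, findings = load_findings(text)
    print(f"trafficLight={light} findings={len(findings)} "
          f"by_severity={dict(count_by_severity(findings))}")
    blocking = findings_at_or_above(findings, "HIGH")
    for f in blocking:
        print("  " + format_finding(f))
    sys.exit(0 if not blocking else 1)
```

The exit code is what the pipeline step should key on; the per-severity summary and the location lines are there so the failing step points developers at the code to fix, which is the same information the IDE plugins described later use to jump to the affected lines.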

4.3. SecHub Web-UI

The URL of the SecHub Web-UI can be retrieved like this:

WEB_UI_IP=$(kubectl --namespace=sechub-testing get svc/web-ui -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
WEB_UI_URL="https://$WEB_UI_IP:4443/"
echo $WEB_UI_URL

After a successful login with sechubadm / demo you must open the URL manually. Then the SecHub Web-UI should work.

5. Optional

5.1. SecHub’s IDE plugins

SecHub’s IDE plugins help you to work faster with the SecHub report. You can jump to the exact code lines and fix the problem.

5.1.1. Eclipse Plugin

You can get the SecHub plugin the usual way from the Eclipse Marketplace.

5.1.2. IntelliJ Plugin

You can get the SecHub plugin the usual way from the IntelliJ Marketplace.

5.1.3. VS-Codium / Visual Studio Code Plugin

You can get the plugin from the OpenVSX Registry.

To install it, search for sechub in the Extensions manager and choose the one from "mercedes-benz".

For Visual Studio Code users: Download the Plugin and install it manually from file.

6. Appendix

6.1. Installing the SecHub Client manually

The commands below will download the latest version and put it in your /usr/local/bin folder.

# Get latest version
CLIENT_VERSION=$(curl -s https://mercedes-benz.github.io/sechub/latest/client-download.html | grep https://github.com/mercedes-benz/sechub/ | awk -F '-' '{print $NF}' | sed 's/.zip">//')

# Download the zipped binary
wget https://github.com/mercedes-benz/sechub/releases/download/v$CLIENT_VERSION-client/sechub-cli-$CLIENT_VERSION.zip

# Verify the binary
wget https://github.com/mercedes-benz/sechub/releases/download/v$CLIENT_VERSION-client/sechub-cli-$CLIENT_VERSION.zip.sha256
sha256sum --check sechub-cli-$CLIENT_VERSION.zip.sha256

# Extract
unzip sechub-cli-$CLIENT_VERSION.zip

# Depending on your architecture and OS, you will have to copy a different binary file:
# Example for Linux x86-64
sudo cp platform/linux-amd64/sechub /usr/local/bin

# Cleanup
rm -rf sechub-cli-$CLIENT_VERSION.zip sechub-cli-$CLIENT_VERSION.zip.sha256 platform/