Skip to main content

Harness Agents

Last updated on

Harness Agents let you bring powerful AI automation directly into your pipelines — without losing control, security, or governance. Using your own models (OpenAI, Anthropic, Gemini) or Harness AI, agents analyze, fix, refactor, and optimize code and configs within the same guardrails you already trust for CI/CD. Each agent is a reusable template governed by RBAC, OPA policies, audit logs, and GitX versioning.

StatLabelDetails
13+Agents AvailablePre-built catalog spanning code quality, security, and productivity
BYOMBring Your Own ModelOpenAI, Anthropic, Gemini, MCP
GovernedEnterprise ControlsRBAC, OPA, Audit Logs
Multi-SCMSource ControlGitHub, GitLab, Bitbucket, Harness Code

How Agents Work

Agents follow a consistent execution flow from trigger to pull request. Every agent adheres to this lifecycle regardless of its specific task.

  1. Trigger — An agent is triggered from the Harness UI, API, or automatically in response to events (e.g., CI failure, new PR).
  2. Clone — The agent clones the target repository using configured SCM credentials.
  3. Analyze — AI analyzes the codebase, logs, or PR diff to understand context.
  4. Execute — The coding agent performs the task — writing code, generating tests, or creating fixes.
  5. Review — Changes are pushed to a new branch and a pull request is created for human review.
  6. No Auto-Merge — All agent-generated changes require human approval before merging.
PR-Based Workflow

Agents follow a strict PR-based workflow. No changes are ever auto-merged — every modification goes through your team's standard review process.


AI Model Connectors (Bring Your Own Model)

Agents use AIModel connectors to communicate with LLMs. You can connect SaaS providers, self-hosted endpoints, or MCP servers. Each connector respects Harness RBAC and scoping (Account / Org / Project) and can run on Delegates (inside your network) or on the Harness Platform.

ProviderSaaSSelf-HostedMCP Support
OpenAIYesYes (custom endpoint)Yes
AnthropicYesYes (custom endpoint)Yes
GeminiYesYes (custom endpoint)Yes

Each connector requires a token (stored as a Harness secret) and an optional endpoint for self-hosted or gateway URLs.

connector-anthropic-saas.yaml
connector:
name: Anthropic_SaaS
identifier: Anthropic_SaaS
type: AIModel
spec:
provider: Anthropic
credentials:
type: Token
tokenRef: account.anthropic_api_key
connector-anthropic-selfhosted.yaml
connector:
name: Anthropic_SelfHosted
identifier: Anthropic_SelfHosted
orgIdentifier: default
projectIdentifier: default
type: AIModel
spec:
provider: Anthropic
credentials:
type: Token
tokenRef: account.anthropic_api_key
endpoint: https://anthropic.mycompany.internal/v1

Connector Scoping

AIModel connectors follow the same scoping rules as all Harness connectors. Define them at Account, Org, or Project level depending on your team's access needs. Once created, a connector can be passed as an llm input to any agent.


System Agents vs Custom Agents

Agents come in two flavors: System Agents shipped by Harness and Custom Agents built by your team. Both are implemented as pipeline templates and governed by the same RBAC and policy controls.

AspectSystem AgentsCustom Agents
SourceShipped and maintained by HarnessBuilt by your team
EditableNo (fork to customize)Yes
DeliveryAuto-loaded as pipeline templatesCreated via agent steps + standard steps
VersioningManaged by Harness releasesVersioned via GitX
ScopeAccount / Org / ProjectAccount / Org / Project
CustomizationFork, then modify prompts, containers, stepsFull control over all components

Forking System Agents

You can fork any System Agent to create a Custom Agent that you fully control. This lets you adjust prompts, target languages, containers, and approval flows while starting from a proven template. Forked agents can be stored in Git using GitX and versioned like any other pipeline template.


Template Architecture

Each agent template is a directory under templates/ containing the files that define the agent's identity, pipeline logic, and documentation.

FileRequiredPurpose
metadata.jsonYesName, description, semantic version
pipeline.yamlYesHarness CI pipeline v1 YAML defining stages, steps, containers, and inputs
wiki.MDOptionalUser-facing documentation with overview, capabilities, and troubleshooting
logo.svgOptionalVisual icon displayed in the Harness UI
metadata.json
{
"name": "code review",
"description": "Reviews code changes in pull requests and posts intelligent feedback",
"version": "1.0.0"
}
pipeline.yaml
pipeline:
clone:
depth: 50
stages:
- name: agent-stage
steps:
- name: analyze
run:
container:
image: agent-container:latest
env:
API_KEY: <+inputs.apiKey>
script: |
# Agent logic here
platform:
os: linux
arch: arm64
inputs:
apiKey:
type: secret
description: API key for AI service

Agent Catalog

Harness provides a growing catalog of pre-built agents spanning code quality, security, developer productivity, and library upgrades. Each agent is a self-contained template that can be configured, triggered independently, or forked and customized.

AgentCategoryDescriptionKey Capability
Code ReviewCode QualityReviews PR changes and posts intelligent feedback3-stage review process with AI-generated comments
Code CoverageCode QualityGenerates comprehensive unit tests for 90%+ coverageUp to 300 AI iterations, auto-posted coverage reports
AutofixCode QualityDiagnoses and fixes CI pipeline failures automaticallyTwo-stage AI: remediation agent + coding agent
Zero Day RemediationSecurityRemediates critical vulnerabilities across multiple reposCVE-based fixes across Java, JS, Python, Go, C#
Manifest RemediatorSecurityAnalyzes K8s/Helm deployment failures and generates fixesRoot cause analysis from execution logs
Feature Flag CleanupProductivityRemoves stale feature flags from codebasesAI-powered flag reference detection and removal
React UpgradeProductivityAutomates React upgrades and code modificationsAccepts custom prompts for any upgrade task
OnboardingProductivityImports repos into Harness and auto-generates CI pipelinesUses Sonnet for analysis, Opus for pipeline generation
Library Upgrade — JavaUpgradesScans Maven/Gradle projects for outdated dependenciesUpdates pom.xml / build.gradle with optional test runs
Library Upgrade — PythonUpgradesReviews Python dependencies (requirements/Poetry/Pipenv)Regenerates lockfiles and opens a PR
Helm Chart AutofixSecurityTroubleshoots failed Helm releases and diagnoses misconfigurationsProposes fixed templates and values as a PR
Unified AgentOrchestrationCentral orchestration agent for services, environments, connectors, secrets, and pipelinesCan create and update pipelines in-line
Vulnerability RemediationSecurityTakes SAST/SCA scan results and generates targeted fixesWires fixes back to the failing pipeline

Input Types

Agents use three standardized input types to accept configuration values. These types ensure consistent handling of plain text, encrypted credentials, and platform integrations across all agent templates.

TypeDescriptionExample
stringPlain text values like repo names, branch names, URLsrepo, branch, prompt
secretEncrypted credentials, never logged or exposedanthropicKey, harnessKey, repoAccessToken
connectorPre-configured Harness connectors for SCM and AI servicesllmConnector, gitConnector
pipeline.yaml
pipeline:
inputs:
llmConnector:
type: connector
description: LLM connector for AI operations
gitConnector:
type: connector
description: Git connector for repository access
repo:
type: string
description: Repository name
branch:
type: string
description: Target branch
default: main
harnessKey:
type: secret
description: Harness API key for platform operations

Inputs are referenced in pipeline YAML via expression syntax. Use <+inputs.inputName> to reference an input value, <+steps.stepName.output.outputVariables.VAR> for step outputs, and built-in variables like <+account.identifier> for platform context.


Using Agents in Pipelines

Agents appear in the Step Palette under an Agents / AI section. When you add an Agent step to a pipeline, you choose the agent (System or Custom), configure its inputs (LLM connector, prompt, repo details), and optionally add approval steps before the agent applies changes.

Agent Template Definition

An agent template declares its inputs including the LLM connector, repository details, and a prompt. The oneof field constrains which connector types are valid.

agent-template.yaml
agent:
name: pr_autofix
inputs:
ref:
type: string
pr:
type: string
prompt:
type: string
default: "Detect and fix common issues (lint, import, simple bugs)."
llm:
type: connector
oneof: [claude, openai, gemini]
repo:
type: connector
oneof: [GitHub]

Referencing an Agent in a Pipeline

Reference an agent by name and template from within any pipeline stage. Agent inputs can be fixed in YAML or provided at runtime.

pipeline-with-agent.yaml
pipeline:
stages:
- name: autofix-pr
steps:
- agent:
name: autofix
template: pr-autofix
on-failure:
strategy: always-run

Agent Steps

Agents are built from reusable AI steps implemented as containers (similar to Drone plugins). Step types include ai-code-review, ai-autofix, ai-dep-upgrade, ai-error-analyzer, and ai-ff-cleanup. Each step receives LLM credentials, repo context, and task-specific inputs. These steps can be used directly or composed into higher-level agents.


SCM Integration

Agents support multiple SCM providers with automatic detection. The platform determines the correct SCM provider and authentication method based on the repository configuration.

SCM ProviderPush SupportPR CreationAuto-Detection
Harness CodeYesYes (via API)Yes
GitHubYesYesYes
GitLabYesYesYes
BitbucketYesYesYes

Agents analyze the git remote URL to determine the SCM provider and configure authentication accordingly. The create-pr-plugin container handles multi-SCM PR creation, abstracting provider-specific API differences into a single unified step.

Input Patterns

Two input patterns exist across agents: newer agents use connector-based inputs (llmConnector, gitConnector) while older agents use direct secret inputs (anthropicKey). Both patterns are fully supported.


Governance, RBAC & Security

Agents respect all the controls you already expect from Harness. Every AI action is a pipeline step — fully auditable, subject to OPA policies, and eligible for template approval workflows.

RBAC Permissions

PermissionDescription
ViewSee agent templates and execution history
CreateCreate new custom agents
EditModify custom agent templates (System Agents cannot be edited)
ExecuteRun agents via UI, YAML, or API
DeleteRemove custom agent templates

Scoping

ScopeVisibility
AccountGlobal across the entire account
OrgShared across all projects in an organization
ProjectVisible only within that project

Security Principles

  • No hardcoded secrets — All credentials are passed via Harness secrets or connectors
  • PR-based review — All changes go through pull requests; no direct commits to main branches
  • No auto-merge — Agent-generated PRs always require human approval
  • OPA policy enforcement — Agent steps are subject to OPA policies like any other pipeline step
  • Full audit trail — Every agent execution is logged with inputs, outputs, and user context
  • Container isolation — Each agent step runs in an isolated container with no persistent state
Secret Management

Never commit API keys or secrets directly in agent templates. Always use Harness secrets (type: secret) or connectors (type: connector) for sensitive values.


Calling Agents via API

In addition to using agents from the UI or YAML, you can invoke agents programmatically via the Harness API. Since agents are pipelines with AI steps, they use the same API surface as standard pipeline executions.

  • Trigger an agent run — Start an agent execution with specified inputs
  • Pass inputs — Provide connector, repo, prompt, and other parameters
  • Track execution — Monitor status and outputs like any other pipeline

Getting Started

  1. Create an AIModel connector for your LLM provider
  2. Explore System Agents in the Step Palette
  3. Try PR Autofix or Code Review on a non-critical repo
  4. Add approval steps for governance
  5. Fork a System Agent to customize it for your environment