Skip to main content

Security Agents

Last updated on

Harness Security agents help teams identify and remediate vulnerabilities and deployment failures using AI. The Zero Day Remediation agent scans for and fixes critical CVEs across multiple repositories, while the Manifest Remediator analyzes Kubernetes and Helm deployment failures to generate remediation YAML.


Zero Day Remediation Agent

The Zero Day Remediation agent identifies and remediates critical vulnerabilities (0-day) across multiple repositories. It scans codebases and vulnerability databases, validates package safety, and generates fix PRs to downgrade or upgrade to safe versions.

Capabilities

  • Scans across multiple repositories (controlled by maxRepos parameter)
  • CVE-based or component-based remediation
  • Validates package rollout states, targeting rules, and activity patterns
  • Supports Java, JavaScript, TypeScript, Python, Go, and C#
  • Creates fix PRs with version updates to safe releases
  • Requires Harness Supply Chain Security module

Key Inputs

InputTypeDescription
anthropicKeysecretAnthropic API key for Claude AI
harnessKeysecretHarness API key for platform operations
repoAccessTokensecretToken for repository access across orgs
cveIdstringCVE identifier to remediate (e.g., CVE-2024-1234)
componentNamestringPackage/component name (alternative to cveId)
fixedVersionstringTarget safe version to upgrade/downgrade to
currentVersionstringCurrent vulnerable version
harnessOrgIdstringHarness organization identifier
harnessProjectIdstringHarness project identifier
targetBranchstringBranch to target for PRs (default: main)
maxReposstringMaximum number of repositories to scan
branchPrefixstringPrefix for fix branches (default: fix/)
authorNamestringGit author name for commits (default: AI Workflow)
authorEmailstringGit author email for commits (default: ai-workflow@harness.io)
searchstringFilter repositories by name pattern

Pipeline Configuration

pipeline.yaml
pipeline:
stages:
- name: zero_day_remediation
steps:
- name: remediate_vulnerabilities
run:
container:
image: harness/vulnerability-remediation-plugin:latest
with:
cve_id: <+inputs.cveId>
component_name: <+inputs.componentName>
fixed_version: <+inputs.fixedVersion>
current_version: <+inputs.currentVersion>
harness_org_id: <+inputs.harnessOrgId>
harness_project_id: <+inputs.harnessProjectId>
target_branch: <+inputs.targetBranch>
branch_prefix: <+inputs.branchPrefix>
author_name: <+inputs.authorName>
author_email: <+inputs.authorEmail>
max_repos: <+inputs.maxRepos>
search: <+inputs.search>
working_directory: /harness
detailed_logging: "true"
env:
ANTHROPIC_API_KEY: <+inputs.anthropicKey>
HARNESS_API_KEY: <+inputs.harnessKey>
REPO_ACCESS_TOKEN: <+inputs.repoAccessToken>
platform:
os: linux
arch: amd64
inputs:
anthropicKey:
type: secret
description: Anthropic API key for Claude LLM analysis
harnessKey:
type: secret
description: Harness PAT token for API operations
repoAccessToken:
type: secret
description: Git access token for repository operations
cveId:
type: string
description: CVE identifier to remediate (e.g., CVE-2021-44228)
componentName:
type: string
description: Vulnerable component name to upgrade
fixedVersion:
type: string
description: Target version to upgrade to
currentVersion:
type: string
description: Current vulnerable version
harnessOrgId:
type: string
required: true
description: Harness organization ID
harnessProjectId:
type: string
required: true
description: Harness project ID
targetBranch:
type: string
default: main
description: Target branch for pull requests
branchPrefix:
type: string
default: "fix/"
description: Prefix for fix branches
authorName:
type: string
default: "AI Workflow"
description: Git author name for commits
authorEmail:
type: string
default: "ai-workflow@harness.io"
description: Git author email for commits
maxRepos:
type: string
default: "0"
description: Maximum repositories to process (0 for unlimited)
search:
type: string
description: Filter repositories by name pattern

Supported Languages

LanguagePackage ManagerFile
JavaMaven / Gradlepom.xml / build.gradle
JavaScriptnpm / yarnpackage.json
TypeScriptnpm / yarnpackage.json
Pythonpip / poetryrequirements.txt / pyproject.toml
Gogo modulesgo.mod
C#NuGet*.csproj
Supply Chain Security Required

The Zero Day Remediation agent requires the Harness Supply Chain Security module. Ensure this module is enabled in your Harness account before configuring this agent.


Manifest Remediator Agent

The Manifest Remediator agent analyzes Kubernetes and Helm deployment failures by examining execution logs from failed pipelines. It uses AI to identify root causes and generates a manifest_remediation_results.yaml file with specific fixes and step-by-step remediation instructions.

How It Works

  1. Fetch Logs — Retrieves execution logs from the failed K8sRollingDeploy or HelmDeploy steps via the Harness API
  2. AI Analysis — Claude AI analyzes the logs to identify the root cause of the deployment failure
  3. Generate Remediation — Produces a structured YAML file with root cause analysis, recommended fixes, and configuration updates

Unique Characteristics

  • Does not clone a repository — works purely from pipeline execution logs
  • Outputs a YAML file with structured remediation guidance
  • Supports K8sRollingDeploy and HelmDeploy failure types
  • Uses Harness API to fetch pipeline execution details

Key Inputs

InputTypeDescription
anthropicKeysecretAnthropic API key for Claude AI
harnessKeysecretHarness API key for fetching execution logs
harnessExecutionIdstringFailed pipeline execution ID
harnessPipelineIdstringPipeline identifier
harnessBaseUrlstringHarness API base URL
harnessProjectIdstringHarness project identifier
harnessOrgIdstringHarness organization identifier
harnessAccountIdstringHarness account identifier

Pipeline Configuration

pipeline.yaml
pipeline:
stages:
- name: manifest_remediation
steps:
- name: PrintEnv
run:
shell: bash
script: |
echo "Harness Execution ID: <+inputs.harnessExecutionId>"
echo "Harness Pipeline ID: <+inputs.harnessPipelineId>"
echo "Harness Base URL: <+inputs.harnessBaseUrl>"
echo "Harness Project ID: <+inputs.harnessProjectId>"
echo "Harness Org ID: <+inputs.harnessOrgId>"
echo "Harness Account ID: <+inputs.harnessAccountId>"
printenv
- name: Manifest Remediator
run:
container:
image: rajpatel2/manifest-remediator:manifest-remediator
with:
detailed_logging: "true"
harness_api_key: <+inputs.harnessKey>
working_directory: /harness
harness_execution_id: <+inputs.harnessExecutionId>
harness_pipeline_id: <+inputs.harnessPipelineId>
harness_base_url: <+inputs.harnessBaseUrl>
harness_project_id: <+inputs.harnessProjectId>
harness_org_id: <+inputs.harnessOrgId>
harness_account_id: <+inputs.harnessAccountId>
env:
ANTHROPIC_API_KEY: <+inputs.anthropicKey>
- name: Output
run:
script: |-
echo "=== Manifest Remediation Results ==="
cat /harness/manifest_remediation_results.yaml
shell: bash
platform:
os: linux
arch: arm64
inputs:
anthropicKey:
type: secret
default: autofix_anthropic_api_key
harnessKey:
type: secret
default: harness_api_key
harnessExecutionId:
type: string
harnessPipelineId:
type: string
harnessBaseUrl:
type: string
harnessProjectId:
type: string
harnessOrgId:
type: string
harnessAccountId:
type: string

Example Output

manifest_remediation_results.yaml
root_cause:
type: ImagePullBackOff
description: "Container image 'myapp:v2.1.0' not found in registry"
affected_resource: deployment/myapp
namespace: production
recommended_fixes:
- action: "Update image tag to existing version"
manifest: deployment.yaml
path: spec.template.spec.containers[0].image
current_value: "myapp:v2.1.0"
suggested_value: "myapp:v2.0.9"
confidence: high
- action: "Add imagePullSecret for private registry"
manifest: deployment.yaml
path: spec.template.spec.imagePullSecrets
suggested_value:
- name: registry-credentials
confidence: medium
remediation_steps:
- "Verify image 'myapp:v2.1.0' exists in the container registry"
- "Check registry authentication credentials"
- "Update deployment manifest with correct image tag"
- "Re-run the deployment pipeline"
Post-Incident Analysis

The Manifest Remediator is ideal for post-incident analysis. Trigger it automatically when K8s or Helm deployments fail to get immediate, actionable remediation guidance without manual log diving.