Skip to main content

CI Steps Reference

Last updated on

Harness CI steps provide purpose-built actions for building, testing, scanning, and publishing artifacts within your pipelines. Each step is a versioned template referenced using the uses: keyword with a set of typed inputs.


Build & Push to Docker

Template: buildAndPushToDocker@1.0.0 · Module: CI

Build a Docker image from a Dockerfile and push it to a Docker registry. Uses buildx (with caching enabled) or kaniko (without caching). Supported on Linux only.

InputTypeRequiredDescription
connectorconnector (Docker)YesSelect the Harness Docker connector
repostringYesDocker repository (format: hub-user/repo-name)
tagsarrayYesOne or more tags for the Docker image
cachingbooleanYes (default: true)Enable Docker layer caching
dockerfilestringNoDockerfile name (default: root folder Dockerfile)
contextstringNoBuild context directory
targetstringNoDocker target build stage
buildargskey-value-pairsNoDocker build-time variables (--build-arg)
labelskey-value-pairsNoMetadata labels for the image
cacherepostringNoRemote cache repository name
baseimageconnectorconnector (Docker)NoAuthenticated connector for base images
envvarskey-value-pairsNoEnvironment variables
example.yaml
steps:
- name: Build and Push
uses: buildAndPushToDocker@1.0.0
with:
connector: account.dockerhub
repo: myorg/myapp
tags:
- latest
- <+pipeline.sequenceId>
caching: true
dockerfile: Dockerfile
context: .
buildargs:
NODE_ENV: production
Caching Behavior

When caching is enabled, the step uses buildx with layer caching for faster builds. When disabled, it falls back to kaniko.


Build & Push to ECR

Template: buildAndPushToECR@1.0.0 · Module: CI

Build a Docker image and push to AWS Elastic Container Registry. Supported on Linux only.

InputTypeRequiredDescription
connectorconnector (AWS)YesAWS connector
repostringYesECR repository name
tagsarrayYesImage tags
regionstringYesAWS region
account_idstringYesAWS account ID
cachingbooleanYesEnable layer caching
dockerfilestringNoDockerfile name
contextstringNoBuild context directory
targetstringNoDocker target build stage
buildargskey-value-pairsNoDocker build-time variables (--build-arg)
labelskey-value-pairsNoMetadata labels for the image
example.yaml
steps:
- name: Push to ECR
uses: buildAndPushToECR@1.0.0
with:
connector: account.aws_prod
repo: myapp
region: us-east-1
account_id: "123456789012"
tags:
- <+pipeline.sequenceId>

Build & Push to GAR

Template: buildAndPushToGAR@1.0.0 · Module: CI

Build a Docker image and push to Google Artifact Registry. Supported on Linux only.

InputTypeRequiredDescription
connectorconnector (GCP)YesGCP connector
repostringYesGAR repository (format: region-docker.pkg.dev/project/repo)
tagsarrayYesImage tags
projectstringYesGCP project ID
example.yaml
steps:
- name: Push to GAR
uses: buildAndPushToGAR@1.0.0
with:
connector: account.gcp
repo: us-docker.pkg.dev/my-project/my-repo/myapp
project: my-project
tags:
- latest

Build & Push to Harness Artifact Registry

Template: buildAndPushToHarness@1.0.0 · Module: CI

Build a Docker image and push to Harness Artifact Registry. Supports Linux only.

InputTypeRequiredDescription
connectorconnector (Docker)YesHarness Docker connector
repostringYesHarness artifact repository
tagsarrayYesImage tags
example.yaml
steps:
- name: Push to Harness AR
uses: buildAndPushToHarness@1.0.0
with:
connector: account.harness_docker
repo: myorg/myapp
tags:
- <+pipeline.sequenceId>

Build Intelligence

Template: BuildIntelligence@1.0.2 · Module: CI

Automatically caches build outputs to improve build times. Supported on Cloud and Kubernetes build infrastructure. Runs as a background step that sets up the Harness cache server alongside your build.

  • Runs as a background step
  • Sets up a cache server container (harness/harness-cache-server)
  • Supports Gradle plugin integration (v0.0.4)
  • Works on Cloud and Kubernetes infrastructure
example.yaml
steps:
- name: Build Intelligence
uses: BuildIntelligence@1.0.2
Background Service

Build Intelligence runs as a background service. Add it at the beginning of your stage before other build steps to enable automatic caching.


Git Clone

Template: gitCloneStep@1.0.0 · Module: CI

Clone repository code for use in subsequent pipeline steps.

InputTypeRequiredDescription
connectorconnector (Git)YesGit connector
repostringYesRepository URL
branchstringNoBranch to clone
depthintegerNoClone depth (shallow clone)
pathstringNoTarget directory
example.yaml
steps:
- name: Clone Repo
uses: gitCloneStep@1.0.0
with:
connector: account.github
repo: https://github.com/myorg/myapp
branch: main
depth: 1

Run Step (v2)

Template: run_v2@1.0.1 · Module: CI

Generic script execution step for running commands in your pipeline. Supports multiple shells and containerized execution. This is the enhanced version of the built-in run step with additional containerization support.

example.yaml
steps:
- name: Run Tests
uses: run_v2@1.0.1
with:
script: |
npm install
npm test

Cache Management Steps

Six steps for saving and restoring caches across pipeline runs, supporting AWS S3, Google Cloud Storage, and Harness-managed storage.

StepTemplate IDVersionDescription
Save Cache to S3saveCacheToS31.0.0Preserve files in AWS S3
Restore Cache from S3restoreCacheFromS31.0.0Restore files from AWS S3
Save Cache to GCSsaveCacheToGCS1.0.0Preserve files in Google Cloud Storage
Restore Cache from GCSrestoreCacheFromGCS1.0.0Restore files from Google Cloud Storage
Save Cache to HarnessSaveCacheToHarness1.0.2Save cache to Harness storage
Restore Cache from HarnessRestoreCacheFromHarness1.0.2Restore cache from Harness storage
example.yaml
steps:
- name: Restore Cache
uses: RestoreCacheFromHarness@1.0.2
with:
key: node-modules-{{ checksum "package-lock.json" }}
paths:
- node_modules
- run: npm test
- name: Save Cache
uses: SaveCacheToHarness@1.0.2
with:
key: node-modules-{{ checksum "package-lock.json" }}
paths:
- node_modules

Artifact Upload Steps

Three steps for uploading build artifacts to external storage providers.

StepTemplate IDVersionDescription
Upload to S3uploadArtifactsToS31.0.0Upload artifacts to AWS S3
Upload to GCSuploadArtifactsToGCS1.0.0Upload artifacts to Google Cloud Storage
Upload to JFroguploadArtifactsToJfrogArtifactory1.0.0Upload Docker images to JFrog Artifactory
example.yaml
steps:
- name: Upload to S3
uses: uploadArtifactsToS3@1.0.0
with:
connector: account.aws
bucket: my-build-artifacts
source: ./dist/**
target: builds/<+pipeline.sequenceId>/

Security Scanning Steps

Integrate security scanning directly into your CI pipelines to detect vulnerabilities and hardcoded secrets early in the development lifecycle.

Bandit Security Scan

Template: banditStep@1.0.0

Performs Python security vulnerability scanning using Bandit static analysis. Supports orchestrated scan and manual upload modes. Target types include repository scanning with auto or manual target and variant detection.

Gitleaks Security Scan

Template: gitleaksStep@1.0.0

Performs secret detection scanning using Gitleaks. Identifies hardcoded secrets, API keys, and passwords in your codebase. Supports orchestrated scan and manual upload modes.

example.yaml
steps:
- name: Python Security Scan
uses: banditStep@1.0.0
with:
mode: orchestratedScan
type: repository
detection: auto
- name: Secret Detection
uses: gitleaksStep@1.0.0
with:
mode: orchestratedScan
type: repository
detection: auto

SBOM Orchestration

Template: sbomOrchestrationStep@1.0.0 · Module: CI

Generates or ingests Software Bill of Materials (SBOM) with optional attestation and drift detection.

InputTypeRequiredDescription
modechoiceYesgeneration or ingestion
toolchoiceYesSyft or cdxgen (visible in generation mode)
formatchoiceYesspdx-json or cyclonedx-json
sourcechoiceYesartifact-registry, third-party, repository, or harness
example.yaml
steps:
- name: Generate SBOM
uses: sbomOrchestrationStep@1.0.0
with:
mode: generation
tool: Syft
format: spdx-json
source: artifact-registry
image: myorg/myapp:latest