Fix security vulnerabilities using AIDA
Harness uses state-of-the-art AI technology to streamline the triage and remediation of security vulnerabilities. For every vulnerability found by a scanner and ingested into STO, Harness AI explains the issue precisely and provides detailed remediation advice, in addition to any remediation suggestion from the scanner itself, including code changes and package upgrades. The advice is generated by large, well-trained language models. Optionally, you can regenerate the advice with additional context to improve the result.
Harness AI reduces developer toil by streamlining and simplifying the process of fixing vulnerabilities. It enables developers and security personnel to manage security-issue backlogs and address critical issues promptly, and it can produce code suggestions and pull requests to remediate an issue directly from STO. This can significantly reduce your time to remediate (TTR), speed up your software delivery lifecycle, and improve the security posture of your applications and services.
Important notes
Before you can use Harness AI in STO, you must do the following:
- Read the AIDA Data Privacy Overview.
- Sign an End-User License Agreement with Harness.
- Enable AIDA in your Harness account. Go to Account Settings, select Default Settings, select the Harness AIDA tile, and then enable the Harness AI Development Assistant (AIDA) setting. Select Allow Overrides if you want to be able to enable/disable AIDA for individual projects.
- AI will always provide an answer. However, if there is no known remediation within the model's training data, the answer might be invalid. An AI suggestion can therefore require further research to confirm its validity.
- Before you implement an AI-generated suggestion, consider carefully the reliability and extent of the publicly known information about the detected issue. The accuracy, reliability, and completeness of a suggestion depend on that public knowledge. An AI-generated suggestion is not guaranteed to remediate the issue and could introduce other issues, so treat it like any other code change: review it, run your tests, and rescan the target after applying it.
- Also consider the suggestion's applicability to your specific target and use case. An issue might have no known remediation, especially if it was recently discovered, or it might have multiple suggested remediations that contradict each other or apply only to specific use cases.
- A specific remediation might involve installing components with their own usage and license requirements. Check any such requirements in advance.
Workflow description
This procedure describes how to refine a suggestion by providing more information, such as additional context or code snippets, to Harness AI.
- When you go to Security Tests and select an issue, an initial AI Remediation appears in Issue Details.
  This suggested remediation is based on public information about the CVE or CWE and on the first detected occurrence (Occurrence 1) in the target. If the scanner captured the code snippet where the vulnerability occurs, the query sent to Harness AI includes that snippet as well.
  You can send feedback to Harness about a specific remediation: under Helpful?, select No, enter your feedback, and select Submit.
- If you want to improve the advice with additional information or context, do the following:
  - Select Edit Input.
  - Specify the occurrence, reference ID, and language (if you scanned a codebase).
    Harness AI can often auto-detect the language of a code snippet, but confirm that the language setting is correct before you generate.
    Some scanners report the location of the vulnerable code, such as the file name and line number, but not the code snippet itself. With Edit Input you can paste the exact vulnerable snippet; Harness AI then uses it to recommend code changes, which you can use to create a pull request or a code suggestion.
  - Add any additional context in the text pane. For example, include the code immediately before the snippet where the vulnerability was identified, so the model can see how the vulnerable value is constructed, in addition to the snippet itself. Because this context is sent to Harness AI, remove any credentials or other secrets from it before you submit. Then select Generate.
- To generate a remediation for another occurrence, do the following:
  - In Issue Details, scroll down to the occurrence of interest and select Unsure how to remediate? Ask AI. (The remediation might take a few seconds to appear.)
  - To further refine the suggested remediation with an additional code snippet, select Edit Snippet and then regenerate.