CISA KEV
Harness STO helps you prioritize security issues based on real-world exploitation risk. For issues with a Common Vulnerabilities and Exposures (CVE) identifier, STO shows whether the CVE appears in the CISA Known Exploited Vulnerabilities (KEV) catalog. Use this signal on the Issues page and Vulnerabilities tab to focus remediation on CVEs CISA has confirmed are actively exploited.
- Feature flag: This feature is behind
STO_ISSUE_KEV. Contact Harness Support to enable it. - CVE requirement: CISA KEV applies only to issues with a CVE ID.
- Catalog updates: CISA updates the catalog several times per week. STO refreshes each CVE's KEV status from the latest catalog snapshot.
What is CISA KEV?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) publishes a catalog of vulnerabilities with evidence of active exploitation. When a CVE appears in KEV, CISA has confirmed active exploitation in the wild.
What STO shows
STO exposes a single Yes or No signal for each CVE-associated finding:
- Yes: The CVE appears in the CISA KEV catalog. CISA confirms active exploitation.
- No: CISA has not listed this CVE as actively exploited. The finding may still be Critical or have a public exploit.
View and filter CISA KEV in STO
STO displays CISA KEV on the Issues page and the Vulnerabilities tab. You can inspect the signal on an individual issue or filter the full list.
- Go to the Issues page at the project level, or open the Vulnerabilities tab for a pipeline execution.
- Select an issue from the list and In the Issue Details side pane, locate the CISA KEV field. It shows Yes or No.
How CISA KEV relates to other signals
Each prioritization signal measures a different aspect of risk. Use the list below to understand what each signal means and when to use it.
- CISA KEV: Indicates whether CISA has confirmed active exploitation of this CVE and listed it in the KEV catalog.
- EPSS score: Estimates the statistical likelihood that this CVE will be exploited in the next 30 days.
- Reachability: Indicates whether the vulnerable code path is reachable in your application based on static analysis.
- Exploitability (scanner-specific): Indicates whether the scanner has found evidence of a known exploit or proof-of-concept for this CVE.
- Severity (CVSS): Rates the theoretical impact of the vulnerability if it is exploited, independent of whether exploitation has occurred.
Enforce OPA policy
You can block pipelines when scan results include more CISA KEV issues than your team allows using an OPA policy. Go to Account Settings, select Policies, and search for the CISA KEV policy under Security Tests Entity.