EPSS score
Harness STO helps you identify security issues early in the pipeline by shifting vulnerability management left. However, identifying vulnerabilities alone is not sufficient - prioritizing them based on risk is equally important.
What is EPSS score?
To support risk-based prioritization, Harness STO surfaces the Exploit Prediction Scoring System (EPSS) score directly on the Issues and Vulnerabilities page. EPSS score provides:
Probability: The likelihood (0–100%) that a Common Vulnerabilities and Exposures (CVE) will be exploited in the wild within the next 30 days.
Percentile: The relative ranking of the CVE’s exploitation likelihood compared to other CVEs.
Most vulnerabilities, even those rated High or Critical by the Common Vulnerability Scoring System (CVSS), are never exploited in the wild. A vulnerability may have a CVSS score of 9 or 10 and still be unlikely to be exploited. EPSS instead takes a risk-based approach and helps you focus on vulnerabilities based on real-world exploitation signals rather than theoretical impact alone.
- EPSS scores are updated once every 24 hours.
- All issues with a CVE ID are assigned an EPSS score.
- This feature is behind the feature flag STO_ISSUE_EPSS. Contact Harness Support to enable it.
Navigate to Issues Section
Select an issue from the list in the Issues section to open the Issue Details sideview pane. The EPSS score is shown for any issue that has a CVE ID associated with it. You can also view the EPSS score in the Vulnerabilities tab, where you can apply filters to sort vulnerabilities by EPSS probability and percentile.
Enforce OPA Policy
Block vulnerabilities based on EPSS probability and percentile using an OPA policy. Navigate to Account Settings, select Policies, and search for the EPSS policy. Open the policy and configure the maximum permitted EPSS threshold and percentile. Vulnerabilities exceeding the defined values will be blocked according to the policy configuration.
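As an added illustration of the kind of policy described above (not the EPSS policy shipped by Harness), the following Rego denies issues whose EPSS values exceed configured thresholds. The input shape (`input.issues[_].cve`, `input.issues[_].epss.probability`, `input.issues[_].epss.percentile` as 0–1 fractions) and the threshold values are assumptions for the example.

```rego
package sto.epss

# Added example; thresholds are constructed values, not Harness defaults.
# EPSS probability and percentile are assumed to arrive as 0-1 fractions.
max_probability := 0.10  # block above a 10% chance of exploitation in 30 days
max_percentile := 0.90   # block above the 90th percentile of all scored CVEs

# Assumed input shape (hypothetical, not confirmed by the Harness docs):
#   input.issues[_].cve               e.g. "CVE-XXXX-NNNNN"
#   input.issues[_].epss.probability  e.g. 0.42
#   input.issues[_].epss.percentile   e.g. 0.97

# Only issues with a CVE ID carry an EPSS score. An issue without an
# epss object makes the reference undefined, so it is simply skipped.
scored_issue[issue] {
    issue := input.issues[_]
    issue.cve != ""
    issue.epss.probability >= 0
}

# Deny when the 30-day exploitation probability is above the threshold.
deny[msg] {
    issue := scored_issue[_]
    issue.epss.probability > max_probability
    msg := sprintf("%s blocked: EPSS probability %.1f%% exceeds %.1f%%",
        [issue.cve, issue.epss.probability * 100, max_probability * 100])
}

# Deny when the CVE ranks above the permitted percentile.
deny[msg] {
    issue := scored_issue[_]
    issue.epss.percentile > max_percentile
    msg := sprintf("%s blocked: EPSS percentile %.1f exceeds %.1f",
        [issue.cve, issue.epss.percentile * 100, max_percentile * 100])
}
```

Lowering either threshold makes the policy stricter; an issue that trips both rules produces two messages in the `deny` set.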
