Skip to main content

Built-in scanners

Built-in scanners in STO refer to a selection of supported scanners that are pre-configured to work seamlessly without requiring additional setup or licensing. These scanners leverage free or open-source versions of the tools, allowing you to perform scans without the need of buying commercial scanner licenses.

Avoiding detailed configurations and paid license requirements, the built-in scanners in STO can be used for free, with STO automatically handling the configuration for a quick setup. However, please note that while the scanners themselves are free, Harness executions will still incur billing charges. This feature is especially beneficial for teams looking to integrate security scanning into their workflows quickly and cost-effectively. In doing so, STO eliminates the need for detailed setup and ensures that users can start scanning immediately.

Here are the list of built-in scanners available for specific scan types. To learn how to configure, you can click on the scanner name in the below table or refer to Setup Built-in scanner section.

Scan typeBuilt-in scan supported scanners

Static Application Security Testing(SAST)

Sempgrep v1.102.0

Software Composition Analysis(SCA)

OWASP Dependency Check v12.0.0, OSV v1

Secret Detection

Gitleaks v8.22.1

Container Scanning

Aqua Trivy v0.58, Anchor Grype v0.86.1

Dynamic Application Security Testing(DAST)

Zed Attack Proxy(ZAP) v2.16.0

Infrastructure as Code(IaC)

Checkov v3.2.352

Setup a Built-in scanner

Setting up a built-in scanner is just the same as setting up any other scanner step in STO. In this case, STO automatically handles the configuration for an easy setup. You can set up the built-in scanner for any of the scan types mentioned in the table above. The scan setup process is consistent across all scan types. Here's how you can set it up:

  1. In your Build or Security stage, open the step palette by clicking the Add Step option in your pipeline.

  2. Navigate to the Built-in Scanners section under the Security Tests category.

  3. You will see all the supported scan types listed as steps. Select the one you want to perform.

  4. Once selected, you will view a list of supported scanners available for the selected scan type. Depending on the scan type and scanner availability, you may see one or multiple step options to select. Optionally, expand the scan step to pass any Additional CLI Flags if required.

  5. If you have selected Container or DAST steps, you will need to provide the necessary details like Container Information or Domain Information, respectively.

  6. Click Add Scanner to add the selected scanner to your pipeline. The Target and Variant will be automatically detected by STO.

If needed, you can modify the step configuration by clicking on the scan step in the pipeline. If no further configuration is required, your scan step is ready to perform the scan. Please note that settings such as Log Level and Fail on Severity are set to their default values.