Security Step Settings Reference

This topic includes the Security step settings for each of the scanner providers supported by Harness.

Scan Approach Types

Harness Security Testing Orchestration integrates with multiple scanners and targets. Different types of scan approaches can be done on each scanner-target combination:

  • orchestratedScan: fully orchestrated. Security Testing Orchestration starts a new scan, then normalizes and compresses the scan results.
  • ingestionOnly: not orchestrated. The results of a scan that was run previously (or in an earlier step of the Pipeline) are handed to Security Testing Orchestration for normalization and compression.
  • dataLoad: partially orchestrated. The results of a previously run scan already exist in the scan tool vendor's SaaS; the data is pulled, normalized, and compressed by Security Testing Orchestration.

The scanner, targets, and scan approach combinations are covered in the next section.

Scanners, Target Types, and Scan Approach

The following scanners are supported.

Scanner Name | Scan Target Type | Scan Approach
Aqua Trivy | container | orchestratedScan, ingestionOnly
Image scanning - Amazon ECR | container | dataLoad
AWS Security Hub | container | dataLoad
Bandit | repository | orchestratedScan, ingestionOnly
Black Duck Open Hub | repository, container | orchestratedScan, ingestionOnly
Brakeman | repository | orchestratedScan, ingestionOnly
Burp | instance | ingestionOnly
Checkmarx | repository | orchestratedScan, dataLoad, ingestionOnly
Data Theorem | repository | dataLoad, ingestionOnly
Docker Content Trust (DCT) | container | orchestratedScan, ingestionOnly
Docker Content Trust (clair) | container | orchestratedScan, ingestionOnly
External (JSON upload v2) | container, repository, instance, configuration | ingestionOnly
Fortify | repository | ingestionOnly
Fortify on Demand | repository | orchestratedScan, dataLoad, ingestionOnly
Grype | container, repository | orchestratedScan, ingestionOnly
Mend (formerly WhiteSource) | repository | orchestratedScan, ingestionOnly
Metasploit | instance | orchestratedScan, ingestionOnly
Nessus | instance | orchestratedScan, ingestionOnly
Nexus IQ | instance | orchestratedScan, ingestionOnly
Nikto | instance | orchestratedScan, ingestionOnly
Nmap ("Network Mapper") | instance | orchestratedScan, ingestionOnly
OpenVAS | instance | orchestratedScan, ingestionOnly
OWASP | repository | orchestratedScan, ingestionOnly
Prisma Cloud (formerly Twistlock) | container | orchestratedScan, dataLoad, ingestionOnly
Prowler | repository | orchestratedScan, ingestionOnly
Qualys Web Application Scanning (WAS) | instance | ingestionOnly
Reapsaw | repository | ingestionOnly
ScoutSuite | configuration | ingestionOnly
ShiftLeft | repository | orchestratedScan, dataLoad, ingestionOnly
Sniper | instance | orchestratedScan, ingestionOnly
Snyk | repository, container | orchestratedScan (repository only), ingestionOnly
SonarQube SonarScanner | repository | orchestratedScan, dataLoad, ingestionOnly
Tenable.io | instance | orchestratedScan, dataLoad, ingestionOnly
Veracode | repository | orchestratedScan, dataLoad, ingestionOnly
JFrog Xray | container | ingestionOnly
Zed Attack Proxy (ZAP) | instance | orchestratedScan, ingestionOnly

Test Targets

The following table specifies where the target to be tested is located.

Target Name | Target Type
azure | repository
bitbucket | repository
github | repository
gitlab | repository
local_image | container
docker_v2 | container
jfrog_artifactory | container
aws_ecr | container
website | instance

Using Scanner Providers in the Security Step

To use any supported scanner provider in the Harness Security step, provide the setting:value pairs for that scanner.

For example, here are the setting:value pairs for Aqua Trivy:

The Aqua Trivy-specific settings are just scan_type and policy_type. The rest of the settings are common to all scanners where the scan_type is container.

The following sections list the setting:value pairs for each provider.

All Scan Types

The following settings apply to all scanners.

  • scan_type
    • accepted values: container, repository, instance, configuration.

Repository Scan Type Settings

The following settings apply to all scanners where the scan_type is repository.

  • repository_project (required)
  • repository_branch (required)

Container Scan Type Settings

The following settings apply to all scanners where the scan_type is containerImage.

  • container_project (required)
  • container_tag (required)
  • container_type
    • accepted value(s): local_image, docker_v2, jfrog_artifactory, aws_ecr
      • for container_type set to local
        • None
      • for container_type set to docker_v2
        • container_access_id: Username
        • container_access_token: Password/Token
      • for container_type set to jfrog_artifactory
        • container_access_id: Username
        • container_access_token: Password/Token
      • for container_type set to aws_ecr
        • container_access_id: Username
        • container_access_token: Password/Token
        • container_region: AWS default region
  • container_domain

Instance Scan Type Settings

The following settings apply to all scanners where the scan_type is instance.

  • instance_identifier (required)
  • instance_environment (required)
  • instance_domain
  • instance_path
  • instance_protocol
  • instance_port
  • instance_type
    • accepted value(s): website

Configuration Scan Type Settings

The following settings apply to all scanners where the scan_type is configuration.

  • configuration_type
    • accepted value(s): aws_account
  • configuration_region
  • configuration_environment
  • configuration_access_id
  • configuration_access_token
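As an added example (not Harness code), the following Python helper encodes the rules from the All Scan Types through Configuration Scan Type sections above and checks a Security step settings map before it is committed to a pipeline, so a missing required key or registry credential is caught locally rather than as a failed step. It assumes the settings are available as a plain dict of setting:value pairs; the sample input and its values are constructed.

```python
"""Pre-flight check for a Harness Security step settings map (added example,
not Harness code). Encodes the per-scan_type rules from this reference: required
keys, accepted container_type values, and the credentials each registry-backed
container_type needs. Assumes the settings are available as a plain dict."""

SCAN_TYPES = ("container", "repository", "instance", "configuration")

# Keys marked (required) for each scan_type in the sections above.
REQUIRED_BY_SCAN_TYPE = {
    "repository": ("repository_project", "repository_branch"),
    "container": ("container_project", "container_tag"),
    "instance": ("instance_identifier", "instance_environment"),
    "configuration": (),
}

# Extra keys per container_type: local_image needs none, registries need
# credentials, and aws_ecr additionally needs a region.
CONTAINER_TYPE_KEYS = {
    "local_image": (),
    "docker_v2": ("container_access_id", "container_access_token"),
    "jfrog_artifactory": ("container_access_id", "container_access_token"),
    "aws_ecr": ("container_access_id", "container_access_token", "container_region"),
}


def validate_settings(settings):
    """Return a list of problems found; an empty list means the map passes."""
    problems = []
    scan_type = settings.get("scan_type")
    if scan_type not in SCAN_TYPES:
        return [f"scan_type must be one of {list(SCAN_TYPES)}, got {scan_type!r}"]
    for key in REQUIRED_BY_SCAN_TYPE[scan_type]:
        if not settings.get(key):
            problems.append(f"{key} is required when scan_type is {scan_type}")
    if scan_type == "container":
        ctype = settings.get("container_type")
        if ctype in CONTAINER_TYPE_KEYS:
            for key in CONTAINER_TYPE_KEYS[ctype]:
                if not settings.get(key):
                    problems.append(f"{key} is required when container_type is {ctype}")
        elif ctype is not None:
            problems.append(f"container_type must be one of {list(CONTAINER_TYPE_KEYS)}, got {ctype!r}")
    elif scan_type == "configuration":
        conf_type = settings.get("configuration_type")
        if conf_type is not None and conf_type != "aws_account":
            problems.append(f"configuration_type accepts only aws_account, got {conf_type!r}")
    return problems


# Constructed sample: an ECR image scan whose region was left out.
SAMPLE_ECR_SCAN = {
    "scan_type": "container", "container_project": "payments-api",
    "container_tag": "1.4.2", "container_type": "aws_ecr",
    "container_access_id": "placeholder-id", "container_access_token": "placeholder-token",
}

if __name__ == "__main__":
    for problem in validate_settings(SAMPLE_ECR_SCAN):
        print("settings error:", problem)
```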

Aqua Trivy

See Aqua Trivy Scanner Reference

Image scanning - Amazon ECR

When product_name is set to aws-ecr:

  • scan_type = container
  • policy_type = dataLoad
  • product_config_name = default
  • container_project = The name of the scanned ECR container with the results you want to ingest.
  • container_tag = The container tag for the given container project.
  • configuration_access_id = Your AWS Access ID secret
  • configuration_access_token = Your AWS Access Token secret
  • configuration_region = The AWS region where the container is located. For example, us-east-1
  • container_domain = URI of the ECR container with the scan results you want to load.

AWS Security Hub

When product_name is set to aws-security-hub

  • scan_type
    • accepted value(s): configuration
  • policy_type
    • accepted value(s): dataLoad, ingestionOnly
  • product_config_name
    • Accepted value(s): default

Bandit

See Bandit Scanner Reference.

Black Duck Open Hub

When product_name is set to blackduckhub

  • scan_type
    • accepted value(s): repository, containerImage
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • When policy_type is set to orchestratedScan
    • product_domain
    • product_auth_type
      • accepted value(s): usernamePassword, apiKey
    • product_access_id: API username
    • product_access_token: API password or API key
    • product_api_version
    • product_project_name
    • product_project_version
  • product_config_name
    • Accepted value(s): default

Brakeman

When product_name is set to brakeman

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • product_config_name
    • Accepted value(s): default

Burp

When product_name is set to burp

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): ingestionOnly
  • product_config_name
    • Accepted value(s):
      • burp-default (CLI interface uses a Cybric extension)
      • burp-fast-and-max-depth-of-1 (Form fill disabled and max_link_depth=1)
      • burp-fast-mode (Turns off automatic form fill)

Checkmarx

When product_name is set to checkmarx

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, ingestionOnly
  • When policy_type is set to orchestratedScan or dataLoad
    • product_domain
    • product_access_id
    • product_access_token — The account password
    • product_team_name
      • accepted value(s): /<server-name>/<team-name>, for example /server1.myorg.org/devOpsEast
    • product_project_name
  • product_config_name
    • Accepted value(s): default
  • When policy_type is set to orchestratedScan
    • tool_args: Use this field to run the Checkmarx plugin with specific command-line arguments. To run an incremental scan, for example, specify tool_args = -incremental.

Running incremental scans with Checkmarx

In some cases, you might want to run an incremental rather than a full scan with Checkmarx due to time or licensing limits. An incremental scan evaluates only new or changed code in a merge or pull request. Incremental scans are faster than full scans, but become less accurate over time.

note

You should consider carefully when to run incremental vs. full scans. See When should I use Incremental Scans vs Full Scans in CxSAST? in the Checkmarx docs.

Data Theorem

When product_name is set to data-theorem

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): dataLoad, ingestionOnly
  • When policy_type is set to dataLoad
    • product_app_id
    • product_access_token
  • product_config_name
    • Accepted value(s): default

Docker Content Trust (DCT)

When product_name is set to docker-content-trust

  • scan_type
    • accepted value(s): containerImage
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • product_config_name
    • Accepted value(s): default

Docker Content Trust (clair)

When product_name is set to docker-content-trust (clair)

  • scan_type
    • accepted value(s): containerImage
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • product_url
  • product_access_id
  • product_access_token
  • product_config_name
    • Accepted value(s): default

External (JSON upload v2)

Go to Ingesting issues from other scanners.

Fortify

When product_name is set to fortify

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): ingestionOnly
  • product_config_name
    • Accepted value(s):
      • default

Fortify on Demand

When product_name is set to fortifyondemand

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, ingestionOnly
  • When policy_type is set to orchestratedScan or dataLoad
    • product_domain
    • product_access_id
    • product_access_token
    • product_owner_id
    • product_entitlement
    • product_scan_type
    • product_app_name
    • product_release_name
    • product_target_language
    • product_target_language_version
    • product_scan_settings
      • accepted values: Custom, default
    • product_audit_type
    • product_lookup_type
      • accepted values: Dynamic, Static, Mobile
    • product_data_center
  • product_config_name
    • Accepted value(s):
      • sast (if product_lookup_type = Static)
      • dast (if product_lookup_type = Dynamic)

Mend (formerly WhiteSource)

When product_name is set to whitesource

  • scan_type
    • Accepted value(s): ingestionOnly, dataLoad, orchestratedScan
  • product_domain (optional) — The default is https://saas.whitesourcesoftware.com/api
  • product_access_id
  • product_access_token
  • product_include
  • product_config_name = default
  • product_lookup_type (optional)
    • Accepted value(s) when policy_type is set to dataLoad:
      • byName
      • byTokens
    • Accepted value(s) when policy_type is set to orchestratedScan:
      • appendToProductByToken
      • appendToProductByName

note

You must configure the following settings depending on the product lookup type — i.e., whether you are using names or tokens to reference the Mend product:

  • product_product_name
  • product_project_name
  • product_project_token

Metasploit

When product_name is set to metasploit

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • product_config_name
    • Accepted value(s):
      • metasploit-weak-ssh (Brute-force test a host for weak SSH username/password pairs)
      • metasploit-openssl-heartbleed (Check HTTPS (443) for the Heartbleed vulnerability)
      • dynamic-by-cve (Finds and applies the Metasploit module for a given CVE)

Nessus

When product_name is set to nessus

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • When policy_type is set to orchestratedScan
    • product_domain
    • product_access_id
    • product_access_token
    • product_policy_id
    • product_scanner_id
    • product_template_uuid
  • product_config_name
    • Accepted value(s):
      • nessus-web-application

Nexus IQ

When product_name is set to nexusiq

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • When policy_type is set to orchestratedScan
    • product_domain
    • product_access_id
    • product_access_token
    • product_organization_id
    • product_project_name
    • product_lookup_type
      • accepted value(s): byPrivateId, byPublicId
    • When product_lookup_type is set to byPublicId
      • product_public_id
    • When product_lookup_type is set to byPrivateId
      • product_private_id
  • product_config_name
    • Accepted value(s): default

Nikto

When product_name is set to nikto

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • product_config_name
    • Accepted value(s):
      • default (Scan the host on port 80)
      • nikto-full (Scan the host on ports 80 and 443 with -Tuning 9)
      • nikto-full-web (Scan the host on ports 80 and 443)

Nmap ("Network Mapper")

When product_name is set to nmap

OpenVAS

When product_name is set to openvas

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • product_domain
  • product_access_id
  • product_access_token
  • product_config_name
    • Accepted value(s):
      • host-discovery (Do a host discovery scan on the network)
      • network-discovery (Do a network discovery scan)
      • full-and-very-deep (Do a full and very deep discovery scan)
      • openvas-system-discovery (Do a system discovery scan on the network)
      • default

OWASP

When product_name is set to owasp

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • product_config_name
    • Accepted value(s):
      • default

Prisma Cloud (formerly Twistlock)

When product_name is set to twistlock

  • scan_type
    • accepted value(s): containerImage
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, ingestionOnly
  • When policy_type is set to orchestratedScan or dataLoad
    • product_image_name
    • product_domain
    • product_access_id
    • product_access_token
  • product_config_name
    • Accepted value(s):
      • default

Prowler

When product_name is set to prowler

  • scan_type
    • accepted value(s): configuration
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • product_config_name
    • Accepted value(s):
      • default, hipaa, gdpr, exclude_extras

Qualys Web Application Scanning (WAS)

When product_name is set to qualys

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): ingestionOnly
  • product_config_name
    • Accepted value(s):
      • default

Reapsaw

When product_name is set to reapsaw

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): ingestionOnly
  • product_config_name
    • Accepted value(s):
      • default

ScoutSuite

When product_name is set to scoutsuite (AWS only)

  • scan_type
    • accepted value(s): configuration
  • policy_type
    • accepted value(s): ingestionOnly
  • product_config_name
    • Accepted value(s): default

ShiftLeft

When product_name is set to shiftleft

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, ingestionOnly
  • When policy_type is set to orchestratedScan or dataLoad
    • product_access_id
    • product_access_token
    • product_app_name
    • product_target_language
  • product_config_name
    • Accepted value(s):
      • default

Sniper

When product_name is set to sniper

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, ingestionOnly
  • product_config_name
    • Accepted value(s):
      • default (Run a basic Sniper scan on a target)
      • web (Sniper Stealth Mode)
      • stealth (Run the web-based scan)

Snyk

When product_name is set to snyk:

  • scan_type
    • accepted value(s): containerImage, repository
  • policy_type
    • accepted value for containerImage: ingestionOnly
    • accepted values for repository: orchestratedScan, ingestionOnly
  • product_access_token
  • product_config_name = default
  • snyk_api = URL to the Snyk instance, if you're using an on-prem installation.

SonarQube SonarScanner

Go to SonarQube SonarScanner Reference.

Tenable.io

When product_name is set to tenableio

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, ingestionOnly
  • When policy_type is set to orchestratedScan or dataLoad
    • product_domain
    • product_access_id
    • product_access_token
    • product_policy_id
    • product_scanner_id
    • product_template_uuid
  • product_config_name
    • Accepted value(s):
      • legacy-web-application-scan (Use the legacy Nessus scan inside Tenable.io)

Veracode

Go to Veracode Scanner Reference.

JFrog Xray

When product_name is set to xray

  • scan_type
    • accepted value(s): containerImage
  • policy_type
    • accepted value(s): ingestionOnly
  • product_config_name
    • Accepted value(s):
      • default

Zed Attack Proxy (ZAP)

Go to Zed Attack Proxy (ZAP) Scanner Reference.
