Security Step Settings Reference
This topic includes the Security step settings for each of the scanner providers supported by Harness.
Scan Approach Types
Harness Security Testing Orchestration integrates with multiple scanners and targets. Different types of scan approaches can be done on each scanner-target combination:
- orchestratedScan is fully orchestrated: Security Testing Orchestration runs a new scan, then normalizes and compresses (deduplicates) the results.
- ingestionOnly is not orchestrated: the results of a scan that was run previously (or by an earlier step in the Pipeline) are handed to Security Testing Orchestration for normalization and compression.
- dataLoad is partially orchestrated: the results of a previously run scan are pulled from the scan tool vendor's SaaS, then normalized and compressed by Security Testing Orchestration.
The scanner, targets, and scan approach combinations are covered in the next section.
Scanners, Target Types, and Scan Approach
The following scanners are supported.
| Scanner Name | Scan Target Type | Scan Approach |
|---|---|---|
| Aqua Trivy | container | orchestratedScan, ingestionOnly |
| Image scanning - Amazon ECR | container | dataLoad |
| AWS Security Hub | configuration | dataLoad, ingestionOnly |
| Bandit | repository | orchestratedScan, ingestionOnly |
| Black Duck Open Hub | repository, container | orchestratedScan, ingestionOnly |
| Brakeman | repository | orchestratedScan, ingestionOnly |
| Burp | instance | ingestionOnly |
| Checkmarx | repository | orchestratedScan, dataLoad, ingestionOnly |
| Data Theorem | repository | dataLoad, ingestionOnly |
| Docker Content Trust (DCT) | container | orchestratedScan, ingestionOnly |
| Docker Content Trust (clair) | container | orchestratedScan, ingestionOnly |
| External (JSON upload v2) | container, repository, instance, configuration | ingestionOnly |
| Fortify | repository | ingestionOnly |
| Fortify on Demand | repository | orchestratedScan, dataLoad, ingestionOnly |
| Grype | container, repository | orchestratedScan, ingestionOnly |
| Mend (formerly WhiteSource) | repository | orchestratedScan, dataLoad, ingestionOnly |
| Metasploit | instance | orchestratedScan, ingestionOnly |
| Nessus | instance | orchestratedScan, ingestionOnly |
| Nexus IQ | repository | orchestratedScan, ingestionOnly |
| Nikto | instance | orchestratedScan, ingestionOnly |
| Nmap ("Network Mapper") | instance | orchestratedScan, ingestionOnly |
| OpenVAS | instance | orchestratedScan, ingestionOnly |
| OWASP | repository | orchestratedScan, ingestionOnly |
| Prisma Cloud (formerly Twistlock) | container | orchestratedScan, dataLoad, ingestionOnly |
| Prowler | configuration | orchestratedScan, ingestionOnly |
| Qualys Web Application Scanning (WAS) | instance | ingestionOnly |
| Reapsaw | repository | ingestionOnly |
| ScoutSuite | configuration | ingestionOnly |
| ShiftLeft | repository | orchestratedScan, dataLoad, ingestionOnly |
| Sniper | instance | orchestratedScan, ingestionOnly |
| Snyk | repository, container | orchestratedScan (repository only), ingestionOnly |
| SonarQube SonarScanner | repository | orchestratedScan, dataLoad, ingestionOnly |
| Tenable.io | instance | orchestratedScan, dataLoad, ingestionOnly |
| Veracode | repository | orchestratedScan, dataLoad, ingestionOnly |
| JFrog Xray | container | ingestionOnly |
| Zed Attack Proxy (ZAP) | instance | orchestratedScan, ingestionOnly |
Test Targets
The following table lists the supported target locations and the target type each belongs to.
| Target Name | Target Type |
|---|---|
| azure | repository |
| bitbucket | repository |
| github | repository |
| gitlab | repository |
| local_image | container |
| docker_v2 | container |
| jfrog_artifactory | container |
| aws_ecr | container |
| website | instance |
Using Scanner Providers in the Security Step
To use any supported scanner provider in the Harness Security step, you provide the setting:value pairs for that scanner.
For example, here are the setting:value pairs for Aqua Trivy:
The Aqua Trivy-specific settings are just `product_name` and `product_config_name`. The rest of the settings are common to all scanners where the `scan_type` is `container`.
The following sections list the setting:value pairs for each provider.
All Scan Types
The following settings apply to all scanners.
- `scan_type` - accepted values: `container`, `repository`, `instance`, `configuration`
- `policy_type` - accepted values: `orchestratedScan`, `ingestionOnly`, `dataLoad` (see Scan Approach Types above; each scanner supports only the subset listed in its section)
- `product_name` - the scanner identifier given in each scanner's section below
- `product_config_name` - the scanner-specific configuration name; accepted values are listed in each scanner's section
Repository Scan Type Settings
The following settings apply to all scanners where the `scan_type` is `repository`.
- `repository_project` (required)
- `repository_branch` (required)
Container Scan Type Settings
The following settings apply to all scanners where the `scan_type` is `container`.
- `container_project` (required)
- `container_tag` (required)
- `container_type` - accepted value(s): `local_image`, `docker_v2`, `jfrog_artifactory`, `aws_ecr`
  - for `container_type` set to `local_image`: none
  - for `container_type` set to `docker_v2`: `container_access_id` (username), `container_access_token` (password/token)
  - for `container_type` set to `jfrog_artifactory`: `container_access_id` (username), `container_access_token` (password/token)
  - for `container_type` set to `aws_ecr`: `container_access_id` (username), `container_access_token` (password/token), `container_region` (AWS default region)
- `container_domain`
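The container settings above in practice, as an added example that is not part of this page: a Security step that orchestrates an Aqua Trivy scan of an image pulled from a private Docker v2 registry, so the registry credentials are required on top of the common settings. The step wrapper (`type: Security`, `spec.settings`, `privileged`) and the `product_name`/`product_config_name` value `aqua-trivy` are assumptions about the Harness STO step format, not stated on this page; the registry host, image name, tag and secret names are placeholders.

```yaml
# Added example (not from this page). Step wrapper, privileged flag and the
# aqua-trivy product_name/product_config_name values are assumptions.
- step:
    type: Security
    name: Trivy image scan
    identifier: trivy_image_scan
    spec:
      privileged: true                 # assumption: orchestrated image scans run docker-in-docker in STO
      settings:
        # common to all scanners
        policy_type: orchestratedScan  # run a fresh scan; ingestionOnly would only normalize earlier results
        scan_type: container
        product_name: aqua-trivy         # assumed value
        product_config_name: aqua-trivy  # assumed value
        # common container settings (this page)
        container_type: docker_v2
        container_domain: registry.example.internal   # placeholder registry host
        container_project: payments/api               # placeholder image repository
        container_tag: 1.4.2                          # placeholder tag; pin a tag, not "latest"
        # required only because container_type is docker_v2 (local_image needs no credentials);
        # Harness secret expressions, secret names are placeholders
        container_access_id: <+secrets.getValue("registry_read_user")>
        container_access_token: <+secrets.getValue("registry_read_token")>
```

Use a registry credential that can only pull: the step never needs push rights, and a leaked pipeline secret with push access would let an attacker replace the very image being scanned. For `local_image`, drop the two `container_access_*` lines and scan the image the build left in the local daemon before it is pushed anywhere.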
Instance Scan Type Settings
The following settings apply to all scanners where the `scan_type` is `instance`.
- `instance_identifier` (required)
- `instance_environment` (required)
- `instance_domain`
- `instance_path`
- `instance_protocol`
- `instance_port`
- `instance_type` - accepted value(s): `website`
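An instance scan assembled from the settings above, as an added example that is not part of this page: a Nikto step against a staging web application, using the `nikto-full-web` configuration listed in the Nikto section further down. The step wrapper is an assumption about the Harness STO step format; the host, path, identifier and environment values are placeholders.

```yaml
# Added example (not from this page). Step wrapper is an assumption; target values are placeholders.
- step:
    type: Security
    name: Nikto staging scan
    identifier: nikto_staging_scan
    spec:
      settings:
        policy_type: orchestratedScan
        scan_type: instance
        product_name: nikto
        product_config_name: nikto-full-web   # ports 80 and 443; nikto-full adds -Tuning 9 (SQL injection checks)
        # required instance settings
        instance_identifier: payments-api     # logical name the findings are grouped under
        instance_environment: staging
        # how the scanner reaches the target: https://staging.payments.example.internal:443/api
        instance_type: website
        instance_protocol: https
        instance_domain: staging.payments.example.internal
        instance_port: 443
        instance_path: /api
```

`instance_identifier` and `instance_environment` are what Security Testing Orchestration keys the results on, so keep them stable across runs (the same application in `staging` and `prod` should share an identifier and differ only in environment), otherwise every run looks like a brand-new target and issue history is lost. Point instance scanners only at hosts you own or are authorised to test; the `-Tuning 9` profile sends injection payloads.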
Configuration Scan Type Settings
The following settings apply to all scanners where the `scan_type` is `configuration`.
- `configuration_type` - accepted value(s): `aws_account`
- `configuration_region`
- `configuration_environment`
- `configuration_access_id`
- `configuration_access_token`
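A configuration scan built from the settings above, as an added example that is not part of this page: a Prowler step auditing one AWS account, using the `product_config_name` values listed in the Prowler section further down. The step wrapper is an assumption about the Harness STO step format; the region, environment and secret names are placeholders.

```yaml
# Added example (not from this page). Step wrapper is an assumption; values are placeholders.
- step:
    type: Security
    name: Prowler AWS audit
    identifier: prowler_aws_audit
    spec:
      settings:
        policy_type: orchestratedScan
        scan_type: configuration
        product_name: prowler
        product_config_name: default       # other values on this page: hipaa, gdpr, exclude_extras
        # configuration scan settings
        configuration_type: aws_account
        configuration_region: us-east-1
        configuration_environment: prod    # how the account shows up in STO results
        # Harness secret expressions; the IAM user behind them should be audit/read-only
        configuration_access_id: <+secrets.getValue("prowler_audit_key_id")>
        configuration_access_token: <+secrets.getValue("prowler_audit_secret")>
```

The access key pair here is the one setting worth reviewing carefully: a configuration audit needs read and describe permissions across the account, which is a wide blast radius if the secret leaks from the pipeline. Give the scanning identity only the read-only managed policies Prowler documents (SecurityAudit and ViewOnlyAccess), not an admin key, and rotate it like any other long-lived credential.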
Aqua Trivy
See Aqua Trivy Scanner Reference
Image scanning - Amazon ECR
When `product_name` is set to `aws-ecr`:
- `scan_type` = `container`
- `policy_type` = `dataLoad`
- `product_config_name` = `default`
- `container_project` = The name of the scanned ECR container with the results you want to ingest.
- `container_tag` = The container tag for the given container project.
- `configuration_access_id` = Your AWS Access ID secret
- `configuration_access_token` = Your AWS Access Token secret
- `configuration_region` = The AWS region where the container is located. For example, `us-east-1`
- `container_domain` = URI of the ECR container with the scan results you want to load.
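The ECR dataLoad settings above as one step, added here as an example that is not part of this page. Nothing is scanned by this step: it pulls the findings that ECR's own image scanning already produced for the given image and tag. The step wrapper is an assumption about the Harness STO step format; the account ID in the registry URI, the image name, tag and secret names are placeholders.

```yaml
# Added example (not from this page). Step wrapper is an assumption; values are placeholders.
- step:
    type: Security
    name: Load ECR scan findings
    identifier: load_ecr_scan_findings
    spec:
      settings:
        policy_type: dataLoad          # load existing ECR results; no scanner runs in this step
        scan_type: container
        product_name: aws-ecr
        product_config_name: default
        # which image's findings to load
        container_project: payments/api    # ECR repository name
        container_tag: 1.4.2               # must be a tag ECR has actually scanned
        container_domain: 123456789012.dkr.ecr.us-east-1.amazonaws.com   # placeholder registry URI
        # note: ECR uses the configuration_* credential settings, not container_access_*
        configuration_region: us-east-1
        configuration_access_id: <+secrets.getValue("ecr_findings_reader_key_id")>
        configuration_access_token: <+secrets.getValue("ecr_findings_reader_secret")>
```

Two checks before relying on this: the tag must already have a completed ECR scan (scan-on-push or a manual scan), or there is nothing to load; and the credential only needs the read actions that return findings (`ecr:DescribeImageScanFindings`, `ecr:DescribeImages`), so do not reuse the CI push credential for it.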
AWS Security Hub
When `product_name` is set to `aws-security-hub`:
- `scan_type` - accepted value(s): `configuration`
- `policy_type` - accepted value(s): `dataLoad`, `ingestionOnly`
- `product_config_name` - accepted value(s): `default`
Bandit
Black Duck Open Hub
When `product_name` is set to `blackduckhub`:
- `scan_type` - accepted value(s): `repository`, `container`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- When `policy_type` is set to `orchestratedScan`:
  - `product_domain`
  - `product_auth_type` - accepted value(s): `usernamePassword`, `apiKey`
  - `product_access_id`: API username
  - `product_access_token`: API password or API key
  - `product_api_version`
  - `product_project_name`
  - `product_project_version`
- `product_config_name` - accepted value(s): `default`
Brakeman
When `product_name` is set to `brakeman`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_config_name` - accepted value(s): `default`
Burp
When `product_name` is set to `burp`:
- `scan_type` - accepted value(s): `instance`
- `policy_type` - accepted value(s): `ingestionOnly`
- `product_config_name` - accepted value(s):
  - `burp-default` (CLI interface uses a Cybric extension)
  - `burp-fast-and-max-depth-of-1` (Form fill disabled and max_link_depth=1)
  - `burp-fast-mode` (Turns off automatic form fill)
Checkmarx
When `product_name` is set to `checkmarx`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `orchestratedScan`, `dataLoad`, `ingestionOnly`
- When `policy_type` is set to `orchestratedScan` or `dataLoad`:
  - `product_domain`
  - `product_access_id`
  - `product_access_token` - The account password
  - `product_team_name` - accepted value(s): `/<server-name>/<team-name>`, for example `/server1.myorg.org/devOpsEast`
  - `product_project_name`
- `product_config_name` - accepted value(s): `default`
- When `policy_type` is set to `orchestratedScan`:
  - `tool_args` - You can use this field to run the Checkmarx plugin with specific command-line arguments. To run an incremental scan, for example, specify `tool_args` = `-incremental`.
Running incremental scans with Checkmarx
In some cases, you might want to run an incremental rather than a full scan with Checkmarx due to time or licensing limits. An incremental scan evaluates only new or changed code in a merge or pull request. Incremental scans are faster than full scans, but become less accurate over time.
You should consider carefully when to run incremental vs. full scans. See When should I use Incremental Scans vs Full Scans in CxSAST? in the Checkmarx docs.
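The incremental-versus-full trade-off as a pipeline would express it, added here as an example that is not part of this page: an orchestrated Checkmarx step for pull-request builds that passes `-incremental` through `tool_args`, with the same step configured for a full scan on the main branch. The step wrapper is an assumption about the Harness STO step format; `<+codebase.branch>` is a Harness built-in expression for the checked-out branch; the Checkmarx host, team path, project and secret names are placeholders.

```yaml
# Added example (not from this page). Step wrapper is an assumption; hosts, names and secrets are placeholders.
# Pull-request pipeline: fast incremental scan of only the changed code.
- step:
    type: Security
    name: Checkmarx PR scan
    identifier: checkmarx_pr_scan
    spec:
      settings:
        policy_type: orchestratedScan
        scan_type: repository
        product_name: checkmarx
        product_config_name: default
        repository_project: payments-api
        repository_branch: <+codebase.branch>
        product_domain: https://checkmarx.example.internal
        product_access_id: <+secrets.getValue("cx_sast_user")>
        product_access_token: <+secrets.getValue("cx_sast_password")>   # the account password
        product_team_name: /checkmarx.example.internal/devOpsEast      # /<server-name>/<team-name>
        product_project_name: payments-api
        tool_args: -incremental        # only new or changed code is evaluated
# Main-branch (or nightly) pipeline: identical settings without tool_args, so Checkmarx
# runs a full scan and resets the baseline the incremental scans drift away from.
- step:
    type: Security
    name: Checkmarx full scan
    identifier: checkmarx_full_scan
    spec:
      settings:
        policy_type: orchestratedScan
        scan_type: repository
        product_name: checkmarx
        product_config_name: default
        repository_project: payments-api
        repository_branch: main
        product_domain: https://checkmarx.example.internal
        product_access_id: <+secrets.getValue("cx_sast_user")>
        product_access_token: <+secrets.getValue("cx_sast_password")>
        product_team_name: /checkmarx.example.internal/devOpsEast
        product_project_name: payments-api
```

Both steps must point at the same `product_project_name` and team path: an incremental scan only makes sense against the full-scan baseline of the same Checkmarx project, and the periodic full scan is what keeps the incremental results from becoming stale, which is the accuracy caveat the paragraph above describes.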
Data Theorem
When `product_name` is set to `data-theorem`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `dataLoad`, `ingestionOnly`
- When `policy_type` is set to `dataLoad`:
  - `product_app_id`
  - `product_access_token`
- `product_config_name` - accepted value(s): `default`
Docker Content Trust (DCT)
When `product_name` is set to `docker-content-trust`:
- `scan_type` - accepted value(s): `container`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_config_name` - accepted value(s): `default`
Docker Content Trust (clair)
When `product_name` is set to `docker-content-trust` (clair):
- `scan_type` - accepted value(s): `container`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_url`
- `product_access_id`
- `product_access_token`
- `product_config_name` - accepted value(s): `default`
External (JSON upload v2)
Go to Ingesting issues from other scanners.
Fortify
When `product_name` is set to `fortify`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `ingestionOnly`
- `product_config_name` - accepted value(s): `default`
Fortify on Demand
When `product_name` is set to `fortifyondemand`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `orchestratedScan`, `dataLoad`, `ingestionOnly`
- When `policy_type` is set to `orchestratedScan` or `dataLoad`:
  - `product_domain`
  - `product_access_id`
  - `product_access_token`
  - `product_owner_id`
  - `product_entitlement`
  - `product_scan_type`
  - `product_app_name`
  - `product_release_name`
  - `product_target_language`
  - `product_target_language_version`
  - `product_scan_settings` - accepted values: `Custom`, `default`
  - `product_audit_type`
  - `product_lookup_type` - accepted values: `Dynamic`, `Static`, `Mobile`
  - `product_data_center`
- `product_config_name` - accepted value(s): `sast` (if `product_lookup_type` = `Static`), `dast` (if `product_lookup_type` = `Dynamic`)
Mend (formerly WhiteSource)
When `product_name` is set to `whitesource`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `ingestionOnly`, `dataLoad`, `orchestratedScan`
- `product_domain` (optional) - The default is `https://saas.whitesourcesoftware.com/api`
- `product_access_id`
- `product_access_token`
- `product_include`
- `product_config_name` = `default`
- `product_lookup_type` (optional)
  - Accepted value(s) when `policy_type` is set to `dataLoad`: `byName`, `byTokens`
  - Accepted value(s) when `policy_type` is set to `orchestratedScan`: `appendToProductByToken`, `appendToProductByName`
You must configure the following settings depending on the product lookup type, that is, whether you reference the Mend product and project by name or by token:
- by name: `product_product_name`, `product_project_name`
- by token: `product_product_token`, `product_project_token`
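The two Mend lookup styles side by side, added here as an example that is not part of this page: two dataLoad steps that differ only in `product_lookup_type` and the settings that go with it. The step wrapper is an assumption about the Harness STO step format; `product_product_token` is assumed as the product-level counterpart of `product_project_token`; product and project names, and all secret names, are placeholders.

```yaml
# Added example (not from this page). Step wrapper and product_product_token are assumptions;
# names and secret names are placeholders.
# Lookup by name: human-readable, but breaks if someone renames the product or project in Mend.
- step:
    type: Security
    name: Mend load by name
    identifier: mend_load_by_name
    spec:
      settings:
        policy_type: dataLoad
        scan_type: repository
        product_name: whitesource
        product_config_name: default
        repository_project: payments-api
        repository_branch: main
        product_access_id: <+secrets.getValue("mend_user_key")>
        product_access_token: <+secrets.getValue("mend_api_key")>
        product_lookup_type: byName
        product_product_name: Payments Platform
        product_project_name: payments-api
# Lookup by token: stable across renames; the tokens come from the Mend UI/API.
- step:
    type: Security
    name: Mend load by token
    identifier: mend_load_by_token
    spec:
      settings:
        policy_type: dataLoad
        scan_type: repository
        product_name: whitesource
        product_config_name: default
        repository_project: payments-api
        repository_branch: main
        product_access_id: <+secrets.getValue("mend_user_key")>
        product_access_token: <+secrets.getValue("mend_api_key")>
        product_lookup_type: byTokens
        product_product_token: <+secrets.getValue("mend_product_token")>
        product_project_token: <+secrets.getValue("mend_project_token")>
```

Prefer the token form in pipelines that must keep working unattended: a rename in Mend silently turns a by-name load into "no results" rather than an error. Keep the tokens in Harness secrets alongside the API key; they are accepted by the Mend API as identifiers and should not live in plain pipeline YAML.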
Metasploit
When `product_name` is set to `metasploit`:
- `scan_type` - accepted value(s): `instance`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_config_name` - accepted value(s):
  - `metasploit-weak-ssh` (Brute-force test a host for weak SSH username/password pairs)
  - `metasploit-openssl-heartbleed` (Check https (443) for the Heartbleed vulnerability)
  - `dynamic-by-cve` (Finds and applies a Metasploit module by CVE)
Nessus
When `product_name` is set to `nessus`:
- `scan_type` - accepted value(s): `instance`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- When `policy_type` is set to `orchestratedScan`:
  - `product_domain`
  - `product_access_id`
  - `product_access_token`
  - `product_policy_id`
  - `product_scanner_id`
  - `product_template_uuid`
- `product_config_name` - accepted value(s): `nessus-web-application`
Nexus IQ
When `product_name` is set to `nexusiq`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- When `policy_type` is set to `orchestratedScan`:
  - `product_domain`
  - `product_access_id`
  - `product_access_token`
  - `product_organization_id`
  - `product_project_name`
  - `product_lookup_type` - accepted value(s): `byPrivateId`, `byPublicId`
    - When `product_lookup_type` is set to `byPublicId`: `product_public_id`
    - When `product_lookup_type` is set to `byPrivateId`: `product_private_id`
- `product_config_name` - accepted value(s): `default`
Nikto
When `product_name` is set to `nikto`:
- `scan_type` - accepted value(s): `instance`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_config_name` - accepted value(s):
  - `default` (Scan the host on port 80)
  - `nikto-full` (Scan the host on ports 80 and 443 with `-Tuning 9`)
  - `nikto-full-web` (Scan the host on ports 80 and 443)
Nmap ("Network Mapper")
When `product_name` is set to `nmap`:
- `scan_type` - accepted value(s): `instance`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_config_name`
OpenVAS
When `product_name` is set to `openvas`:
- `scan_type` - accepted value(s): `instance`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_domain`
- `product_access_id`
- `product_access_token`
- `product_config_name` - accepted value(s):
  - `host-discovery` (Do a host discovery scan on the network)
  - `network-discovery` (Do a network discovery scan)
  - `full-and-very-deep` (Do a full and very deep discovery scan)
  - `openvas-system-discovery` (Do a system discovery scan on the network)
  - `default`
OWASP
When `product_name` is set to `owasp`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_config_name` - accepted value(s): `default`
Prisma Cloud (formerly Twistlock)
When `product_name` is set to `twistlock`:
- `scan_type` - accepted value(s): `container`
- `policy_type` - accepted value(s): `orchestratedScan`, `dataLoad`, `ingestionOnly`
- When `policy_type` is set to `orchestratedScan` or `dataLoad`:
  - `product_image_name`
  - `product_domain`
  - `product_access_id`
  - `product_access_token`
- `product_config_name` - accepted value(s): `default`
Prowler
When `product_name` is set to `prowler`:
- `scan_type` - accepted value(s): `configuration`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_config_name` - accepted value(s): `default`, `hipaa`, `gdpr`, `exclude_extras`
Qualys Web Application Scanning (WAS)
When `product_name` is set to `qualys`:
- `scan_type` - accepted value(s): `instance`
- `policy_type` - accepted value(s): `ingestionOnly`
- `product_config_name` - accepted value(s): `default`
Reapsaw
When `product_name` is set to `reapsaw`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `ingestionOnly`
- `product_config_name` - accepted value(s): `default`
ScoutSuite
When `product_name` is set to `scoutsuite` (AWS only):
- `scan_type` - accepted value(s): `configuration`
- `policy_type` - accepted value(s): `ingestionOnly`
- `product_config_name` - accepted value(s): `default`
ShiftLeft
When `product_name` is set to `shiftleft`:
- `scan_type` - accepted value(s): `repository`
- `policy_type` - accepted value(s): `orchestratedScan`, `dataLoad`, `ingestionOnly`
- When `policy_type` is set to `orchestratedScan` or `dataLoad`:
  - `product_access_id`
  - `product_access_token`
  - `product_app_name`
  - `product_target_language`
- `product_config_name` - accepted value(s): `default`
Sniper
When `product_name` is set to `sniper`:
- `scan_type` - accepted value(s): `instance`
- `policy_type` - accepted value(s): `orchestratedScan`, `ingestionOnly`
- `product_config_name` - accepted value(s):
  - `default` (Run a basic Sniper scan on a target)
  - `web` (Run the web-based scan)
  - `stealth` (Sniper stealth mode)
Snyk
When `product_name` is set to `snyk`:
- `scan_type` - accepted value(s): `container`, `repository`
- `policy_type` - accepted value for `container`: `ingestionOnly`; accepted values for `repository`: `orchestratedScan`, `ingestionOnly`
- `product_access_token`
- `product_config_name` = `default`
- `snyk_api` = URL to the Snyk instance, if you're using an on-prem installation.
SonarQube SonarScanner
Go to SonarQube SonarScanner Reference.
Tenable.io
When `product_name` is set to `tenableio`:
- `scan_type` - accepted value(s): `instance`
- `policy_type` - accepted value(s): `orchestratedScan`, `dataLoad`, `ingestionOnly`
- When `policy_type` is set to `orchestratedScan` or `dataLoad`:
  - `product_domain`
  - `product_access_id`
  - `product_access_token`
  - `product_policy_id`
  - `product_scanner_id`
  - `product_template_uuid`
- `product_config_name` - accepted value(s): `legacy-web-application-scan` (Use a legacy Nessus scan inside Tenable.io)
Veracode
Go to Veracode Scanner Reference.
JFrog Xray
When `product_name` is set to `xray`:
- `scan_type` - accepted value(s): `container`
- `policy_type` - accepted value(s): `ingestionOnly`
- `product_config_name` - accepted value(s): `default`