In some cases, a scanner might require additional files such as SSL certificates and license files. The following steps describe the high-level workflow.
1) For each artifact that contains sensitive information, such as an SSL certificate, create a Harness secret.
2) Go to the pipeline where you want to add the artifact.
3) In the stage that will use the artifact, go to Overview > Shared Paths and create a folder under /shared such as shared/customer-artifacts.
To add a PEM file or other SSL certificate, the shared folder should be shared/customer-artifacts/certificates. You can include any number of certificates in this folder.
4) Add a Run step to the stage that adds the artifacts to the shared folder. This step needs to run before the scanner step that uses the artifact.
If the scanner uses an SSL certificate such as a PEM file, save each certificate to shared/customer-artifacts/certificates/.
The following example workflow uses a PEM file stored as a Harness file secret. You can also use third-party managers such as HashiCorp Vault, Azure Key Vault, and AWS Secrets Manager. See Harness Secrets Manager Overview.
If the scanner requires a license file, save the file to shared/customer-artifacts/license/.
If the pipeline runs a ZAP scan that uses additional files such as auth scripts, context files, or URL files, specify the following shared folders.
This example shows how to include a PEM file in a pipeline that runs a SonarQube scan. This workflow assumes that you have a valid SonarQube PEM stored as a Harness File Secret.
In your Harness pipeline, go to the Overview tab of the Security stage. Under Shared Paths, enter the following shared path:
This is the default certificate location for Harness pipelines. You can copy any number of certificates to this folder.
Add a Run step that copies your PEM file to the certificates folder. Here's some example code that does this:
printf "%s" "$NEWCERT" > /shared/customer_artifacts/certificates/certificate
Set up the remaining downstream steps in your pipeline. When the pipeline runs a SonarQube scan that requires a PEM, it looks in /shared/customer_artifacts/certificates and proceeds if it finds a valid certificate.
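The Run step above writes the secret to disk without checking what it received. This added example (not from the Harness documentation) wraps the same printf in a small POSIX shell function that stages the certificate with owner-only permissions and rejects content that is not PEM certificate material, so a bad secret fails in the Run step rather than in the scanner. NEWCERT, the destination folder and the file name follow the page; stage_cert is a hypothetical helper.

```shell
#!/bin/sh
# Added example, not part of the Harness docs. Assumes the Run step exposes the
# Harness file secret as $NEWCERT, as the page's printf line does.
set -eu

# stage_cert VALUE DEST_DIR NAME
# Writes VALUE to DEST_DIR/NAME with owner-only permissions and verifies that
# the file holds PEM certificate blocks. Prints the number of certificate
# blocks found; returns non-zero (and removes the file) if the content is not
# a well-formed certificate or carries private key material.
stage_cert() {
    value=$1
    dest_dir=$2
    name=$3
    target="$dest_dir/$name"

    mkdir -p "$dest_dir"
    # Restrictive umask so the secret is never group/world-readable on the
    # shared volume; the trailing newline keeps PEM parsers happy.
    old_umask=$(umask)
    umask 077
    printf "%s\n" "$value" > "$target"
    umask "$old_umask"

    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$target" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$target" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        rm -f "$target"
        echo "stage_cert: $target is not a well-formed PEM certificate" >&2
        return 1
    fi
    # A trust certificate must never carry a private key; refuse to stage it.
    if grep -q -- 'PRIVATE KEY-----' "$target"; then
        rm -f "$target"
        echo "stage_cert: refusing to stage private key material as a certificate" >&2
        return 1
    fi
    echo "$begins"
}

# Usage inside the Run step (constructed; NEWCERT holds the secret's value):
# count=$(stage_cert "$NEWCERT" /shared/customer_artifacts/certificates certificate1)
```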
YAML pipeline example
The following illustrates an end-to-end pipeline that copies a PEM certificate to the default location, builds an image, and then scans the image using SonarQube (authorized using the certificate).
name: sq mvn with pem files
- identifier: dind
name: export path
- name: harness_path
mkdir -p -v /shared/customer_artifacts/certificates
printf "%s" "$NEWCERT" > /shared/customer_artifacts/certificates/certificate1
mvn clean package
- name: runner_tag