Harness maintains its own set of scan images for STO-supported scanners. By default, a Harness pipeline build pulls scan images from Docker Hub.
This topic describes how to override the default behavior and use a private registry instead. You can download the scan images you need, perform your own security checks on the images, upload them to a private registry, and then set up your STO steps to download images from this registry.
Download the scan images you need, test and validate the images, and store them in your private registry.
Harness maintains a Container Image Registry that is dedicated exclusively to hosting Harness-supported images. You can download your scan images from this registry instead of Docker Hub. To view the list of images in this registry, enter the following command:
curl -X GET https://app.harness.io/registry/_catalog
You can also set up your CI pipelines to download build images from this registry instead of Docker Hub.
For each Security Scan step, add these settings:
runner_registry_domain — The URL of the Docker registry where the images are stored.
The supported format is
Do not include the scheme (such as
runner_registry_image_prefix : harness
runner_registry_username — As needed
runner_registry_token — As needed
If you need to use a proxy server, you must also specify the following:
http_proxy — The hostname and port to use for proxied HTTP requests
https_proxy — The hostname and port to use for proxied HTTPS requests
no_proxy — A comma-separated list of hosts to bypass the proxy
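The following is an added example, not part of the Harness documentation or tooling: a small pre-commit check that lints one Security Scan step's settings against the rules listed above. The function name, the sample registry and secret names, and the rule that the token must be a Harness secret expression rather than a literal are assumptions made for illustration.

```python
import re
# Hypothetical linter for the settings listed above. The rule set is an
# assumption drawn from this page; it is not a Harness tool.
SECRET_REF = re.compile(r"^<\+secrets\.getValue\(.+\)>$")
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")
PROXY_KEYS = ("http_proxy", "https_proxy", "no_proxy")

def lint_scan_step(settings):
    """Return a list of findings for one Security Scan step's settings."""
    findings = []
    domain = settings.get("runner_registry_domain", "")
    if not domain:
        findings.append("runner_registry_domain is missing; step uses the default registry")
    elif "://" in domain:
        findings.append("runner_registry_domain must not include a scheme")
    if settings.get("runner_registry_image_prefix") != "harness":
        findings.append("runner_registry_image_prefix should be 'harness'")
    user = settings.get("runner_registry_username")
    token = settings.get("runner_registry_token")
    if bool(user) != bool(token):
        findings.append("set runner_registry_username and runner_registry_token together")
    if token and not SECRET_REF.match(token):
        findings.append("runner_registry_token is a literal; reference a Harness secret")
    present = [k for k in PROXY_KEYS if settings.get(k)]
    if present and len(present) != len(PROXY_KEYS):
        missing = sorted(set(PROXY_KEYS) - set(present))
        findings.append("proxy settings incomplete, missing: " + ", ".join(missing))
    for key in ("http_proxy", "https_proxy"):
        value = settings.get(key)
        if value and not HOST_PORT.match(value):
            findings.append(key + " should be hostname:port")
    return findings

# Constructed sample settings (registry, user and secret names are made up).
GOOD = {
    "runner_registry_domain": "registry.example.internal",
    "runner_registry_image_prefix": "harness",
    "runner_registry_username": "sto-puller",
    "runner_registry_token": '<+secrets.getValue("registry_token")>',
}
BAD = {
    "runner_registry_domain": "https://registry.example.internal",
    "runner_registry_image_prefix": "harness",
    "runner_registry_token": "plaintext-token-value",
    "https_proxy": "proxy.example.internal",
}

if __name__ == "__main__":
    print(lint_scan_step(GOOD), lint_scan_step(BAD), sep="\n")
```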
The following pipeline downloads its Security Scan image (bandit) and all of its CI build images from the Harness Image Registry.
# Here the Harness delegate downloads from the
# Harness Image Registry rather than a private registry.
# Username and token are undefined.
name: STO Tutorial 1