Run an Orchestration scan in an STO Pipeline

In an orchestration scan, a single pipeline step runs the scanner against a target, normalizes the scanner's output, and ingests the results into STO. Because there is no separate ingestion step or results file to manage, orchestration scans are the easiest scan type to set up and a good way to get started with STO.

To set up an orchestration scan, you specify information such as:

  • The scan tool and settings.
  • Credentials for accessing the object to scan (if it is remote), supplied from a secret manager rather than as plain text in the pipeline.
  • Information about the object to scan. This information depends on the object type:
    • Container image — image type, domain, owner, project, and tag
    • Code repo — project and branch
    • Instance (website) — identifier, environment, domain, path, protocol, port
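The following pipeline YAML is an added example and not part of the Harness documentation or of any Harness sample. It shows one CI stage with two orchestration scans using STO's generic `Security` step: an Aqua Trivy scan of a container image and a Bandit scan of the cloned code repository. The `settings` keys (`policy_type`, `scan_type`, `product_name`, `container_*`, `repository_*`, `fail_on_severity`) are written as the author recalls them from the Harness STO step reference; the project, org, connector, image and secret names are placeholders that you would replace with your own, and the exact keys should be checked against the step reference for your Harness version.

```yaml
# Added example (not Harness's own sample): two orchestration scans in one CI stage.
# Project, org, connectors, image names and secret names are placeholders.
pipeline:
  name: sto-orchestration-example
  identifier: sto_orchestration_example
  projectIdentifier: my_project          # assumed project identifier
  orgIdentifier: default                 # assumed org identifier
  stages:
    - stage:
        name: scan
        identifier: scan
        type: CI
        spec:
          cloneCodebase: true            # needed so the Bandit step has a repo to scan
          sharedPaths:
            - /var/run                   # share the Docker socket with the scan steps
          infrastructure:
            type: KubernetesDirect
            spec:
              connectorRef: k8s_connector        # assumed Kubernetes connector
              namespace: harness-builds
          execution:
            steps:
              # Docker-in-Docker background service: container-image orchestration
              # scans pull the image through this daemon.
              - step:
                  type: Background
                  name: dind
                  identifier: dind
                  spec:
                    connectorRef: dockerhub          # assumed Docker registry connector
                    image: docker:dind
                    shell: Sh
                    privileged: true

              # 1. Orchestration scan of a container image with Aqua Trivy.
              - step:
                  type: Security
                  name: trivy_image_scan
                  identifier: trivy_image_scan
                  spec:
                    privileged: true                 # required for the DinD-based image pull
                    settings:
                      policy_type: orchestratedScan  # scan and ingest in one step
                      scan_type: container
                      product_name: aqua-trivy
                      product_config_name: aqua-trivy
                      container_type: docker_v2      # image type
                      container_domain: docker.io    # registry domain
                      container_project: library/nginx   # owner/project of the image
                      container_tag: "1.25"          # tag (quoted so YAML keeps it a string)
                      # Registry credentials are read from the Harness secret manager;
                      # the secret names are placeholders.
                      container_access_id: <+secrets.getValue("registry_user")>
                      container_access_token: <+secrets.getValue("registry_token")>
                      fail_on_severity: high         # fail the step on High or Critical findings

              # 2. Orchestration scan of the cloned repository with Bandit.
              - step:
                  type: Security
                  name: bandit_repo_scan
                  identifier: bandit_repo_scan
                  spec:
                    privileged: true
                    settings:
                      policy_type: orchestratedScan
                      scan_type: repository
                      product_name: bandit
                      product_config_name: default
                      repository_project: my-python-service   # project name shown in STO
                      repository_branch: <+codebase.branch>   # branch from the cloned codebase
                      fail_on_severity: medium
```

Two points a practitioner should check before reusing this: the scan steps run as privileged containers, so keep the build namespace and the connectors it uses scoped to what the scan needs, and pass registry credentials only through `<+secrets.getValue(...)>` references so they never appear in pipeline YAML or logs. `fail_on_severity` is what turns the scan into a gate; without it the step ingests findings but the pipeline continues regardless of what was found.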

STO supports orchestration scans for popular open-source scanners such as Aqua-Trivy and Bandit as well as commercial scanners such as SonarQube. For a complete list of supported scanners, go to Harness STO scanner support.

Example workflows

Here are some example workflows that illustrate how to set up an orchestration scan:

See also