Skip to main content

Create custom scanner images

Harness maintains a set of public scanner images for popular tools such as Semgrep, OWASP, SonarQube, Snyk, and Veracode. Harness seeks to keep these images as small and as lightweight as possible, and to minimize the number of vulnerabilities in each image. This means that you might want to extend an image with additional layers to scan a specific type of target. You can easily add packages such as Node, Ruby, and Maven to a scanner image and then run the custom container in STO.

Important notes

  • This topic assumes that you are familiar with containerization, Dockerfiles, and best practices for building container images.

  • Harness supports the CI and STO images in the Harness project on GCR. You can extend these images to support your own uses cases, but custom images are not supported by Harness.

  • Harness recommends that you add only the packages and files required for your specific use case, and that you thoroughly test and scan your custom images for vulnerabilities and other issues before you deploy them in your production environment.

  • Harness updates its public CI and STO images every two weeks. It is good practice to rebuild your custom images every month to use the most recent base images.

Workflow description

The following steps describe the general workflow.

  1. Create a Dockerfile that specifies the base Harness image and the packages and files that you want to.

  2. Build your custom image and push it to your image registry.

  3. In your pipeline, add a Run step that uses your customized image to scan the target and save the results in a shared folder.

  4. Add a Security or Security Test step to ingest the results.

Hands-on example: add Yarn and PNPM to an OWASP image

Suppose you're a security engineer and you want to start using STO and OWASP Dependency Check to scan and validate the code repositories maintained by your organization. One development team uses Yarn and another team uses PNPM. Your initial scans are failing because the base image doesn't include these packages.

The following steps illustrate how to create an OWASP image that you can use to scan repositories that use Yarn AND repositories that use PNPM. (OWASP assumes that a scanned repo uses one package manager only. A scan will fail if the repo includes files associated with different managers.)

Extend the base image with Yarn and PNPM

The first step is to create a Dockerfile that adds these packages to the OWASP base image.

Dockerfile example
# STEP 1 
# Specify the base STO scanner image
# For a list of all images in the Harness Container Registry, run the following:
# curl -X GET

FROM harness/owasp-dependency-check-job-runner:latest as scanner

RUN apt-get update && apt-get install -y \
ca-certificates \

# STEP 2
# Add the packages and files you need to the image

# Install sudo
RUN apt install sudo

# Install npm
RUN apt update
RUN printf 'y\n1\n\1n' | apt install nodejs
RUN apt install -y npm

# Make sure Node is up-to-date
RUN sudo npm cache clean -f
RUN sudo npm install -y -g n
RUN sudo n stable

# Install yarn
RUN curl -o- -L | bash
RUN sudo apt install yarn -y
ENV PATH="/root/.yarn/bin:$PATH"

# Install pnpm
RUN wget -qO- | ENV="$HOME/.bashrc" SHELL="$(which bash)" bash -
RUN npm install -g pnpm
ENV PATH="~/.local/share/pnpm:$PATH"

Build and push the customized image

Once you're satisfied with the customized image, you can push it to your image registry.

Custom image in private registry

Add a shared folder to the pipeline stage

Now you're ready to set up your pipeline. First, you add a shared path to the stage for the scan results. This is a standard good practice for ingestion workflows.

  1. In your Harness pipeline, go to the stage where you want to run the scan.

  2. Select Overview and then add a shared path such as /shared/scan_results.

Add a Run step to scan the target with the custom image

Now add a Run step that pulls your custom image, runs the dependency-check binary on the specified target, and saves the scan results to the shared folder you created.

Add a Run step and configure it as follows:

  1. Optional Configuration > Container Registry: A connector to the registry where you stored your custom OWASP image.

  2. Optional Configuration > Image: Your custom image name and tag, such as myimageregistry/owaspcustom:latest

  3. Command: The dependency-check CLI command and arguments, as well as any other commands you want to run.

    The following dependency-check arguments are required in this case:

    • --scan /harness
    • --format JSON
    • --out <scan_results_output_path_and_filename>
    • --yarn <path_to_yarn>
    • --pnpm <path_to_pnpm>

    Here's an example:

    command: |-
    yarn --version
    pnpm --version
    /app/dependency-check/bin/ \
    --yarn /root/.yarn/bin/yarn \
    --pnpm /usr/local/bin/pnpm \
    --scan /harness \
    --format JSON \
    --out /shared/scan_results/owasp.json

Add an OWASP ingest step

Finally, add an OWASP step to ingest the scan results from the shared folder.

Set the Scan Mode to Ingestion and specify the Ingestion File in your shared folder.

Example pipeline

This example pipeline has three steps.

  • owasp_scan_oob and owasp_scan_with_binaries run in parallel:

    • owasp_scan_oob uses the OWASP Dependency-Check step out-of-the box in orchestration mode. The step fails when trying to scan a repository with Yarn or PNPM because it doesn't have the required binaries. This step has a failure strategy to ignore all errors so it doesn't stop the pipeline.

    • owasp_scan_with_binaries uses the custom OWASP image that includes the binaries required to scan Yarn and PNPM repositories.

  • owasp_ingest_results uses the OWASP Dependency-Check step to ingest the scan results that owasp_scan_with_binaries published to the shared folder.

If you copy this example, replace the placeholder values with appropriate values for your code repo connector, image registry connector, and other applicable values. Depending on your project and organization, you might also need to replace projectIdentifier and orgIdentifier.

Example pipeline YAML
projectIdentifier: default
orgIdentifier: default
identifier: owaspyarnpnpmtestFINAL
name: owasp-yarn-pnpm-test-FINAL
tags: {}
- stage:
name: owasp-scan
identifier: owaspscan
description: ""
type: SecurityTests
cloneCodebase: true
enabled: true
paths: []
os: Linux
arch: Amd64
type: Cloud
spec: {}
- parallel:
- step:
type: Owasp
name: owasp_scan_oob
identifier: Owasp_1
mode: orchestration
config: default
type: repository
detection: auto
level: info
cli: "--yarn /yarndir/yarn-v1.22.19/bin/yarn --log /yarndir/log.log"
- onFailure:
- AllErrors
type: Ignore
- step:
type: Run
name: owasp-scan-with-binaries
identifier: Run_1
shell: Sh
command: |-
yarn --version
pnpm --version
/app/dependency-check/bin/ \
--yarn /root/.yarn/bin/yarn \
--pnpm /usr/local/bin/pnpm \
--scan /harness \
--prettyPrint \
--format JSON \
--out /shared/scan_results/output.json
# --project owasp_scan_with_yarn_and_pnpm
# --disableNodeAudit \
# --enableExperimental \
# --noupdate\
# echo "SCAN RESULTS FILE ============================"
# cat /shared/scan_results/output.json
imagePullPolicy: Always
- step:
type: Owasp
name: owasp_ingest_results
identifier: owasp_ingest_results
mode: ingestion
config: default
type: repository
detection: auto
level: info
file: /shared/scan_results/output.json
- /shared/scan_results
- /yarndir
enabled: false
- onFailure:
- AllErrors
type: Ignore
repoName: <+input>
build: <+input>