
Target baselines in STO

Every scanned target should have a baseline, which represents the root variant such as the main branch of a Git repository or the latest tag of a container image. Baselines make it easy to identify issues in the baseline vs. issues in a downstream variant derived from that baseline.

Key concepts: target baselines
  • Every scanned target needs a baseline to enable the full suite of STO features.
  • You can specify a baseline using a fixed value or a regular expression (RegEx).
    • If you always want to compare against a specific variant — such as the main branch of your git repository — use a fixed value.
    • You might find that the variant you want to use as your baseline changes over time. Suppose your team creates a new X.Y.Z branch with each release. In this case you can use a RegEx baseline that updates automatically.
  • You can specify a default RegEx baseline for each target type. This RegEx will automatically be used as the baseline for any new targets.
  • Repositories and images have predefined defaults. For repositories, the default is the main or master branch. For images, the default is latest or the most recently scanned Semantic Versioned release.

To view and edit the current baseline for a target, go to Test Targets.
Every target needs a baseline

Every target needs a baseline to enable the full suite of STO features. Here's why:

  • For developers, it’s critical to distinguish between security issues in the baseline vs. issues in the variant you’re working on. You want to detect and resolve issues in your downstream branch (the variant) before merging, so you don’t introduce them into the main branch (the baseline).

  • When your target has a baseline defined, the Security Tests tab divides your issues into two lists:

    • Only in <target>:<variant>: issues detected in the scanned variant only.

    • Common to <target>:<baseline>: issues also detected in the target baseline.

  • While the Security Tests tab highlights downstream issues, the STO Overview and Security Testing Dashboard only show baseline issues. These views enable security personnel and other non-developers to monitor, investigate, and address issues in production-ready targets and view vulnerability trends over time.

  • In short, baselines make it easy for developers to drill down into “shift-left” issues in the variants they're currently working on, and security personnel to monitor the security posture of production targets.

Benefits of using regular expressions to define baselines
  • RegEx baselines more accurately reflect the current "root" element in the context of a real-world software development life cycle. A typical sprint cycle might run like this:

    • Publish the current release — for example, 1.2.3 — and merge this branch into main.
    • Create a "next-release" branch — for example, 1.2.4 — from main.
    • Create branches from 1.2.4 for different features, hotfixes, and so on.
    • When the release is ready to publish, merge the various branches into 1.2.4.
    • Publish the release, merge 1.2.4 into main, create a new release branch such as 1.2.5, and repeat the cycle.

    To support proper functioning of STO with this workflow, 1.2.4 more accurately reflects the baseline for the current sprint than main. Given a matching RegEx, the first scan after creating the branch establishes 1.2.4 as the current baseline. This remains the current baseline until 1.2.4 gets merged into main and 1.2.5 gets created and scanned.

  • RegEx baselines make it easier to track the introduction and remediation of specific vulnerabilities. The lifecycle of a specific vulnerability might run like this:

    • A new release branch 1.2.3 is created. You scan this branch, which matches your RegEx, and it becomes the current baseline.
    • The scan detects a new vulnerability, vXYZ, with a severity of MEDIUM.
    • A few sprints later, the vulnerability is remediated in a branch that gets merged into 1.2.7.
    • 1.2.7 is scanned before getting merged into main, and vXYZ is no longer in the scan results.

Target baselines

You can specify baselines for individual targets.

Fixed target baselines

You can specify a fixed value if you know that the baseline for a target will not change.

  1. Scan the target with the baseline variant if you haven't yet done so.

  2. Go to Test Targets.

  3. In Baseline for Comparison, set the value type to Fixed and select the baseline from the menu of scanned variants.

RegEx target baselines

You can specify a RegEx baseline if the baseline changes over time and you can capture it using a regular expression.

note

Harness recommends that you test your regular expression thoroughly before you apply it to a RegEx target. For more information, go to:

  1. Go to Test Targets.

  2. Set the value type for the target to RegEx and enter the regular expression.

Default RegEx baselines by target type

notes

You can specify default baselines for specific target types: code repositories, container images, web/API instances, and infrastructure configurations. STO includes a set of predefined defaults for repository and container image targets.

  • For repositories, the baseline is master or main.

  • For container images, the baseline is latest or the most recently scanned Semantic Version number if it can be detected, such as 1.2.3 or v1.15.4.

  • STO does not include predefined default RegEx baselines for application instances and configurations.

To specify default RegExes:

  1. Go to the Default settings page for the scope you want:

    • Account settings — all targets in the account
    • Organization settings — overrides account defaults
    • Project settings — overrides organization defaults
  2. Go to Default Settings > Security Testing Orchestration.

  3. Enter the regular expression you want in the Value field.

Regex baselines reference

Regex baselines: important notes

  • You must use a consistent naming scheme for your scanned variants. This is necessary to ensure that your regular expression captures your baselines consistently and predictably.

  • Carefully consider which targets you want to use for your baselines. In general, the baseline should be the root element for all your current variants.

  • When you specify a regular expression, the baseline is the most recently scanned target that matches the expression.

  • Use re2 format for your expressions.

  • Defining regular expressions is outside the scope of this documentation. Harness recommends that you test any regular expressions thoroughly to ensure that the expression matches any variant name that might be used for the scan target.

RegEx baseline examples

The following table shows a few simple examples of expressions for specific use cases.

Each entry lists the variant names, the regular expression that matches them, and a description.

Variant names: main, master
Regular expression: ^(main|master)$
Description:
  • If the scanned variant is main or master, set the baseline.
  • Useful as the default baseline for code repositories.

Variant names: latest, 1.2.3, v2.3.4
Regular expression: ^(v?\d+\.\d+\.\d+([+-][a-zA-Z0-9.+-]+)?|latest)$
Description:
  • If the scanned variant is either latest or a Semantic Version release number, set the baseline.
  • Useful as the default baseline for container images.

Variant names: release-20230420, release-20230427, release-20230504, release-20230511
Regular expression: ^(release-\d+)$
Description:
  • Start with release, dash.
  • Follow with one or more digits.

Variant names: code-v1.1, code-v1.2, code-v1.3, code-v2.1, code-v2.2, code-v20.31
Regular expression: ^(code-v\d+\.\d+)$
Description:
  • Start with code, dash, v.
  • Follow with one or more digits, dot, one or more digits.

Variant names: 1.14.6-linux-amd64, 1.14.11-linux-amd64, 1.15.4-linux-amd64
Regular expression: ^(\d+\.\d+\.\d+-linux-amd64)$
Description:
  • Start with one or more digits, dot, one or more digits, dot, one or more digits.
  • Follow with hyphen, linux-amd64.

Variant names: 3, 3.17, 3.17.3, 3.18, 3.18.12, 30.142.1, 30
Regular expression: ^([\d.]+)$
Description:
  • Any combination of digits and dots.

Variant names: 2023-02-11, 17:59:12; 2023-02-17, 11:17:23; 2023-02-23, 08:36:47
Regular expression: ^(\d{4}-\d{2}-\d{2},\s\d{2}:\d{2}:\d{2})$
Description:
  • Date followed by a comma, whitespace, and a time.

Variant names: 2023-02-11, 2023-02-17, 2023-02-23
Regular expression: ^(\d{4}-\d{2}-\d{2})$
Description:
  • Simple date format.
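The selection rule from the notes above (the baseline is the most recently scanned variant that matches an RE2 expression) and the release-branch workflow described earlier on this page, worked through as an added Go example; this is not Harness's code, and the Scan type, SelectBaseline, the scan times and the feat/login-fix branch name are assumed for illustration. Go's regexp package uses RE2 syntax, so it is also a convenient way to test a pattern against every variant name a target might use before applying it.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Scan is one scanned variant of a target and the time it was scanned (assumed type).
type Scan struct {
	Variant   string
	ScannedAt time.Time
}

// SelectBaseline returns the most recently scanned variant whose name matches
// pattern (RE2 syntax, as Go's regexp implements). It returns "" with a nil
// error when no scanned variant matches, and an error for an invalid pattern.
func SelectBaseline(pattern string, scans []Scan) (string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return "", err
	}
	var best *Scan
	for i := range scans {
		s := &scans[i]
		if re.MatchString(s.Variant) && (best == nil || s.ScannedAt.After(best.ScannedAt)) {
			best = s
		}
	}
	if best == nil {
		return "", nil
	}
	return best.Variant, nil
}

// SemVerOrLatest is the container-image default from the examples table above.
const SemVerOrLatest = `^(v?\d+\.\d+\.\d+([+-][a-zA-Z0-9.+-]+)?|latest)$`

func main() {
	// Constructed scan history: main, then release branch 1.2.4, then a feature branch.
	t0 := time.Date(2023, 4, 20, 9, 0, 0, 0, time.UTC)
	scans := []Scan{{"main", t0}, {"1.2.4", t0.Add(time.Hour)}, {"feat/login-fix", t0.Add(2 * time.Hour)}}
	pattern := `^(\d+\.\d+\.\d+)$`
	b, _ := SelectBaseline(pattern, scans)
	fmt.Println("baseline:", b) // 1.2.4: the feature branch was scanned later but does not match
	scans = append(scans, Scan{"1.2.5", t0.Add(3 * time.Hour)})
	b, _ = SelectBaseline(pattern, scans)
	fmt.Println("baseline:", b) // 1.2.5 as soon as the new release branch is scanned
}
```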