Set up target baselines in STO

It is good practice to specify a baseline for every target. The baseline represents the root variant, such as the main branch or the latest tag. In some cases, you might want to use the name of the latest official release as the baseline. Baselines make it easy to identify issues in the baseline vs. issues in a downstream variant derived from that baseline.

To view all targets in your account, and specify baselines for your targets, go to Security Tests (left menu) and then Test Targets.

Figure 1: Test Targets page

Specify STO target baselines using regular expressions

In some cases, you might want to specify the name of the latest release for your target baseline. Suppose your organization publishes releases with names such as:

  • 3, 3.17, 3.17.3, 3.18, ...

  • 1.14.6-linux-amd64, 1.14.11-linux-amd64, 1.15.4-linux-amd64, ...

  • 2023-02-29, 2023-03-05, 2023-03-12, 2023-03-19, ...

With this cadence, the default baseline updates whenever you create a new release branch and scan it. In this case, you can use a regular expression (regex) to capture the latest release name and use it for the baseline.

Advantages of using regular expressions to define baselines

Defining your baselines using regular expressions provides significant benefits over using hard-coded strings such as main or latest.

  • Dynamic baselines more accurately reflect the current "root" element in the context of a real-world software development life cycle. A typical sprint cycle might run like this:

    • Publish the current release — for example, 1.2.3 — and merge this branch into main.
    • Create a "next-release" branch — for example, 1.2.4 — from main.
    • Create branches from 1.2.4 for different features, hotfixes, and so on.
    • When the release is ready to publish, merge the various branches into 1.2.4.
    • Publish the release, merge 1.2.4 into main, create a new release branch such as 1.2.5, and repeat the cycle.

    Given this cadence, 1.2.4 more accurately reflects the baseline for the current sprint than main. Given a matching regex, the first scan after creating the branch establishes 1.2.4 as the current baseline. This remains the current baseline until 1.2.4 gets merged into main and 1.2.5 gets created and scanned.

  • Dynamic baselines make it easier to track the introduction and remediation of specific vulnerabilities. The lifecycle of a specific vulnerability might run like this:

    • A new release branch 1.2.3 is created. You scan this branch, which matches your regex, and it becomes the current baseline.

    • The scan detects a new vulnerability, vXYZ, with a severity of MEDIUM.

    • A few sprints later, the vulnerability is remediated in a branch that gets merged into 1.2.7.

    • 1.2.7 is scanned before getting merged into main, and vXYZ is no longer in the scan results.

      Figure 2: Tracking a vulnerability across baselines

Important notes for setting up target baselines in STO

  • You must use a consistent naming scheme for your scanned targets. This is necessary to ensure that your regular expression captures your baselines consistently and predictably.

  • Carefully consider which targets you want to use for your baselines. In general, the baseline should be the root element for all your current variants.

  • When you specify a regular expression, the baseline is the most recently scanned target that matches the expression.

  • Use re2 format for your expressions.

  • Defining regular expressions is outside the scope of this documentation. Harness recommends that you test any regular expressions thoroughly to ensure that the expression matches any variant name that might be used for the scan target.

Regex examples

The following table shows a few simple examples of expressions for specific use cases.

Multi-part expressions are shown one part per row, in order. Variant-name cells are filled only where the examples earlier on this page clearly correspond.

Variant names                                | Regular expression     | Description
---------------------------------------------|------------------------|------------------------------------------------------------------------------
                                             | release\-              | start with release, dash
                                             | \d+\.\d+\              | follow with one or more digits
                                             | code\-v                | start with code, dash, v
                                             | \d+\.\d+\              | follow with one or more digits, dot, one or more digits
1.14.6-linux-amd64, 1.14.11-linux-amd64, ... | \d+\.\d+\.\d+          | start with one or more digits, dot, one or more digits, dot, one or more digits
                                             | \-linux-amd64          | follow with hyphen, linux-amd64
3, 3.17, 3.17.3, 3.18, ...                   |                        | Any combination of digits and dots
2023-02-29, 2023-03-05, 2023-03-12, ...      | \d\d\d\d-\d\d\-\d\d    | four digits, dash, two digits, dash, two digits
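As an added example that is not part of the Harness documentation, the following Go program applies the baseline rule stated above: it compiles the expression with Go's regexp package (RE2 syntax, the format STO expects) and returns the most recently scanned variant that matches, run over a constructed scan history. ScanRecord, SampleScans and CurrentBaseline are names assumed for this example, not STO APIs.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// ScanRecord is a constructed stand-in for one scanned target variant
// (assumption: only the variant name and scan time matter for baseline choice).
type ScanRecord struct {
	Variant   string
	ScannedAt time.Time
}

// SampleScans is constructed scan history, not real STO data: the sprint
// cadence described on the page plus one platform-suffixed tag scanned last.
func SampleScans() []ScanRecord {
	t0 := time.Date(2023, 3, 1, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	return []ScanRecord{
		{"main", t0},
		{"1.2.4", t0.Add(1 * day)},
		{"feature/login-fix", t0.Add(2 * day)},
		{"1.2.5", t0.Add(3 * day)},
		{"1.14.6-linux-amd64", t0.Add(4 * day)},
	}
}

// CurrentBaseline returns the name of the most recently scanned variant whose
// name matches pattern. It returns "" when no variant matches, and an error
// when the pattern is not valid RE2 (Go's regexp package implements RE2).
func CurrentBaseline(pattern string, scans []ScanRecord) (string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return "", fmt.Errorf("not a valid RE2 expression: %w", err)
	}
	var best *ScanRecord
	for i := range scans {
		s := &scans[i]
		// Unanchored patterns match substrings, so test every variant name.
		if re.MatchString(s.Variant) && (best == nil || s.ScannedAt.After(best.ScannedAt)) {
			best = s
		}
	}
	if best == nil {
		return "", nil
	}
	return best.Variant, nil
}
```

With the constructed history, `\d+\.\d+\.\d+` selects 1.14.6-linux-amd64 because it matches the substring 1.14.6 inside the platform tag, whereas the anchored `^\d+\.\d+\.\d+$` selects 1.2.5. That difference is why the notes above call for a consistent naming scheme and for testing the expression against every variant name a scan target might use.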