Update your STO images
This topic describes how Harness updates and maintains supported STO images and how to update these images yourself if you use a private registry.
- Harness updates STO images every two weeks.
- If you store your Harness images in a private registry, Harness strongly recommends that you update your images each month to ensure that you're using the latest supported scanner images in your pipelines.
- Harness does not support STO images that are more than 90 days old.
- Harness images are available on Docker Hub and Google Container Registry. However, Harness is deprecating the
app.harness
Docker registry and recommends that you download images from the Harness project on GCR instead.
Harness STO images list
When a Harness pipeline runs, each stage begins with an initialize step. During initialization, the pipeline prepares the build infrastructure and pulls the images required to run the steps.
Here are are a few examples of Harness STO images in the Harness GCR project.
sto-plugin
: Launch and orchestrate scans and ingest, normalize, and deduplicate the results.anchore-job-runner
: Run Anchore Enterprise orchestration scans.gitleaks-job-runner
: Run Gitleaks orchestration scans.owasp-dependency-check-job-runner
: Run OWASP Dependency-Check orchestration scans.
I don't want to pull images from a public registry
If you don't want to pull images directly from the public Harness registry, you can pull images from your own private registry. For more information, go to Configure your pipeline to use STO images from private registry.
When should I update my STO images?
Your organization has a one-month window to run security scans or other tests on new STO images before you deploy them.
Harness has the following process for updating STO images such as sto-plugin
and veracode-agent-job-runner
:
- Harness publishes updates for STO images every two weeks.
- Version numbers use an
x.y.z
format with the major, minor, and hotfix or patch release number. - You can choose to deploy the latest containers immediately upon release, or you can download and scan them before deployment.
For more information
Harness STO uses many of the same policies and procedures for maintaining images as Harness CI. For more information, go to Harness CI images.