
Fix security issues using Harness AI

Harness leverages state-of-the-art AI to streamline the triaging and resolution of security vulnerabilities. For each security issue found, Harness AI explains the issue and offers detailed remediation advice beyond what the scanner provides, including specific code changes and package upgrades. You can regenerate advice with additional context to optimize the suggestions. Harness AI helps you reduce developer toil, manage security backlogs, address critical issues, and even generate code suggestions or pull requests directly from STO. This accelerates time to resolution (TTR), enhances software delivery, and improves overall application security posture.

Once you complete a security scan using the scanners in STO, you can access all the scan results. For each identified security issue, Harness AI analyzes the details and provides specific remediation guidance. The key capabilities are described in the sections below.

Important notes for Harness AI remediations in STO

Before you can use Harness AI in STO, you must do the following:

  1. Read the AIDA Data Privacy Overview.
  2. Sign an End-User License Agreement with Harness.
  3. Enable AIDA in your Harness account. Go to Account Settings, select Default Settings, select the Harness AIDA tile, and then enable the Harness AI Development Assistant (AIDA) setting. Select Allow Overrides if you want to be able to enable/disable AIDA for individual projects.

Caution:
  • AI will always provide an answer. However, if there is no known remediation within the model’s training, the answer might be invalid. For this reason, an AI suggestion might require further research to confirm its validity.

  • Before you implement an AI-generated suggestion, consider carefully the reliability and extent of the publicly known information about the detected issue. The accuracy, reliability, and completeness of a suggestion depend on the public knowledge about that issue. An AI-generated suggestion is not guaranteed to remediate the issue and could introduce other issues.

  • You should also consider the suggestion's applicability to your specific target and use case. An issue might have no known remediation, especially if it was recently discovered. An issue might have multiple suggested remediations that are contradictory or applicable only to specific use cases.

  • A specific remediation might involve installing components with usage and license requirements. Check any requirements in advance.

View AI remediations for security issues

Harness AI analyzes security issues and provides AI remediation within the security details for each specific issue. This includes an analysis of the issue, remediation concepts, and step-by-step instructions to fix them, along with example code snippets. Additionally, AI remediation details can be found for each occurrence of an issue. You also have the option to make a Code Suggestion or create a Pull Request to apply the suggested remediation.

Moreover, you can enhance the AI remediation by editing its content to better suit your needs.

Make Code Suggestion from STO

In the AI Remediation details of a selected issue, STO provides the option to make a code suggestion that applies the recommended fix. To use this feature, select Suggest Fix. Once the code suggestion has been created, you can view it by selecting View Fix. Make sure to read the configuration details to understand the requirements and what is supported for this feature.

The Suggest Fix option is available only when the file in which the issue was found is one of the files modified in the pull request. This allows the suggested changes to be committed directly to the existing PR, without the need for a separate PR.

Create Pull Request from STO

In the AI Remediation details of a selected issue, STO provides the option to create a Pull Request that applies the recommended fixes. To use this feature, select Create Pull Request; STO then creates a Pull Request containing the recommended fixes. You can view the PR by selecting View Fix. Make sure to read the configuration details to understand the requirements and what is supported for this feature.

The Create Pull Request option is available for both branch scanning and PR scanning. However, in the case of PR scanning, this option will only appear if the remediation suggestions apply to code files that were not modified in the PR. These suggestions may address new or existing vulnerabilities identified in the base branch.

Configuration for Code Suggestions and Create Pull Request features

These features are currently supported only for Harness Code Repository and GitHub.

  • Harness Code Repository: No configuration is needed; these features are enabled by default.
  • GitHub: To enable these features, you’ll need to configure your GitHub connector. Follow the steps below to set it up.

Also, these features are currently supported only for scan results from Secret Detection and SAST scanners, including both the built-in open-source scanners and commercial scanners.

To enable code suggestions and create pull requests in GitHub from STO, you need to configure the GitHub connector within STO’s Default Settings. Go to Account Settings, select Default Settings, and then choose the Security Testing Orchestration tile. Locate the GitHub Connector for Pull Requests field and set up your GitHub connector. Ensure your GitHub token includes the following permissions:

  • repo - Full control of private repositories
  • write:org - Read and write org and team membership, read and write org projects
  • write:discussion - Read and write team discussions
  • project - Full control of projects

You can also configure these settings at the organization or project level, based on your requirements.
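Before saving the connector, it is worth confirming that the token actually carries the scopes listed above. The following script is an added example, not Harness or GitHub code: it compares the scopes GitHub reports for a classic personal access token against the required list and names any that are missing. It assumes a classic PAT, because GitHub returns the scopes granted to such a token in the X-OAuth-Scopes header of any authenticated REST API response; fine-grained tokens do not expose scopes this way. The GITHUB_TOKEN environment variable name, the /user endpoint, and the rule that admin:org includes write:org (from GitHub's scope documentation) are assumptions, not part of this page. Without a token set, the script runs offline against a constructed sample header.

```python
"""Check that a GitHub classic personal access token carries the OAuth
scopes the Harness STO GitHub connector needs for Code Suggestions and
Create Pull Request (repo, write:org, write:discussion, project).

Added example; not Harness or GitHub code. Assumes a classic PAT:
GitHub returns the scopes granted to such a token in the
X-OAuth-Scopes header of any authenticated REST API response.
Fine-grained tokens do not carry that header and cannot be checked
this way.
"""
import os
import urllib.request
from typing import Iterable, Optional

# Scope list from the STO docs; order is preserved in the report.
REQUIRED_SCOPES = ("repo", "write:org", "write:discussion", "project")

# Broader classic scopes that GitHub documents as including a required one
# (assumption taken from GitHub's scope documentation, not from the STO docs).
IMPLIED_BY = {"write:org": {"admin:org"}}


def parse_scopes(header_value: Optional[str]) -> set[str]:
    """Turn an X-OAuth-Scopes value such as 'repo, write:org' into a set.
    A missing or empty header (e.g. a fine-grained token) yields an empty set."""
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def missing_scopes(granted: Iterable[str],
                   required: Iterable[str] = REQUIRED_SCOPES) -> list[str]:
    """Return the required scopes the token does not satisfy, either
    directly or through a documented broader scope."""
    have = set(granted)
    missing = []
    for scope in required:
        broader = IMPLIED_BY.get(scope, set())
        if scope not in have and not (broader & have):
            missing.append(scope)
    return missing


def fetch_granted_scopes(token: str) -> set[str]:
    """Ask GitHub which scopes are attached to `token` (network call).
    Any authenticated endpoint works; /user is the cheapest."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "sto-scope-check",  # GitHub requires a User-Agent
        },
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes"))


def report(granted: set[str]) -> str:
    """Human-readable verdict on whether the token suits the STO connector."""
    missing = missing_scopes(granted)
    if not missing:
        return "OK: token has all scopes required by the STO GitHub connector"
    granted_text = ", ".join(sorted(granted)) or "none"
    return ("Missing scopes for the STO GitHub connector: "
            + ", ".join(missing) + f" (granted: {granted_text})")


if __name__ == "__main__":
    # With GITHUB_TOKEN set, check a real token; otherwise use a constructed
    # sample header so the script runs offline.
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        scopes = fetch_granted_scopes(token)
    else:
        scopes = parse_scopes("repo, write:org, read:user")  # constructed sample
    print(report(scopes))
```

The check is deliberately conservative: apart from the single documented admin:org case, a required scope is counted only when it appears under its exact name, so a token that passes here will satisfy the connector without relying on scope inheritance assumptions.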

Tip:

These features will only appear if the scanner provides the exact vulnerable code snippet. If the code snippet is not provided, you can still use the feature by manually adding context on the vulnerable code. For details on how to do this, refer to Edit to enhance AI remediations.

Edit to enhance the AI remediations

This procedure describes how to refine a suggestion by providing more information, such as additional context or code snippets, to Harness AI.

  1. When you go to Security Tests and then select an issue, an initial AI Remediation appears in Issue Details.

    This suggested remediation is based on public information about the CVE or CWE and the first detected occurrence (Occurrence 1) in the target. If the scanner captures the code snippet where the vulnerability is occurring, the query to Harness AI includes this snippet as well.

    You can send feedback to Harness about a specific remediation. Under Helpful?, select No. Then enter your feedback and choose Submit.

  2. If you want to optimize the advice with additional information or context, do the following:

    1. Select Edit Input.

    2. Specify the occurrence, reference ID, and language (if you've scanned a codebase).

    Harness AI can often auto-detect the language of a code snippet, but it's good practice to confirm that the language setting is correct.

    Some scanners provide details on the location of the vulnerable code, such as the file name and line number, but may not offer the specific code snippet itself. With the Edit Input option, you can copy and paste the exact vulnerable code snippet. Harness AI will then use this information to recommend code changes, which can be used to create a pull request or make a code suggestion.

    3. Add any additional context in the text pane. For example, you might want to include relevant code immediately before the snippet where the vulnerability was identified, in addition to the snippet itself. Then select Generate.

  3. To generate remediations for another occurrence, do the following:

    1. In Issue Details, scroll down to the occurrence of interest and then select Unsure how to remediate? Ask AI. (You might need to wait a few seconds for the remediation to appear.)

    2. To further refine the suggested remediation with an additional code snippet, select Edit Snippet and then re-generate.