Skip to main content

CISA KEV

Last updated on

Harness STO helps you prioritize security issues based on real-world exploitation risk. For issues with a Common Vulnerabilities and Exposures (CVE) identifier, STO shows whether the CVE appears in the CISA Known Exploited Vulnerabilities (KEV) catalog. Use this signal on the Issues page and Vulnerabilities tab to focus remediation on CVEs CISA has confirmed are actively exploited.

CISA KEV requirements
  • Feature flag: This feature is behind STO_ISSUE_KEV. Contact Harness Support to enable it.
  • CVE requirement: CISA KEV applies only to issues with a CVE ID.
  • Catalog updates: CISA updates the catalog several times per week. STO refreshes each CVE's KEV status from the latest catalog snapshot.

What is CISA KEV?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) publishes a catalog of vulnerabilities with evidence of active exploitation. When a CVE appears in KEV, CISA has confirmed active exploitation in the wild.


What STO shows

STO exposes a single Yes or No signal for each CVE-associated finding:

  • Yes: The CVE appears in the CISA KEV catalog. CISA confirms active exploitation.
  • No: CISA has not listed this CVE as actively exploited. The finding may still be Critical or have a public exploit.

View and filter CISA KEV in STO

STO displays CISA KEV on the Issues page and the Vulnerabilities tab. You can inspect the signal on an individual issue or filter the full list.

  1. Go to the Issues page at the project level, or open the Vulnerabilities tab for a pipeline execution.
  2. Select an issue from the list. In the Issue Details side pane, locate the CISA KEV field. It shows Yes or No.