Skip to main content

What's supported in Harness STO

This topic lists the supported STO features and integrations to scan your code repositories, container images, and other targets for security vulnerabilities. Harness STO is supported on the following platforms:

Harness SaaS

Scanner categories

The following list shows the scan types that STO supports:

  • SAST (Static Application Security Testing) scans a code repository and identifies known vulnerabilities in open-source and proprietary code.
  • SCA (Software Composition Analysis) scans a code repository and identifies known vulnerabilities in open-source libraries and packages used by the code.
  • Secret Scanning scans a code repository and identifies all secrets such as access keys and passwords.
  • DAST (Dynamic Application Security Testing) scans a running application for vulnerabilties by simulating a malicious external actor exploiting known vulnerabilties.
  • Container Scanning identifies vulnerabilities in container images.
  • IaC identifies vulnerabilities in Infrastructure as Code scripts that automatically provision and configure infrastructures.
Harness STO scanner support

The following sections describe the scanners supported by Harness STO, based on the target type:

Code repo scanners

A code scanner can detect one or more of the following issue types in your source code. For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.

  • SAST (Static Application Security Testing): Known vulnerabilities in open-source and proprietary code.
  • SCA (Software Composition Analysis): Known vulnerabilities in open-source libraries and packages used by the code.
  • Secrets: Hard-coded secrets such as access keys and passwords.
  • IaC: Known vulnerabilities in Infrastructure-as-Code files such as Terraform configurations.
  • Misconfigurations: Known vulnerabilities in software configurations.
Open SourceCommercial

Artifact scanners

An artifact scanner can detect one or more of the following issue types in your container images and other artifacts. For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.

  • SCA (Software Composition Analysis): Known vulnerabilities in open-source libraries and packages used by the code.
  • Container Scanning: Identify vulnerabilities in container images.
Open SourceCommercial

Instance scanners

An instance scanner scans a running application for vulnerabilities by simulating a malicious external actor exploiting known vulnerabilities. This is also known as a DAST (Dynamic Application Security Testing) scan.

For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.

Open SourceCommercial

Configuration scanners

The following scanners detect misconfigurations in your cloud environment that can result in vulnerabilities. For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.

Open SourceCommercial

Other scanners

If you use a scanner that isn't listed above, you can still ingest your scan results into STO.

Supported ingestion formats

Harness STO can automatically ingest, aggregate, normalize, and deduplicate data from the following scanners and formats.

info

Static Analysis Results Interchange Format (SARIF) is an open JSON format supported by many scan tools, especially tools available as GitHub Actions. Harness STO can ingest SARIF 2.1.0 data from any tool that supports this format.

Harness recommends that you publish and ingest using the scanner-specific JSON format when available, because it tends to include more useful information.

  • Anchore Enterprise — JSON
  • Aqua Security — JSON
  • Aqua Trivy — JSON (recommended), SARIF
  • AWS ECR — JSON
  • AWS Security Hub — JSON
  • Bandit — JSON (recommended), SARIF
  • Black Duck Hub — JSON
  • Brakeman — JSON
  • Burp — XML
  • Traceable — JSON
  • Checkmarx — XML, SARIF
  • CodeQL — SARIF
  • Coverity — XML
  • Data Theorem — JSON
  • Docker Content Trust — JSON
  • Fortify — JSON
  • Fortify on Demand — JSON
  • Fossa — JSON
  • Gitleaks — JSON (recommended), SARIF
  • HQL AppScan — XML
  • Grype — JSON
  • Mend (formerly Whitesource) — JSON
  • Nessus — XML
  • Nexus — JSON
  • Nikto — XML
  • Nmap — XML
  • OpenVAS — JSON
  • OWASP Dependency Check — JSON
  • Prisma Cloud — JSON
  • Prowler — JSON
  • Qualys — XML
  • Qwiet — JSON
  • Reapsaw — JSON
  • Semgrep — SARIF
  • Snyk — JSON (recommended), SARIF
  • SonarQube — JSON
  • Sysdig — JSON
  • Tenable — JSON
  • Veracode — XML
  • JFrog Xray — JSON
  • Wiz - JSON (recommended), SARIF
  • Zed Attack Proxy (ZAP) — JSON
  • Checkov - JSON, SARIF

Harness Self-Managed Enterprise Edition (SMP)

All STO features supported in Harness SaaS are also supported in Self-Managed Enterprise Edition with the following exceptions:

  • Custom dashboards
  • Harness AI Development Assistant (AIDA™) for STO
  • You cannot run SaaS-based scans if there is no connectivity between Harness and the external SaaS environment.

Harness SMP in offline environments

If you're running Harness Self-Managed Enterprise Edition in an offline environment, note the following:

  • SaaS-based scanners require connectivity between Harness and the external SaaS environment. This means that you cannot run SaaS-based scans in offline environments.

  • All STO scanners are supported in both Harness SaaS and Self-Managed Enterprise Edition. Harness regularly updates the container images it uses to run STO scans. If you're running STO in an offline environment, Harness recommends that you download your STO images regularly to ensure that your scanners are up-to-date. For more information, go to Configure your pipeline to use STO images from private registry.