This topic lists the supported STO features and integrations to scan your code repositories, container images, and other targets for security vulnerabilities. Harness STO is supported on the following platforms:
- Data ingestion
- Build infrastructure
- Approvals / Ticketing
The following list shows the scan types that STO supports:
- SAST (Static Application Security Testing) scans a code repository and identifies known vulnerabilities in open-source and proprietary code.
- SCA (Software Composition Analysis) scans a code repository and identifies known vulnerabilities in open-source libraries and packages used by the code.
- DAST (Dynamic Application Security Testing) scans a running application for vulnerabilties by simulating a malicious external actor exploiting known vulnerabilties.
- Container Scanning identifies vulnerabilities in container images.
Harness STO scanner support
If you use a scanner that isn't listed in the following table, you can still ingest your scan results into STO. For a full description of the workflow, go to Ingest Results from Custom or Unsupported Scanners.
|Scan Mode||Open Source||Commercial|
Scanner binaries used in STO container images
Harness maintains and updates a container image for every scanner supported by STO. The following table lists the binaries and versions used for the most popular scanners.
|Aqua Trivy||Latest stable build|
|Black Duck Hub||8.9.0|
|Grype||Latest stable build|
|Prowler||Latest stable build|
Harness Security Testing Orchestration integrates with multiple scanners and targets. Different types of scan approaches can be done on each scanner-target combination:
- Orchestrated (
orchestratedScan) Scans are fully orchestrated. A Security step in the Harness pipeline orchestrates a scan and then normalizes and compresses the results.
- Extraction (
dataLoad) Scans are partially orchestrated. The Security step pulls scan results from an external SaaS service and then normalizes and compresses the data.
- Ingestion (
ingestionOnly) Scans are not orchestrated. The Security step ingests results from a previous scan (for a scan run in a previous step), and then normalizes and compresses the results.
STO support by CI build infrastructure type
STO uses CI build infrastructures to orchestrate scans and ingest issues. The following table shows STO support for each infrastructure type.
|Operating System||Architecture||Harness Cloud||Docker||VMs||Kubernetes|
Harness STO supports the following features for generating notifications and stopping pipelines in response to detected vulnerabilities:
Each Security step has a Fail on Severity setting that causes a pipeline build to fail if a Security Scan step detects one or more issues with the specified severity (Critical, High, Medium, etc.). You can also create exemptions ("Ignore rules") for specific issues to override this behavior.
You can also governance policies and security scan results to stop pipelines automatically.
You can set up STO to (create Jira tickets automatically for issues detected during an STO build.
You can also generate automated emails for detected issues.
Harness Policy As Code uses Open Policy Agent (OPA) as the central service to store and enforce policies for the different entities and processes across the Harness platform.
You can centrally define and store policies and then select where (which entities) and when (which events) they will be applied.
Currently, you can define and store policies directly in the OPA service in Harness.
Soon, you will be able to use remote Git or other repos (e.g. OCI-compatible registries) to define and store the policies used in Harness.
Harness Self-Managed Enterprise Edition (SMP)
All STO features supported in Harness SaaS are also supported in Self-Managed Enterprise Edition with the following exceptions:
- Custom dashboards
- Harness AI Development Assistant (AIDA™) for STO
- You cannot run SaaS-based scans if there is no connectivity between Harness and the external SaaS environment.
Harness SMP in offline environments
If you're running Harness Self-Managed Enterprise Edition in an offline environment, note the following:
SaaS-based scanners require connectivity between Harness and the external SaaS environment. This means that you cannot run SaaS-based scans in offline environments.
All STO scanners are supported in both Harness SaaS and Self-Managed Enterprise Edition. Harness regularly updates the container images it uses to run STO scans. If you're running STO in an offline environment, Harness recommends that you download your STO images regularly to ensure that your scanners are up-to-date. For more information, go to Configure STO to Download Images from a Private Registry.