
Supported Security Scanners

The following is the list of scanners supported by STO, grouped by scan type.

In addition to the listed supported scanners, the Custom Scan step allows the use of various other scanners. For a complete list of supported scanners, refer to Scanners Supported with Custom Scan Step.

Static Application Security Testing - SAST Scanners

Static Application Security Testing (SAST) is a security testing practice that analyzes source code for potential vulnerabilities without executing the application. To configure and run SAST scans, refer to the Static Application Security Testing documentation.

  1. Bandit - open-source
  2. Black Duck (by Synopsys)
  3. Brakeman - open-source
  4. Checkmarx
  5. Coverity (commercial; the free Coverity Scan service covers open-source projects only)
  6. CodeQL
  7. FOSSA
  8. Mend (formerly known as WhiteSource)
  9. Semgrep - open-source option
  10. Snyk
  11. SonarQube
  12. Veracode
  13. Wiz

Secret Detection Scanners

Secret Detection is a security testing practice that scans code repositories for exposed credentials, API keys, tokens, and other sensitive information. To configure and run secret detection scans, refer to the Secret Detection documentation.

  1. Gitleaks - open-source

Software Composition Analysis - SCA Scanners

Software Composition Analysis (SCA) is a security testing practice that identifies known vulnerabilities in the open-source dependencies and third-party libraries used by your applications. To configure and run SCA scans, refer to the Software Composition Analysis documentation.

  1. OSV Scanner - open-source
  2. OWASP Dependency-Check - open-source
  3. Snyk
  4. Veracode
  5. Wiz

Container Scanners

Container Scanning is a security testing practice that analyzes your container images for potential vulnerabilities. To configure and run container scans, refer to the Container Scanning documentation.

  1. Anchore
  2. Aqua Security
  3. Aqua Trivy - open-source
  4. AWS ECR Scan
  5. Black Duck
  6. Grype - open-source
  7. Prisma Cloud
  8. Snyk
  9. Sysdig
  10. Wiz

Dynamic Application Security Testing - DAST Scanners

Dynamic Application Security Testing (DAST) is a security testing practice that identifies vulnerabilities in running applications by simulating real-world attacks. To configure and run DAST scans, refer to the Dynamic Application Security Testing documentation.

  1. Burp Suite Enterprise Edition
  2. Nikto - open-source
  3. Nmap - open-source
  4. Traceable
  5. Veracode
  6. ZAP (Zed Attack Proxy) - open-source

Infrastructure as Code - IaC Scanners

Infrastructure as Code (IaC) scanning is a security testing practice that analyzes IaC configurations to identify misconfigurations, security vulnerabilities, and compliance issues before deployment. To configure and run IaC scans, refer to the Infrastructure as Code documentation.

  1. Snyk
  2. Wiz
  3. Checkov - open-source

Scanners supported with Custom Scan step

The following scanners do not have a dedicated step in STO, but they can be used through the Custom Scan step.

  1. Clair
  2. Data Theorem
  3. Docker Content Trust
  4. Fortify Static Code Analyzer
  5. Fortify on Demand
  6. HCL AppScan
  7. Metasploit - open-source
  8. Nessus
  9. Nexus
  10. OpenVAS - open-source
  11. Qualys Web Application Scanning
  12. Qwiet AI (formerly ShiftLeft)
  13. Reapsaw - open-source
  14. ScoutSuite - open-source
  15. Tenable
  16. Veracode
  17. JFrog Xray

If you need a scanner that is neither available as a step nor supported through the Custom Scan step, you can use the Custom Ingest step to import its scan results into STO. For detailed instructions, see Ingest results from unsupported scanners.

Supported ingestion formats

The following scanners support Ingestion scan mode in STO; each entry gives the data format STO expects from that scanner.

Info: Static Analysis Results Interchange Format (SARIF) is an open JSON format supported by many scan tools, especially tools available as GitHub Actions. Harness STO can ingest SARIF 2.1.0 data from any tool that supports this format.

Harness recommends that you publish and ingest using the scanner-specific JSON format when available, because it tends to include more useful information.

  • Anchore Enterprise — JSON
  • Aqua Security — JSON
  • Aqua Trivy — JSON (recommended), SARIF
  • AWS ECR — JSON
  • AWS Security Hub — JSON
  • Bandit — JSON (recommended), SARIF
  • Black Duck Hub — JSON
  • Brakeman — JSON
  • Burp — XML
  • Traceable — JSON
  • Checkmarx — XML, SARIF
  • CheckmarxOne — JSON
  • CodeQL — SARIF
  • Coverity — XML
  • Data Theorem — JSON
  • Docker Content Trust — JSON
  • Fortify — JSON
  • Fortify on Demand — JSON
  • Fossa — JSON
  • Gitleaks — JSON (recommended), SARIF
  • HCL AppScan — XML
  • Grype — JSON
  • Mend (formerly Whitesource) — JSON
  • Nessus — XML
  • Nexus — JSON
  • Nikto — XML
  • Nmap — XML
  • OpenVAS — JSON
  • OWASP Dependency Check — JSON
  • Prisma Cloud — JSON
  • Prowler — JSON
  • Qualys — XML
  • Qwiet — JSON
  • Reapsaw — JSON
  • Semgrep — SARIF
  • Snyk — JSON (recommended), SARIF
  • SonarQube — JSON
  • Sysdig — JSON
  • Tenable — JSON
  • Veracode — XML
  • JFrog Xray — JSON
  • Wiz — JSON (recommended), SARIF
  • Zed Attack Proxy (ZAP) — JSON
  • Checkov — JSON, SARIF
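The following is an added example, not Harness code or a Harness API, illustrating the two ingestion paths described above: producing SARIF 2.1.0 from a scanner that has no dedicated step (for the Custom Ingest step) and sanity-checking a SARIF file before you ingest it. The findings, the scanner name, the severity-to-level mapping and the function names are all assumptions made for the example.

```python
"""Build and sanity-check a SARIF 2.1.0 log for ingestion into Harness STO.

Added example, not Harness code. FINDINGS is a constructed sample from a
hypothetical in-house scanner; make_sarif/summarize_sarif are assumed names.
"""
import json
from collections import Counter

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed findings from a hypothetical scanner (not real results).
FINDINGS = [
    {"rule": "HARDCODED_SECRET", "severity": "high", "file": "src/config.py",
     "line": 12, "message": "Hard-coded cloud secret access key"},
    {"rule": "WEAK_HASH", "severity": "medium", "file": "src/auth.py",
     "line": 44, "message": "MD5 used for password hashing"},
    {"rule": "DEBUG_ENABLED", "severity": "low", "file": "settings.py",
     "line": 3, "message": "DEBUG=True in production settings"},
]

# Map the scanner's own severities onto the SARIF 'level' enumeration
# (error / warning / note). Unknown severities fall back to 'warning'.
LEVEL_MAP = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}


def make_sarif(findings, tool_name="in-house-scanner", tool_version="1.0.0"):
    """Return a SARIF 2.1.0 log (dict) with a single run and one result per finding."""
    rules = {}
    results = []
    for f in findings:
        # Each distinct rule is declared once in tool.driver.rules.
        rules.setdefault(f["rule"], {"id": f["rule"], "shortDescription": {"text": f["rule"]}})
        results.append({
            "ruleId": f["rule"],
            "level": LEVEL_MAP.get(f["severity"].lower(), "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": int(f["line"])},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def to_json(doc):
    """Serialize the SARIF log as it would be written to the ingestion file."""
    return json.dumps(doc, indent=2)


def summarize_sarif(sarif):
    """Validate a SARIF log (str or dict) before ingestion.

    Returns (counts by level, set of rule IDs). Raises ValueError if the
    version is not 2.1.0 or a result carries no location, since such a
    result cannot be tied to a file during triage.
    """
    doc = json.loads(sarif) if isinstance(sarif, str) else sarif
    if doc.get("version") != SARIF_VERSION:
        raise ValueError(f"expected SARIF {SARIF_VERSION}, got {doc.get('version')!r}")
    levels = Counter()
    rule_ids = set()
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            if not r.get("locations"):
                raise ValueError(f"result for rule {r.get('ruleId')!r} has no location")
            levels[r.get("level", "warning")] += 1  # SARIF default level is 'warning'
            rule_ids.add(r.get("ruleId"))
    return levels, rule_ids


if __name__ == "__main__":
    sarif_text = to_json(make_sarif(FINDINGS))
    print(sarif_text)
    print(summarize_sarif(sarif_text))
```

Run the script and redirect its output to the file you point the Custom Ingest step at; run `summarize_sarif` on any SARIF file from a GitHub Action or other tool before ingesting it, so a wrong SARIF version or a location-less result fails in your pipeline rather than showing up as an empty or unattributable scan. Where a scanner offers both, the scanner-specific JSON remains the richer choice, as the note above says.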