What's supported by Harness SCS
This document outlines the platforms, features, and integrations supported by Harness SCS. The Supply Chain Security (SCS) module is available on the following platforms:
- Harness SaaS
- Harness Self-Managed Enterprise Edition
- Harness Self-Managed Enterprise Edition in Air-gapped/Offline Environments
SCS on Harness SaaS
- Repository Security Posture Management (RSPM)
- Generate or ingest SBOM, followed by SBOM drift detection and scoring.
- Enforce OSS usage with SBOM governance policies.
- Generate SLSA provenance and achieve Build Levels 1, 2, and 3.
- Verify SLSA provenance with SLSA governance policies.
- Attest and verify SBOM and SLSA Provenance with Cosign.
- Create and manage Remediation Trackers.
SCS on Harness Self-Managed Enterprise Edition (SMP)
Connected Environment
All features of 'SCS on Harness SaaS' are available in an SMP environment, with the following exceptions:
- Creating a Remediation Tracker requires manually adding the CVE details, because auto-population is linked with the STO module. However, if you are using Harness STO SMP, this limitation does not apply.
- Achieving SLSA Level 3 compliance is not possible in SMP, as it requires Harness-hosted build infrastructure. This capability is available through 'SCS on Harness SaaS'.
Air-gapped Environment
All features of 'SCS on Harness SaaS' are available in an air-gapped or offline environment, with the following exceptions:
- Repository Security Posture Management is not supported in air-gapped environments.
- In the generated SBOMs, the license data for certain dependencies will be marked as "NOASSERTION", leading to a reduced SBOM quality score. However, this does not impact the SBOM generation or any other features of SBOM Orchestration.
- The attestation record is not logged in the Sigstore public Rekor during the SBOM and SLSA Provenance attestation process, but this does not impact the attestation itself.
- Creating a Remediation Tracker requires manually adding the CVE details, because auto-population is linked with the STO module. However, if you are using Harness STO SMP, this limitation does not apply.
- Achieving SLSA Level 3 compliance is not possible in SMP, as it requires Harness-hosted build infrastructure. This capability is available through 'SCS on Harness SaaS'.
SCS Steps Support Across Stages
Step | Build Stage | Security Stage | Deploy Stage |
---|---|---|---|
SBOM Orchestration | Yes | Yes | Yes |
SBOM Policy Enforcement | Yes | Yes | Yes |
SLSA Generation | Yes | No | No |
SLSA Verification | Yes | Yes | Yes |
SCS Compliance | Yes | Yes | No |
Artifact Signing | Yes | Yes | No |
Artifact Verification | Yes | Yes | Yes |
For information about what's supported for other Harness modules and the Harness Platform overall, go to Supported platforms and technologies.