Supply Chain Security release notes

These release notes describe recent changes to Harness Supply Chain Security.

About Harness Release Notes
  • Progressive deployment: Harness deploys changes to Harness SaaS clusters on a progressive basis. This means that the features described in these release notes may not be immediately available in your cluster. To identify the cluster that hosts your account, go to your Account Overview page in Harness. In the new UI, go to Account Settings, Account Details, General, Account Details, and then Platform Service Versions.
  • Security advisories: Harness publishes security advisories for every release. Go to the Harness Trust Center to request access to the security advisories.
  • More release notes: Go to Harness Release Notes to explore all Harness release notes, including module, delegate, Self-Managed Enterprise Edition, and FirstGen release notes.

February 2025

Version: 1.25.1

New features and enhancements

  • Added Dashboards for License and Compliance Reports, so you can access detailed information about the licenses and compliance status of your software components in one place.
  • Added Artifact Signing and Verification steps to sign artifacts and to verify the signed artifacts before they are deployed, ensuring integrity and preventing tampering.
  • With the Harness Internal Developer Portal (IDP) workflow, you can now use a single GitHub connector at the account level, selectively onboard repositories into the project of your choice, and automatically create scan pipelines to scan those repositories.
  • Secure attestation with Cosign using HashiCorp Vault is now supported via Vault Proxy with GCP Auth for enhanced security.
  • Enabled SBOM and SLSA generation and verification via Harness GitHub Actions, integrating seamlessly with GitHub CI workflows.

Fixed Issues

  • Added a link in the Supply Chain tab that redirects to the Artifacts/Repositories details page, for better traceability.
  • Fixed the issue where clicking the back button on the Select Code Repo page after selecting a connector redirected the user to the login page.

November 2024

Version: 1.19.1

New features and enhancements

  • Launched a dedicated SLSA Generation step under the Supply Chain Security section in the step palette; removed the SLSA Provenance section from the stage Overview. You can now perform SLSA provenance generation and attestation using the new SLSA Generation step.
  • Chain of Custody in the Artifact section now logs events from the Security Testing Orchestration (STO) module.
  • The Rule Definitions section now has an expandable view that shows rule descriptions upon expansion. The Type column has been replaced with Applicable On, which displays the entity types to which rules apply, such as Code Repository or CI/CD, along with the platform or integration logo (for example, GitHub or GitHub Actions).

Enhancements in CI/CD section

  • Added sorting option for pipelines based on Risk and Compliance Issues column.
  • New filter for pipelines by CI/CD Types, allowing you to list GitHub workflows or Harness pipelines.

Enhancements in Compliance section

  • Renamed Rules tab to Evaluations.
  • Added Applicable On column in the Evaluations tab to display the entity types to which rules apply, such as Code Repository or CI/CD.
  • Added a link to entity source in the impacted entity details within the Evaluations tab. By clicking on an impacted entity, you can use the “Go to workflow/repository” link to navigate directly to the associated pipeline or repository.

October 2024

Version: 1.18.0

New features and enhancements

  • Added rule 2.3.9 from OWASP CICD-SEC-6 for evaluation against Harness pipelines. For more information, refer to the Standards and Rule Definitions documentation.
  • In the Evaluation details, links to the relevant GitHub workflows or Harness pipelines have been included.
  • Introduced UI enhancements in the Compliance section.

July 2024

Version: 1.14.3

Announcements

SCS is now Generally Available (GA). We have moved from Limited GA (since January 2024) to GA. Read more on our announcement blog.

New features

  • Repository Security Posture Management:
    • Connect your GitHub with Harness SCS to identify insecure configurations in code repositories and organization settings for comprehensive risk, compliance, and security posture management. Use the Harness SCS GitHub app for integration. Learn more in our RSPM documentation.
  • Manage Risk and Compliance
  • Integrations and Permissions

Enhancements

The Artifact view now supports the following views:

  • Chain of Custody: Log the artifact's journey throughout the software supply chain.
  • Artifact Listing: View all container images, including their digests and tags.
  • Security Insights: Access detailed information on security vulnerabilities.
  • SLSA Provenance: View the provenance and verification status of artifacts following the SLSA framework.

July 2024

Version: 1.12.0

New features and enhancements

  • The "Repositories" tab previously located in the Artifact View has been relocated and expanded into a separate section titled "Code Repositories". All repository data will now be accessible from the Code Repositories section, providing a more streamlined interface for managing repository information.

September 2023

The Supply Chain Security module documentation is live on the Harness Developer Hub. Check back soon for module release notes.