Skip to main content

Security Testing Orchestration

With Harness Security Testing Orchestration (STO), your pipelines can detect security vulnerabilities automatically. Harness STO enables DevOps and Security teams teams to left shift security testing as a key outcome of their DevSecOps initiative. STO orchestrates scanning, intelligently deduplicating scanner output, prioritizing remediations, and enforcing governance into your pipelines. STO puts scanning directly into your pipelines to ensure that vulnerabilities are caught and fixed before your products are ever released.

Get started

STO tutorials

Dive in with these tutorials.

STO basics

Learn about the security scanning problems facing developers and how STO provides the solutions they need.

STO concepts

Learn about key STO concepts such as scan targets, baselines, severities, and exemptions.

Run scans and ingest data

STO workflows

Learn about the three high-level workflows for running scans and ingesting results: orchestration, extraction, and ingestion.

Orchestration workflows

Learn how to scan an object and ingest the results automatically in one step.

Ingestion workflows

Learn how to run scans in a separate step, or outside Harness entirely, and ingest the results.

Configure external scanners

STO includes integrations with over 30 external tools for scanning repositories, container images, applications, and configurations.

Ingest SARIF scan results

SARIF is an open data format supported by many scan tools. You can ingest results from any tool that supports this format.

Ingest data from custom scanners

You can ingest custom Issues from any scanning tool. This topic shows you how.

View, troubleshoot, and fix vulnerabilities

View issues in target baselines over time

See all detected issues in your main branches, latest images, and other target baselines.

Create Jira tickets for detected issues

You can easily create Jira tickets for issues detected during an STO build.

Navigate and drill down into detected vulnerabilities

The Security Testing Dashboard enables you to view, navigate, discover, and investigate detected vulnerabilities in your organization.

Stop builds based on detected vulnerabilities

Exemptions (Ignore Rules) for Specific Issues

Learn how to set fail_on_severity to stop pipeline builds and create exemptions (ignore rules) for specific vulnerabilities.

Stop pipelines automatically using governance policies

Learn how to create OPA policies to stop pipelines automatically.

GitHub triggers to block pull requests with vulnerabilities

You can create GitHub event triggers to trigger STO scans and block pull requests if the results match your failure criteria.

GitLab triggers to block merge requests with vulnerabilities

You can create GitLab event triggers to trigger STO scans and block merge requests if the results match your failure criteria.