STO tutorials
The following workflows and tutorials are available.
Getting started:
- Set up Harness for STO: a good primer if you're new to Harness. It guides you through setting up the connectors, delegate, and infrastructure needed to run STO scans.
- Your first STO pipeline: covers the basic concepts of STO. You set up a standalone pipeline with one scanner, run scans, analyze the results, and learn how to investigate and fix detected vulnerabilities.

Quickstarts:
- SAST code scans using Semgrep: a quick-start that shows how to scan a codebase using Semgrep, which supports a wide range of languages and has a free version.
- Container image scans with Aqua Trivy: a quick-start that shows how to scan a container image using Aqua Trivy, a popular open-source scanner.
- DAST app scans using Zed Attack Proxy: a quick-start that shows how to scan a running application instance using Zed Attack Proxy (ZAP), an open-source penetration-testing tool for web applications.

Integrated end-to-end workflows:
- Create a build-scan-push pipeline (STO only): set up an end-to-end STO pipeline that scans your codebase, then builds an image and scans it. If the image scan detects no critical issues, the pipeline pushes the image to your registry.
- Create a build-scan-push pipeline (STO and CI): set up an end-to-end STO/CI pipeline that scans your codebase, builds and pushes a test image, and then scans it. If the image scan detects no critical issues, the pipeline builds and pushes a prod image.
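The gate at the end of both build-scan-push workflows (push only when the image scan reports no critical issues) is the security-relevant decision in those pipelines, so here is a stand-alone model of it. This is an added example, not code from the Harness tutorials or from STO itself: it reads a scan report in the JSON layout Trivy emits, counts findings by severity, and decides whether the push may proceed given a severity threshold. The report contents, the `EXAMPLE-…` finding identifiers, the package names and the registry name are all constructed for this example.

```python
"""Model of a build-scan-push gate: allow the push only if the image scan
report contains no finding at or above a chosen severity.

Added example; not Harness STO code. The report below is constructed to
mirror the shape of a Trivy JSON report, with made-up finding identifiers.
"""
import json
from collections import Counter

# Severity order used for the threshold comparison.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (not output of a real scan). Trivy emits
# "Vulnerabilities": null for a target with no findings, so that case is
# included deliberately.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/app:test",
    "Results": [
        {
            "Target": "app (alpine 3.18)",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
                 "Severity": "CRITICAL", "FixedVersion": "1.2.4"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
                 "Severity": "HIGH"},
            ],
        },
        {"Target": "Python", "Vulnerabilities": None},
    ],
})

# Constructed report with no findings at all.
CLEAN_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/app:test",
    "Results": [{"Target": "app (alpine 3.18)", "Vulnerabilities": None}],
})


def iter_findings(report_json):
    """Yield (target, finding) pairs, treating null/missing lists as empty."""
    report = json.loads(report_json)
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def normalize_severity(value):
    """Map a severity string onto the known levels; anything else is UNKNOWN."""
    sev = str(value or "UNKNOWN").upper()
    return sev if sev in SEVERITY_RANK else "UNKNOWN"


def count_by_severity(report_json):
    """Return {severity: count} for every finding in the report."""
    counts = Counter()
    for _, vuln in iter_findings(report_json):
        counts[normalize_severity(vuln.get("Severity"))] += 1
    return dict(counts)


def gate_push(report_json, fail_on="CRITICAL"):
    """Decide whether the image may be pushed.

    Returns (allowed, blocking) where blocking lists every finding whose
    severity is at or above fail_on. allowed is True only if that list is empty.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for target, vuln in iter_findings(report_json):
        sev = normalize_severity(vuln.get("Severity"))
        if SEVERITY_RANK[sev] >= threshold:
            blocking.append({
                "target": target,
                "id": vuln.get("VulnerabilityID"),
                "pkg": vuln.get("PkgName"),
                "severity": sev,
                "fixed_version": vuln.get("FixedVersion"),
            })
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    print("findings by severity:", count_by_severity(SAMPLE_REPORT))
    for threshold in ("CRITICAL", "HIGH"):
        allowed, blocking = gate_push(SAMPLE_REPORT, fail_on=threshold)
        verdict = "PUSH" if allowed else "BLOCK"
        print(f"fail_on={threshold}: {verdict} ({len(blocking)} blocking)")
        for b in blocking:
            print(f"  {b['severity']:<8} {b['id']} in {b['pkg']} "
                  f"(fix: {b['fixed_version'] or 'none'})")
```

Two points a practitioner will want to check in their own gate: a report whose target lists `"Vulnerabilities": null` must count as zero findings rather than an error, and the threshold matters. With `fail_on="CRITICAL"` (the "no critical issues" rule the tutorials describe) the HIGH finding above still passes through; raising the threshold to HIGH blocks both. In the Harness tutorials the gate is configured in the pipeline rather than written by hand; this block only makes the decision explicit.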