What's supported in Harness STO

This topic lists the supported STO features and integrations to scan your code repositories, container images, and other targets for security vulnerabilities. Harness STO is supported on the following platforms:

• Harness SaaS
• Harness Self-Managed Enterprise Edition (SMP)
• Harness SMP in offline environments

Harness SaaS

Scanners

Scanner categories

The following list shows the scan types that STO supports:

• SAST (Static Application Security Testing) scans a code repository and identifies known vulnerabilities in open-source and proprietary code.
• SCA (Software Composition Analysis) scans a code repository and identifies known vulnerabilities in open-source libraries and packages used by the code.
• Secret Scanning scans a code repository and identifies all secrets such as access keys and passwords.
• DAST (Dynamic Application Security Testing) scans a running application for vulnerabilties by simulating a malicious external actor exploiting known vulnerabilties.
• Container Scanning identifies vulnerabilities in container images.
• IaC identifies vulnerabilities in Infrastructure as Code scripts that automatically provision and configure infrastructures.

Harness STO scanner support

The following sections describe the scanners supported by Harness STO, based on the target type:

• Code repo scanners
• Artifact scanners
• Instance scanners
• Configuration scanners
• Other scanners

Code repo scanners

A code scanner can detect one or more of the following issue types in your source code. For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.

• SAST (Static Application Security Testing): Known vulnerabilities in open-source and proprietary code.
• SCA (Software Composition Analysis): Known vulnerabilities in open-source libraries and packages used by the code.
• Secrets: Hard-coded secrets such as access keys and passwords.
• IaC: Known vulnerabilities in Infrastructure-as-Code files such as Terraform configurations.
• Misconfigurations: Known vulnerabilities in software configurations.

Open Source

Commercial

Bandit Orchestration, Ingestion Brakeman Orchestration, Ingestion Coverity Ingestion Gitleaks Orchestration, Ingestion Grype Orchestration, Ingestion Open Source Vulnerabilities (OSV) Orchestration, Ingestion OWASP Dependency Check Orchestration, Ingestion Reapsaw Ingestion Semgrep Code (open-source option) Orchestration, Ingestion SonarQube/SonarCloud (free option) Orchestration, Extraction, Ingestion

Black Duck Hub Orchestration, Extraction, Ingestion Checkmarx — The following workflows are supported: Ingestion workflows for all Checkmarx One services (including SAST and SCA) that can publish scan results in SARIF format Orchestration, Extraction, and Ingestion workflows for Checkmarx SAST and Checkmarx SCA scans CodeQL Ingestion Data Theorem Extraction, Ingestion Fortify on Demand Orchestration, Extraction, Ingestion Fortify Static Code Analyzer Ingestion Fossa Ingestion Mend (formerly WhiteSource) Orchestration, Extraction, Ingestion Nexus IQ Orchestration, Extraction, Ingestion Qwiet AI (formerly ShiftLeft) Orchestration, Extraction, Ingestion Semgrep Code (paid option) Orchestration, Ingestion Snyk Code Ingestion Snyk Infrastructure as Code Ingestion (beta) Snyk Open Source Orchestration, Ingestion SonarQube/SonarCloud Orchestration, Extraction, Ingestion Veracode Orchestration, Extraction, Ingestion Wiz Orchestration, Ingestion

Artifact scanners

An artifact scanner can detect one or more of the following issue types in your container images and other artifacts. For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.

• SCA (Software Composition Analysis): Known vulnerabilities in open-source libraries and packages used by the code.
• Container Scanning: Identify vulnerabilities in container images.

Open Source

Commercial

Grype Orchestration, Ingestion Aqua Trivy Orchestration, Ingestion Clair Orchestration, Ingestion

Anchore Enterprise Orchestration, Extraction, Ingestion Aqua Security Orchestration, Ingestion AWS ECR Extraction Black Duck Hub Orchestration, Extraction, Ingestion Docker Content Trust (DCT) Orchestration, Ingestion Mend (formerly WhiteSource) Orchestration, Extraction, Ingestion Prisma Cloud (formerly Twistlock) Orchestration, Extraction, Ingestion Snyk Container Ingestion Sysdig Orchestration, Ingestion Tenable.io Orchestration, Ingestion Wiz Orchestration, Ingestion JFrog Xray Ingestion

Instance scanners

An instance scanner scans a running application for vulnerabilities by simulating a malicious external actor exploiting known vulnerabilities. This is also known as a DAST (Dynamic Application Security Testing) scan.

For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.

Open Source	Commercial
Metasploit Framework Orchestration, Ingestion Nikto Orchestration, Ingestion Nmap ("Network Mapper") Orchestration, Ingestion OpenVAS Orchestration, Ingestion ZAP Orchestration, Ingestion	Burp Enterprise Orchestration, Extraction, Ingestion Fortify on Demand Extraction, Ingestion HCL AppScan Ingestion Qualys Web Application Scanning (WAS) Ingestion Tenable.io Nessus vulnerability scan Orchestration, Ingestion Tenable.io Nessus web app scan Orchestration, Ingestion

Configuration scanners

The following scanners detect misconfigurations in your cloud environment that can result in vulnerabilities. For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.

Open Source	Commercial
ScoutSuite Ingestion Prowler Orchestration, Ingestion	AWS Security Hub Extraction, Ingestion

Other scanners

If you use a scanner that isn't listed above, you can still ingest your scan results into STO.

• If your scanner can publish to SARIF format, go to Ingest SARIF scan results into STO.

• For other scanners, go to Ingest results from unsupported scanners.

Supported ingestion formats

Harness STO can automatically ingest, aggregate, normalize, and deduplicate data from the following scanners and formats.

info

Static Analysis Results Interchange Format (SARIF) is an open JSON format supported by many scan tools, especially tools available as GitHub Actions. Harness STO can ingest SARIF 2.1.0 data from any tool that supports this format.

Harness recommends that you publish and ingest using the scanner-specific JSON format when available, because it tends to include more useful information.

• Anchore Enterprise — JSON
• Aqua Security — JSON
• Aqua Trivy — JSON (recommended), SARIF
• AWS ECR — JSON
• AWS Security Hub — JSON
• Bandit — JSON (recommended), SARIF
• Black Duck Hub — JSON
• Brakeman — JSON
• Burp — XML
• Checkmarx — XML, SARIF
• CodeQL — SARIF
• Coverity — XML
• Data Theorem — JSON
• Docker Content Trust — JSON
• Fortify — JSON
• Fortify on Demand — JSON
• Fossa — JSON
• Gitleaks — JSON (recommended), SARIF
• HQL AppScan — XML
• Grype — JSON
• Mend (formerly Whitesource) — JSON
• Nessus — XML
• Nexus — JSON
• Nikto — XML
• Nmap — XML
• OpenVAS — JSON
• OWASP Dependency Check — JSON
• Prisma Cloud — JSON
• Prowler — JSON
• Qualys — XML
• Qwiet — JSON
• Reapsaw — JSON
• Semgrep — SARIF
• Snyk — JSON (recommended), SARIF
• SonarQube — JSON
• Sysdig — JSON
• Tenable — JSON
• Veracode — XML
• JFrog Xray — JSON
• Wiz - JSON (recommended), SARIF
• Zed Attack Proxy (ZAP) — JSON

Data ingestion

Harness Security Testing Orchestration integrates with multiple scanners and targets. Different types of scan approaches can be done on each scanner-target combination:

• Orchestration (orchestratedScan) Scans are fully orchestrated. A Security step in the Harness pipeline orchestrates a scan and then normalizes and compresses the results.
• Extraction (dataLoad) Scans are partially orchestrated. The Security step pulls scan results from an external SaaS service and then normalizes and compresses the data.
• Ingestion (ingestionOnly) Scans are not orchestrated. The Security step ingests results from a previous scan (for a scan run in a previous step), and then normalizes and compresses the results.

In addition to ingesting scan data in the external scanner's native format, STO steps can also ingest data in SARIF and Harness Custom JSON format.

Build infrastructure

Operating systems and architectures supported for STO

STO uses CI build infrastructures to orchestrate scans and ingest issues. The following table shows STO support for each infrastructure type.

Operating System	Architecture	Harness Cloud	Self-managed local runner	Self-managed AWS/GCP/Azure VMs	Self-managed Kubernetes cluster
Linux	amd64	✅ Supported	✅ Supported	✅ Supported	✅ Supported
Linux	arm64	✅ Ingestion mode only	✅ Ingestion mode only	✅ Ingestion mode only	✅ Ingestion mode only
Windows	amd64	✅ Ingestion mode only	❌ Not supported	Roadmap	❌ Not supported
MacOS	arm64	Roadmap	Roadmap	Roadmap	❌ Not supported

Approvals / Ticketing

Harness STO supports the following features for generating notifications and stopping pipelines in response to detected vulnerabilities:

• Each Security Test step has a Fail on Severity setting that causes a pipeline build to fail if a Security Scan step detects one or more issues with the specified severity (Critical, High, Medium, etc.). You can also create exemptions ("Ignore rules") for specific issues to override this behavior.

• You can also enforce governance policies against scan results to stop pipelines automatically.

• You can configure STO to generate the following notifications automatically in response to issues detected in a scan:

  • New Jira tickets

  • Email notifications

  • Slack notifications

Governance

Harness Policy As Code uses Open Policy Agent (OPA) as the central service to store and enforce policies for the different entities and processes across the Harness platform.

You can centrally define and store policies and then select where (which entities) and when (which events) they will be applied.

Currently, you can define and store policies directly in the OPA service in Harness.

Soon, you will be able to use remote Git or other repos (e.g. OCI-compatible registries) to define and store the policies used in Harness.

• Use security test policies to stop STO pipelines automatically
• Harness Policy As Code overview
• Harness Policy As Code quickstart
• Add a Policy step to a pipeline

Harness Self-Managed Enterprise Edition (SMP)

All STO features supported in Harness SaaS are also supported in Self-Managed Enterprise Edition with the following exceptions:

• Custom dashboards
• Harness AI Development Assistant (AIDA™) for STO
• You cannot run SaaS-based scans if there is no connectivity between Harness and the external SaaS environment.

Harness SMP in offline environments

If you're running Harness Self-Managed Enterprise Edition in an offline environment, note the following:

• SaaS-based scanners require connectivity between Harness and the external SaaS environment. This means that you cannot run SaaS-based scans in offline environments.

• All STO scanners are supported in both Harness SaaS and Self-Managed Enterprise Edition. Harness regularly updates the container images it uses to run STO scans. If you're running STO in an offline environment, Harness recommends that you download your STO images regularly to ensure that your scanners are up-to-date. For more information, go to Configure STO to Download Images from a Private Registry.