What's supported by Harness SSCA

This document outlines the platforms, features, and integrations supported by Harness SSCA. The Software Supply Chain Assurance (SSCA) module is available on the following platforms:

• Harness SaaS
• Harness Self-Managed Enterprise Edition
• Harness Self-Managed Enterprise Edition in Air-gapped/Offline Environments

SSCA on Harness SaaS

• Generate or ingest SBOM, followed by SBOM drift detection and scoring.
• Enforce OSS usage with SBOM governance policies.
• Generate SLSA provenance and achieve Build Levels 1, 2, and 3.
• Verify SLSA provenance with SLSA governance policies.
• Attest and verify SBOM and SLSA Provenance with Cosign.
• Create and manage Remediation Trackers.

SSCA on Harness Self-Managed Enterprise Edition (SMP)

Connected Environment

All features of 'SSCA on Harness SaaS' are available in an SMP environment, with the following exceptions:

• Creating a Remediation tracker will require manually adding the CVE details as auto-population is linked with STO module. However, if you are using Harness STO SMP, this limitation does not apply.
• Achieving SLSA Level 3 compliance is not possible in SMP, as it requires Harness hosted build infrastructure. This capability is available through 'SSCA on Harness SaaS'.

Air-gapped Environment

All features of 'SSCA on Harness SaaS' are available in an air-gapped or offline environment, with the following exceptions:

• In the generated SBOMs, the license data for certain dependencies will be marked as "NOASSERTION", leading to a reduced SBOM quality score. However, this does not impact the SBOM generation or any other features of SBOM Orchestration.
• Logging the attestation record in the Sigstore public Rekor will not be performed during the SBOM and SLSA Provenance attestation process, but this will not impact the attestation itself.
• Creating a Remediation tracker will require manually adding the CVE details as auto-population is linked with STO module. However, if you are using Harness STO SMP, this limitation does not apply.
• Achieving SLSA Level 3 compliance is not possible in SMP, as it requires Harness hosted build infrastructure. This capability is available through 'SSCA on Harness SaaS'.

Integrations

Code Repositories

• Harness Code Repository

The following code repository providers are integrated using 3rd party Git Connectors:

• GitHub
• GitLab
• BitBucket
• Azure Code Repos

CI/CD Pipelines

• Harness CI - as native steps in Harness Pipeline's Build Stage
• Harness CD & GitOps - as native steps in Harness Pipeline's Deploy Stage
• SSCA steps are also available in Harness Pipeline's Security stage

The following CI/CD pipeline providers are integrated using Pipeline Triggers.

• GitHub
• GitLab
• BitBucket
• Azure Code Repos

Artifact Repositories

• Docker Hub
• GCR
• Amazon ECR
• Microsoft ACR

SBOM Generation Tools

• Syft
• Cdxgen
• Blackduck
• Aqua Trivy
• Snyk

SBOM Formats

• SPDX
• CycloneDX

SLSA Build Level

You can achieve SLSA Build Level 1, Level 2 and Level 3 using Harness SSCA. Refer to SLSA Overview

• SLSA Build L1
• SLSA Build L2
• SLSA Build L3

Attestation/Provenance Generation & Verification Tools

• Sigstore Cosign with built-in in-toto attestations

Policy Enforcement Attributes

• Component name
• Component version
• License
• Supplier
• PURL

For information about what's supported for other Harness modules and the Harness Platform overall, go to Supported platforms and technologies.