What's supported in Harness STO
This topic lists the supported STO features and integrations to scan your code repositories, container images, and other targets for security vulnerabilities. Harness STO is supported on the following platforms:
- Harness SaaS
Scanner categories
The following list shows the scan types that STO supports:
- SAST (Static Application Security Testing) scans a code repository and identifies known vulnerabilities in open-source and proprietary code.
- SCA (Software Composition Analysis) scans a code repository and identifies known vulnerabilities in open-source libraries and packages used by the code.
- Secret Scanning scans a code repository and identifies all secrets such as access keys and passwords.
- DAST (Dynamic Application Security Testing) scans a running application for vulnerabilities by simulating a malicious external actor exploiting known vulnerabilities.
- Container Scanning identifies vulnerabilities in container images.
Harness STO scanner support
If you use a scanner that isn't listed in the following table, you can still ingest your scan results into STO.
- If your scanner can publish to SARIF format, go to Ingest SARIF scan results into STO.
- For other scanners, go to Ingest results from unsupported scanners.
Scan Mode | Open Source | Commercial |
---|---|---|
SAST | | |
SCA | | |
Secrets | | |
DAST | | |
Container Images | | |
Configurations | | |
Scanner binaries used in STO container images
Harness maintains and updates a container image for every scanner supported by STO. The following table lists the binaries and versions used for the most popular scanners.
Scanner | Binary | Current version |
---|---|---|
Aqua Trivy | trivy image | Latest stable build |
Bandit | bandit | 1.7.4 |
Black Duck Hub | synopsys detect | 8.9.0 |
Brakeman | brakeman | 4.4.0 |
Checkmarx | runCxConsole.sh | 1.1.26 |
Grype | grype | Latest stable build |
Nikto | Nikto | 2.1.6 |
Nmap | nmap | 7.92 |
Prowler | prowler | Latest stable build |
SonarQube | sonar-scanner | 4.7.0.2747 |
Twistlock | twistcli | 30.01.152 |
Whitesource | java -jar /opt/whitesource/wss-unified-agent.jar | 23.5.2.1 |
Supported ingestion formats
Harness STO can automatically ingest, aggregate, normalize, and deduplicate data from the following scanners and formats.
- Anchore Enterprise — JSON
- Aqua Security — JSON
- Aqua Trivy — JSON
- AWS ECR — JSON
- AWS Security Hub — JSON
- Bandit — JSON
- Black Duck Hub — JSON
- Brakeman — JSON
- Burp — XML
- Checkmarx — XML, SARIF
- CodeQL — JSON, SARIF
- Coverity — XML
- Data Theorem — JSON
- Docker Content Trust — JSON
- Fortify — JSON
- Fortify on Demand — JSON
- Fossa — JSON
- Gitleaks — JSON, SARIF
- HCL AppScan — XML
- Grype — JSON
- Mend (formerly Whitesource) — JSON
- Nessus — XML
- Nexus — JSON
- Nikto — XML
- Nmap — XML
- OpenVAS — JSON
- OWASP Dependency Check — JSON
- Prisma Cloud — JSON
- Prowler — JSON
- Qualys — XML
- Qwiet — JSON
- Reapsaw — JSON
- Semgrep — SARIF
- Snyk — JSON, SARIF
- SonarQube — JSON
- Sysdig — JSON
- Tenable — JSON
- Veracode — XML
- JFrog Xray — JSON
- Zed Attack Proxy (ZAP) — JSON
Harness Security Testing Orchestration integrates with multiple scanners and targets. Different types of scan approaches can be done on each scanner-target combination:
- Orchestration (`orchestratedScan`): Scans are fully orchestrated. A Security step in the Harness pipeline orchestrates a scan and then normalizes and compresses the results.
- Extraction (`dataLoad`): Scans are partially orchestrated. The Security step pulls scan results from an external SaaS service and then normalizes and compresses the data.
- Ingestion (`ingestionOnly`): Scans are not orchestrated. The Security step ingests results from a previous scan (for a scan run in a previous step), and then normalizes and compresses the results.
In addition to ingesting scan data in the external scanner's native format, STO steps can also ingest data in SARIF and Harness Custom JSON format.
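The ingestion path described above takes a scanner's native output (or SARIF) and normalizes and deduplicates it into a common finding shape. The following is an added example, not Harness code and not STO's actual normalization logic: it parses a SARIF 2.1.0 document, maps each result to a flat finding record, and drops duplicates by a fingerprint over scanner, rule, file, and line. The severity mapping, the finding field names, and the sample SARIF document (with one deliberately duplicated result) are all constructed for this illustration.

```python
"""Added example (not Harness code): normalize and deduplicate SARIF results.

The finding schema, the level-to-severity mapping and the fingerprint rule are
assumptions made for this illustration, not STO's own behaviour.
"""
import hashlib
import json

# SARIF "level" values mapped to a normalized severity (assumed mapping).
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}

# Constructed sample SARIF 2.1.0 document: one rule with metadata, three results,
# of which the first two are exact duplicates and the third has no explicit level.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",
            "rules": [{"id": "EX001",
                       "shortDescription": {"text": "Hardcoded secret"},
                       "defaultConfiguration": {"level": "error"}}]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Hardcoded credential found"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Hardcoded credential found"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX002",
             "message": {"text": "Use of eval()"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 40}}}]},
        ],
    }],
})


def _rule_index(run):
    """Index the run's rule metadata by rule id so results can inherit title and level."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r for r in rules if "id" in r}


def _result_level(result, rule):
    """Prefer the result's own level, then the rule default, then SARIF's default of 'warning'."""
    if "level" in result:
        return result["level"]
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def _fingerprint(scanner, rule_id, file, line):
    """Stable identity for a finding: same scanner, rule, file and line means the same issue."""
    key = "|".join([scanner, rule_id, file, str(line)])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def normalize_sarif(sarif_text):
    """Parse a SARIF document and return a list of flat, normalized finding dicts."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        scanner = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        rules = _rule_index(run)
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            rule = rules.get(rule_id, {})
            # Use the first location only; SARIF allows several per result.
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            file = loc.get("artifactLocation", {}).get("uri", "")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append({
                "scanner": scanner,
                "rule_id": rule_id,
                "title": rule.get("shortDescription", {}).get("text", rule_id),
                "severity": LEVEL_TO_SEVERITY.get(_result_level(result, rule), "info"),
                "file": file,
                "line": line,
                "message": result.get("message", {}).get("text", ""),
                "fingerprint": _fingerprint(scanner, rule_id, file, line),
            })
    return findings


def deduplicate(findings):
    """Keep the first finding for each fingerprint and drop later repeats."""
    seen = set()
    unique = []
    for finding in findings:
        if finding["fingerprint"] in seen:
            continue
        seen.add(finding["fingerprint"])
        unique.append(finding)
    return unique


if __name__ == "__main__":
    raw = normalize_sarif(SAMPLE_SARIF)
    for finding in deduplicate(raw):
        print(f'{finding["severity"]:6} {finding["rule_id"]} {finding["file"]}:{finding["line"]} {finding["title"]}')
```

Fingerprinting on scanner, rule, file and line is what lets repeated scans of the same target collapse into one tracked issue; a result that lacks its own `level` falls back to the rule's `defaultConfiguration`, and then to SARIF's documented default of `warning`, which is the case the third sample result exercises.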
Operating systems and architectures supported for STO
STO uses CI build infrastructures to orchestrate scans and ingest issues. The following table shows STO support for each infrastructure type.
Operating System | Architecture | Harness Cloud | Self-managed local runner | Self-managed AWS/GCP/Azure VMs | Self-managed Kubernetes cluster |
---|---|---|---|---|---|
Linux | amd64 | ✅ Supported | ✅ Supported | ✅ Supported | ✅ Supported |
Linux | arm64 | ❌ Not supported | ❌ Not supported | ❌ Not supported | ❌ Not supported |
Windows | amd64 | Roadmap | | | |