Skip to main content

Security Step Settings Reference

This topic includes the Security step settings for each of the scanner providers supported by Harness.

On March 14, 2023, Harness introduced a set of new UIs (step palettes) for Aqua Trivy, Bandit, SonarQube, and other popular scanners. These steps greatly simplify the process of setting up scans in your pipelines. Previously, the workflow for all scanners was to enter a set of hard-coded key and value strings in a Security step. These new steps have simplified user-friendly UIs that include only the options relevant to the specific scanner, mode, and target.

The following security steps are now generally available:

Scanner categories

The following list shows the scan types that STO supports:

  • SAST (Static Application Security Testing) scans a code repository and identifies known vulnerabilities in the proprietary code.
  • SCA (Software Composition Analysis) scans a code repository and identifies known vulnerabilities in open-source libraries and packages used by the code.
  • DAST (Dynamic Application Security Testing) scans a running application for vulnerabilties by simulating a malicious external actor exploiting known vulnerabilties.
  • Container Scanning identifies known vulnerabilities in a Docker container.

Data ingestion methods

Harness Security Testing Orchestration integrates with multiple scanners and targets. Different types of scan approaches can be done on each scanner-target combination:

  • Orchestrated (orchestratedScan) Scans are fully orchestrated. A Security step in the Harness pipeline orchestrates a scan and then normalizes and compresses the results.
  • Extraction (dataLoad) Scans are partially orchestrated. The Security step pulls scan results from an external SaaS service and then normalizes and compresses the data.
  • Ingestion (ingestionOnly) Scans are not orchestrated. The Security step ingests results from a previous scan (for for a scan run in an previous step) and then normallizes and compresses the results.

The scanner, targets, and scan approach combinations are covered in the next section.

Harness STO scanner support

Scan ModeOpen SourceCommercial
SAST
SCA
DAST
Containers

Scanner binaries used in STO container images

Harness maintains and updates a container image for every scanner supported by STO. The following table lists the binaries and versions used for the most popular scanners.

ScannerBinaryCurrent version
Aqua Trivytrivy imageLatest stable build
Banditbandit1.7.4
Black Duck Hubsynopsys detect7.9.0
Brakemanbrakeman4.4.0
CheckmarxrunCxConsole.sh1.1.18
GrypegrypeLatest stable build
NiktoNikto2.1.6
Nmapnmap7.92
ProwlerprowlerLatest stable build
SonarQubesonar-scanner4.7.0.2747
Twistlocktwistcli22.12.582
Whitesourcejava -jar /opt/whitesource/wss-unified-agent.jar22.10.1

Security steps and scanner templates

The Step library includes a Security step for setting up scanners: open the step and configure the scan as a set of key/value pairs under Settings.

Some scanners also have scanner templates with UIs that simplify the process of setting up a scanner.

Step Library with Security step and scanner templates

tep Library with Security step and scanner templates

Security step configuration

Security step configuration

Scanner template configuration

Scanner template configuration