
Adding Custom Artifacts to STO Pipelines

In some cases, a scanner might require additional files such as SSL certificates and license files. The workflow to include these files depends on your build infrastructure.

Kubernetes workflows

The primary workflow for adding certificates to your delegate is described in the CI docs: Configure a Kubernetes build farm to use self-signed certificates.

You can add certificates to your delegate using this workflow with the following differences, based on the scanner you're setting up.

  • Scanner template: If you're using a scanner template to set up your scan, note the following:

    • Mount your files at a fixed path on the delegate, set ADDITIONAL_CERTS_PATH to that path, and set CI_MOUNT_VOLUMES to a <delegate path>:<build container path> mapping so the same file is available inside the scan container at the location where the scanner looks for it.

    • STO supports certificates in PEM format as well as DER (Distinguished Encoding Rules).

  • Security step: If you're using a Security step to set up your scan, note the following:

    • You need to place the certificates in the folder /shared/customer_artifacts/certificates/

    • STO supports loading multiple certificates in PEM format as well as DER (Distinguished Encoding Rules).

  • Nexus IQ scan: For Nexus IQ scans, follow the Security step workflow. The certificate must have the filename certificate and the path /shared/customer_artifacts/certificates/certificate.
Security step setup example

The secret is mounted on the delegate at /tmp/ca.bundle, which is the path ADDITIONAL_CERTS_PATH points to and the source side of the CI_MOUNT_VOLUMES mapping; the destination side is the path the Security step reads.

apiVersion: apps/v1
kind: StatefulSet
spec:
  template:
    spec:
      # env and volumeMounts belong to the delegate container; volumes to the pod spec
      env:
        - name: ADDITIONAL_CERTS_PATH
          # path on the delegate where the bundle is mounted (see volumeMounts)
          value: /tmp/ca.bundle
        - name: CI_MOUNT_VOLUMES
          # <delegate path>:<path inside the build container>
          value: /tmp/ca.bundle:/shared/customer_artifacts/certificates/ca.bundle
      volumeMounts:
        - name: customercertvol
          mountPath: /tmp/ca.bundle
          subPath: ca.bundle
      volumes:
        - name: customercertvol
          secret:
            secretName: addcerts
            items:
              - key: ca.bundle
                path: ca.bundle

Nexus IQ scan setup example

Identical to the Security step setup, except that the destination path inside the build container must be /shared/customer_artifacts/certificates/certificate.

apiVersion: apps/v1
kind: StatefulSet
spec:
  template:
    spec:
      env:
        - name: ADDITIONAL_CERTS_PATH
          value: /tmp/ca.bundle
        - name: CI_MOUNT_VOLUMES
          # Nexus IQ requires the filename "certificate" in the build container
          value: /tmp/ca.bundle:/shared/customer_artifacts/certificates/certificate
      volumeMounts:
        - name: customercertvol
          mountPath: /tmp/ca.bundle
          subPath: ca.bundle
      volumes:
        - name: customercertvol
          secret:
            secretName: addcerts
            items:
              - key: ca.bundle
                path: ca.bundle
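The StatefulSet fragments above assume a Secret named addcerts that carries the CA bundle under the key ca.bundle. The following script builds that Secret: it concatenates one or more PEM certificates into a single ca.bundle (adding the newline that a PEM file missing its trailing newline would otherwise drop, which makes the next BEGIN marker land on the previous END line) and prints a Secret manifest you can pipe to kubectl apply. This is an added example, not code from the Harness documentation; the namespace harness-delegate-ng, the script name and the input file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Harness docs): build the `addcerts` Secret that the
# delegate StatefulSet mounts. NAMESPACE and SECRET_NAME are assumptions; change
# them to match your delegate installation.
NAMESPACE="${NAMESPACE:-harness-delegate-ng}"
SECRET_NAME="${SECRET_NAME:-addcerts}"

# bundle_pems <out> <pem>...
# Appends each PEM file to <out>, adding a newline after any file that lacks a
# trailing one so adjacent certificates do not run together. Refuses files that
# contain no CERTIFICATE block. Prints the number of certificates in the bundle.
bundle_pems() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
      echo "bundle_pems: $f is not a PEM certificate" >&2
      return 1
    fi
    cat "$f" >> "$out"
    # $(tail -c1 ...) is empty when the file already ends with a newline
    [ -z "$(tail -c1 "$f")" ] || printf '\n' >> "$out"
  done
  grep -c -- '-----BEGIN CERTIFICATE-----' "$out"
}

# secret_manifest <bundle>
# Prints a Kubernetes Secret manifest carrying <bundle> under data.ca.bundle,
# the key referenced by items[].key in the StatefulSet volume definition.
secret_manifest() {
  b64=$(base64 < "$1" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $NAMESPACE
type: Opaque
data:
  ca.bundle: $b64
EOF
}

# Usage (hypothetical file names):
#   sh make-addcerts.sh corp-root.pem proxy-ca.pem | kubectl apply -f -
if [ "$#" -gt 0 ]; then
  n=$(bundle_pems ca.bundle "$@") || exit 1
  echo "bundled $n certificate(s) into ca.bundle" >&2
  secret_manifest ca.bundle
fi
```

Only certificates belong in the bundle: the function rejects a file without a CERTIFICATE block on purpose, so a private key or license file pasted in by mistake never ends up mounted on every delegate pod.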

Harness Cloud workflow

If your stage runs on Harness Cloud build infrastructure, there is no delegate StatefulSet to edit; use the following workflow instead.

  1. For each artifact that contains sensitive information, such as an SSL certificate, create a Harness secret.

  2. Go to the pipeline where you want to add the artifact.

  3. In the stage that will use the artifact, go to Overview > Shared Paths and create a folder under /shared such as /shared/customer_artifacts.

  4. Add a Run step to the stage that adds the artifacts to the shared folder. This step needs to run before the scanner step that uses the artifact.

Important Notes
  • You must include all required files in /shared/customer_artifacts/. You can include any number of certificates or other files in this folder.

  • If your scanners use SSL certificates such as PEM files, save each certificate to /shared/customer_artifacts/<certificate_name>.

  • If the scanner requires a license file, save the file to /shared/customer_artifacts/<license_file_name>.

  • If you're running a ZAP scan that uses supporting files (authentication scripts, context files, URL files, or hosts files), create the following shared folders and make sure that your Run step copies the required files into them.

    • /shared/customer_artifacts/authScript/<artifact_file_name>
    • /shared/customer_artifacts/context/<artifact_file_name>
    • /shared/customer_artifacts/urlFile/<artifact_file_name>
    • /shared/customer_artifacts/hosts/<artifact_file_name>
  • The following example workflow uses a PEM file stored as a Harness file secret. You can also use third-party managers such as HashiCorp Vault, Azure Key Vault, and AWS Secrets Manager. See Harness Secrets Manager Overview.

Example workflow

This example shows how to include a PEM file in a pipeline that runs a scan using a Security step. This workflow assumes that you have a valid PEM stored as a Harness File Secret.

  1. In your Harness pipeline, go to the Overview tab of the Security stage. Under Shared Paths, enter the following shared path:

    /shared/customer_artifacts/certificates

    This is the default certificate location for Harness pipelines. You can copy any number of certificates to this folder.

  2. Add a Run step that copies your PEM file to the certificates folder. Here's some example code that does this:

    set -e
    # NEWCERT is a step environment variable bound to the Harness file secret that holds the PEM
    touch /shared/customer_artifacts/certificates/certificate
    printf "%s" "$NEWCERT" > /shared/customer_artifacts/certificates/certificate
  3. Set up the remaining downstream steps in your pipeline. When the pipeline runs a SonarQube scan that requires a PEM, it looks in /shared/customer_artifacts/certificates and proceeds if it finds a valid certificate.
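The Run step in the example above writes a single PEM and trusts that it is well-formed. The script below is an added example, not code from the Harness documentation, that covers the full set of artifacts listed under Important Notes: it stages a certificate, an optional license file and optional ZAP context files under /shared/customer_artifacts, creates the sub-folders if they are missing, writes each file readable by the current user only, and checks that the certificate is either PEM with balanced BEGIN/END markers or DER (an ASN.1 SEQUENCE, so its first byte is 0x30) before the scanner step depends on it. The environment variable names (CERT_PEM, SCANNER_LICENSE, ZAP_CONTEXT, ZAP_AUTH_SCRIPT) and the file names are assumptions; in a pipeline you bind them to secrets with the usual expression, for example CERT_PEM=<+secrets.getValue("scanner_ca_pem")>.

```shell
#!/bin/sh
# Added example (not from the Harness docs): Run step that stages scanner artifacts
# under /shared/customer_artifacts. All variable names below are assumptions.
# ARTIFACT_ROOT defaults to the STO shared path; override it to run the script locally.
ARTIFACT_ROOT="${ARTIFACT_ROOT:-/shared/customer_artifacts}"

# write_artifact <subdir> <name> <content>
# Writes <content> to $ARTIFACT_ROOT/<subdir>/<name> (subdir may be empty), creating the
# folder if needed; umask 077 keeps the file readable by this user only. Prints the path.
write_artifact() {
  subdir="$1"; name="$2"; content="$3"
  dir="$ARTIFACT_ROOT${subdir:+/$subdir}"
  mkdir -p "$dir" || return 1
  ( umask 077; printf '%s\n' "$content" > "$dir/$name" ) || return 1
  printf '%s\n' "$dir/$name"
}

# write_artifact_b64 <subdir> <name> <base64>
# Same, for binary artifacts such as DER certificates stored base64-encoded in a secret.
write_artifact_b64() {
  subdir="$1"; name="$2"; b64="$3"
  dir="$ARTIFACT_ROOT${subdir:+/$subdir}"
  mkdir -p "$dir" || return 1
  ( umask 077; printf '%s' "$b64" | base64 -d > "$dir/$name" ) || return 1
  printf '%s\n' "$dir/$name"
}

# check_cert <file>
# Succeeds if <file> looks like a certificate STO can load: PEM with as many END
# markers as BEGIN markers, or DER (first byte 0x30, the SEQUENCE tag).
check_cert() {
  f="$1"
  [ -s "$f" ] || return 1
  if grep -q -- '-----BEGIN ' "$f"; then
    [ "$(grep -c -- '-----BEGIN ' "$f")" -eq "$(grep -c -- '-----END ' "$f")" ]
  else
    [ "$(od -An -tx1 -N1 "$f" | tr -d ' ')" = "30" ]
  fi
}

# Stage only what this step was given. The scanner step must run after this one.
if [ -n "${CERT_PEM:-}" ]; then
  cert=$(write_artifact certificates certificate "$CERT_PEM") || exit 1
  check_cert "$cert" || { echo "CERT_PEM is not valid PEM or DER" >&2; exit 1; }
fi
if [ -n "${SCANNER_LICENSE:-}" ]; then
  write_artifact "" license.lic "$SCANNER_LICENSE" >/dev/null || exit 1
fi
# ZAP supporting files go into the fixed sub-folders the scanner step reads from.
if [ -n "${ZAP_CONTEXT:-}" ]; then
  write_artifact context zap.context "$ZAP_CONTEXT" >/dev/null || exit 1
fi
if [ -n "${ZAP_AUTH_SCRIPT:-}" ]; then
  write_artifact authScript auth.js "$ZAP_AUTH_SCRIPT" >/dev/null || exit 1
fi
```

Failing the Run step on a malformed certificate is deliberate: a truncated PEM copied from a secret would otherwise surface later as an opaque TLS error inside the scanner, after the stage has already spent time pulling images and code.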