Security Step Settings Reference
This topic includes the Security step settings for each of the scanner providers supported by Harness.
Scanner categories
The following list shows the scan types that STO supports:
- SAST (Static Application Security Testing) scans a code repository and identifies known vulnerabilities in open-source and proprietary code.
- SCA (Software Composition Analysis) scans a code repository and identifies known vulnerabilities in open-source libraries and packages used by the code.
- DAST (Dynamic Application Security Testing) scans a running application for vulnerabilties by simulating a malicious external actor exploiting known vulnerabilties.
- Container Scanning identifies vulnerabilities in container images.
Data ingestion methods
Harness Security Testing Orchestration integrates with multiple scanners and targets. Different types of scan approaches can be done on each scanner-target combination:
- Orchestrated (
orchestratedScan
) Scans are fully orchestrated. A Security step in the Harness pipeline orchestrates a scan and then normalizes and compresses the results. - Extraction (
dataLoad
) Scans are partially orchestrated. The Security step pulls scan results from an external SaaS service and then normalizes and compresses the data. - Ingestion (
ingestionOnly
) Scans are not orchestrated. The Security step ingests results from a previous scan (for a scan run in a previous step), and then normalizes and compresses the results.
The scanner, targets, and scan approach combinations are covered in the next section.
Harness STO scanner support
If you use a scanner that isn't listed in the following table, you can still ingest your scan results into STO. For a full description of the workflow, go to Ingest Results from Custom or Unsupported Scanners.
Scan Mode | Open Source | Commercial |
---|---|---|
SAST |
|
|
SCA |
|
|
DAST |
| |
Containers |
|
|
Scanner binaries used in STO container images
Harness maintains and updates a container image for every scanner supported by STO. The following table lists the binaries and versions used for the most popular scanners.
Scanner | Binary | Current version |
---|---|---|
Aqua Trivy | trivy image | Latest stable build |
Bandit | bandit | 1.7.4 |
Black Duck Hub | synopsys detect | 8.9.0 |
Brakeman | brakeman | 4.4.0 |
Checkmarx | runCxConsole.sh | 1.1.26 |
Grype | grype | Latest stable build |
Nikto | Nikto | 2.1.6 |
Nmap | nmap | 7.92 |
Prowler | prowler | Latest stable build |
SonarQube | sonar-scanner | 4.7.0.2747 |
Twistlock | twistcli | 30.01.152 |
Whitesource | java -jar /opt/whitesource/wss-unified-agent.jar | 23.5.2.1 |
Docker-in-Docker requirements
Docker-in-Docker is not required for ingestion workflows where the scan data has already been generated.
You need to include a Docker-in-Docker background service in your stage if either of these conditions apply:
- You configured your scanner using a generic Security step rather than a scanner-specific template such as Aqua Trivy, Bandit, Mend, Snyk, etc.
- You’re scanning a container image using an Orchestration or Extraction workflow.
Set up a Docker-in-Docker background step
Go to the stage where you want to run the scan.
In Overview, add the shared path
/var/run
.In Execution, do the following:
- Click Add Step and then choose Background.
- Configure the Background step as follows:
- Dependency Name =
dind
- Container Registry = The Docker connector to download the DinD image. If you don't have one defined, go to Docker connector settings reference.
- Image =
docker:dind
- Under Optional Configuration, select the Privileged checkbox.
- Dependency Name =
Root access requirements
You need to run the scan step with root access if either of the following apply:
You need to run a Docker-in-Docker background service. This is required in the following scenarios only:
You're using a generic Security step to run an Orchestrated or Extraction scan, rather than a scanner-specific step such as Aqua Trivy, Bandit, etc. (not required for Ingestion scans).
You're scanning a container image using an Orchestrated or Extraction scan (not required for Ingestion scans).
You need to add trusted certificates to your scan images at runtime.
You can set up your STO scan images and pipelines to run scans as non-root and establish trust for your own proxies using self-signed certificates. For more information, go to Configure STO to Download Images from a Private Registry.
Security steps and scanner templates
The Step library includes a Security step for setting up scanners: open the step and configure the scan as a set of key/value pairs under Settings.
Some scanners also have scanner templates with UIs that simplify the process of setting up a scanner.