Run an Orchestrated Scan in an STO Pipeline
An orchestrated scan is a fully automated workflow that scans an object and ingests the results into Harness in a single Security step. Orchestrated scans are the easiest scans to set up and are a good way to get started with STO.
STO supports orchestrated scans for popular open-source scanners such as Aqua Trivy and Bandit, as well as commercial scanners such as SonarQube.
In the following example workflow, you clone the base pipeline created in Set up Harness for STO and configure it to scan a Docker image with Aqua Trivy.
- In the Pipeline Studio, go to the project where you created your base pipeline. Click the top-right menu, choose Clone, and save the new pipeline as Trivy Image Scan Orchestrated.
- In your new pipeline, go to securityTestStage and open the banditScan step.
- Rename the step to ScanContainerImage. The settings below replace the Bandit settings the step was cloned with.
Scan settings
Orchestrated scan settings generally fall into two categories: information about the scan operation, and information about the object to scan.
Specify the following:
- The scanner to use: product_name = aqua-trivy
- The scanner configuration to use: product_config_name = aqua-trivy
- The scan mode (how the scan is run and ingested): policy_type = orchestratedScan
Scanned object settings
Now specify the object to scan. In this example you scan a public image on Docker Hub. (The settings below use the official ubuntu image; an image built from the DVPWA GitHub project is configured the same way, with its own container_project and container_tag.) Specify the following:
- The object type to scan: scan_type = container
- The type of container to scan, in this case a Docker v2 image: container_type = docker_v2
- The registry domain that hosts the image: container_domain = docker.io
- The image repository to pull (the container_project setting). This is the repository part of the image reference you would pass to docker pull. In this example you scan the latest ubuntu image, which you would pull with docker pull ubuntu:latest, so specify: container_project = ubuntu
- The image tag. In this case, enter: container_tag = latest
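The completed Security step, expressed as the pipeline YAML that the Pipeline Studio generates when you enter these settings in the UI. This is an added example, not code from the original page or from Harness: the pipeline and stage identifiers, the project and org identifiers, the `privileged: true` flag, and the omission of the stage's infrastructure and Docker-in-Docker service-dependency sections are assumptions about the base pipeline you cloned.

```yaml
# Added example: Security step for an orchestrated Aqua Trivy image scan.
# Identifiers and the org/project names are placeholders (assumptions);
# the stage's infrastructure and dind service dependency, which come from
# the cloned base pipeline, are omitted here.
pipeline:
  name: Trivy Image Scan Orchestrated
  identifier: Trivy_Image_Scan_Orchestrated
  projectIdentifier: my_project   # assumption
  orgIdentifier: default          # assumption
  stages:
    - stage:
        name: securityTestStage
        identifier: securityTestStage
        type: SecurityTests
        spec:
          cloneCodebase: false     # scanning an image, not a repo
          execution:
            steps:
              - step:
                  type: Security
                  name: ScanContainerImage
                  identifier: ScanContainerImage
                  spec:
                    privileged: true   # assumption: needed for the in-step container pull
                    settings:
                      # scan operation
                      policy_type: orchestratedScan
                      product_name: aqua-trivy
                      product_config_name: aqua-trivy
                      # object to scan: docker.io/ubuntu:latest
                      scan_type: container
                      container_type: docker_v2
                      container_domain: docker.io
                      container_project: ubuntu
                      container_tag: latest
```

Compare the `settings` map against what the Pipeline Studio shows for your step: every key in it is one of the settings listed above, and a scan that fails to start is usually a typo in one of these keys or values rather than a problem with the scanner itself.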
Save the pipeline and run the scan
Now that you've set up the Security step with the previous settings, you can save and run the pipeline. When the pipeline finishes, click Security Tests to view the results. Note that latest is a mutable tag: two runs of this pipeline can scan different images if the tag has been moved between them. For results you can reproduce and compare over time, scan an immutable tag of the image you actually deploy.