Skip to main content

What's supported in Harness STO

This topic lists the supported STO features and integrations to scan your code repositories, container images, and other targets for security vulnerabilities. Harness STO is supported on the following platforms:

Harness SaaS

Scanner categories

The following list shows the scan types that STO supports:

  • SAST (Static Application Security Testing) scans a code repository and identifies known vulnerabilities in open-source and proprietary code.
  • SCA (Software Composition Analysis) scans a code repository and identifies known vulnerabilities in open-source libraries and packages used by the code.
  • DAST (Dynamic Application Security Testing) scans a running application for vulnerabilties by simulating a malicious external actor exploiting known vulnerabilties.
  • Container Scanning identifies vulnerabilities in container images.
Harness STO scanner support

If you use a scanner that isn't listed in the following table, you can still ingest your scan results into STO. For a full description of the workflow, go to Ingest Results from Custom or Unsupported Scanners.

Scan ModeOpen SourceCommercial
SAST
SCA
DAST
Containers
Scanner binaries used in STO container images

Harness maintains and updates a container image for every scanner supported by STO. The following table lists the binaries and versions used for the most popular scanners.

ScannerBinaryCurrent version
Aqua Trivytrivy imageLatest stable build
Banditbandit1.7.4
Black Duck Hubsynopsys detect8.9.0
Brakemanbrakeman4.4.0
CheckmarxrunCxConsole.sh1.1.26
GrypegrypeLatest stable build
NiktoNikto2.1.6
Nmapnmap7.92
ProwlerprowlerLatest stable build
SonarQubesonar-scanner4.7.0.2747
Twistlocktwistcli30.01.152
Whitesourcejava -jar /opt/whitesource/wss-unified-agent.jar23.5.2.1

Harness Self-Managed Enterprise Edition (SMP)

All STO features supported in Harness SaaS are also supported in Self-Managed Enterprise Edition with the following exceptions:

  • Custom dashboards
  • Harness AI Development Assistant (AIDA) for STO
  • You cannot run SaaS-based scans if there is no connectivity between Harness and the external SaaS environment.

Harness SMP in offline environments

If you're running Harness Self-Managed Enterprise Edition in an offline environment, note the following:

  • SaaS-based scanners require connectivity between Harness and the external SaaS environment. This means that you cannot run SaaS-based scans in offline environments.

  • All STO scanners are supported in both Harness SaaS and Self-Managed Enterprise Edition. Harness regularly updates the container images it uses to run STO scans. If you're running STO in an offline environment, Harness recommends that you download your STO images regularly to ensure that your scanners are up-to-date. For more information, go to Configure STO to Download Images from a Private Registry.