
Harness security FAQs

This article addresses some frequently asked questions about the security features in Harness.


General

For an overview of Harness' support for platforms, methodologies, and related technologies, see Supported platforms and technologies.

What security features does Harness provide?

Harness provides the following security features:

Are delegate communications secure?

Yes. All network connections from the delegate on your local network or VPC to Harness SaaS are HTTPS outbound-only.

See Delegates overview.

What data does the delegate send to Harness Manager?

The delegate and Harness Manager (SaaS) establish a Secure WebSocket channel (WebSocket over TLS) to send new delegate task event notifications (not the tasks themselves) and to exchange connection heartbeats. If the WebSocket connection drops, the delegate falls back to outbound-only, polling-based task fetching. The data sent over this channel includes:

  • Heartbeat - The delegate sends a heartbeat to let Harness Manager know that it is running.
  • Deployment data - The information from the API executions the delegate performs is sent to Harness Manager for display on the Deployments page.
  • Time series and log data for Continuous Verification - The delegate connects to the verification providers you have configured and sends their data to Harness Manager for display in Harness Continuous Verification.

See Delegates overview.

Harness role-based access control (RBAC)


How does Harness implement RBAC?

Harness provides role-based access control (RBAC) that enables you to control user and group access to Harness resources according to their role assignment.

Harness RBAC separates authentication, configured in a user's User settings, from authorization, which is granted through User group membership and Role assignment.

See Access management (RBAC).

How are users added?

When you add Harness users manually, they are added using email addresses. When a user is added, they receive an email invite to the Harness account.

Can users be added dynamically?

Yes. You can leverage your existing identity infrastructure by adding users through OAuth 2.0, LDAP, SAML, or SCIM.


Are there best practices for setting up Harness users?

Yes. For the most common application release scenario, create separate Harness user groups for app developers, DevOps engineers, and release approvers, and assign each group only the roles its members need.

Harness Authentication


How are Harness users authenticated?

The default method is email address and password.

You can use several other methods:

How is SAML SSO supported?

See SAML SSO with Harness overview.

Can I adjust password policies?

Yes. You can adjust:

Do you support Single Sign-On (SSO)?

Yes. You can enable Harness logins via a range of single sign-on mechanisms. Turn on the Allow login via public OAuth providers setting to reveal the toggles for enabling individual OAuth providers.


Do you support Two-Factor Authentication (2FA)?

Yes. Two-Factor Authentication (2FA) can be managed in two ways:

  • Individual user: You can set up 2FA for your own User Profile without impacting other user accounts.
  • All account users: If you have Manage Account permissions, you can enforce 2FA for all users in Harness. First, you set up 2FA for your own account, and then you can enforce 2FA account-wide in the Harness account's Login Settings.

See Two-factor authentication.

Secrets Management


How are secrets managed in Harness?

See Harness secrets management overview.

Google Cloud Key Management Service is the default Secrets Manager in Harness.

You can use your own secrets manager with Harness. Harness integrates with the common secret managers:

This diagram shows how Harness handles secrets:

What kind of secrets are supported?

Harness supports:

Where can I use a secret?

You use secrets in many places in Harness.

You use secrets as credentials for Harness connections to third-party integrations, such as cloud platforms, Git repos, and artifact servers.

You use secrets in Harness connections to target infrastructure, such as SSH keys, and also when passing credentials as part of infrastructure provisioning.

How do I create a secret?

In Harness Secrets Management, you pick a type of secret, and then enter the secret or upload a file.


How do I use a secret?

In most cases, you select the encrypted text or file secret you created as part of the credentials or value for a setting.

You can also reference a secret using an expression.

You reference a text secret in a script using the expression <+secrets.getValue("your_secret")>.

For an Encrypted File secret at the Project scope, you reference the secret in a Resource using the expression <+secrets.getValue("file-secret")>.

You reference a secret at the Org scope using the expression <+secrets.getValue("org.file-secret")>.

If your secret is scoped at the Account level, you refer to it using the expression <+secrets.getValue("account.platformSecret")>.

An identifier without a prefix resolves in the scope where the Pipeline runs; the org. and account. prefixes select the higher scope explicitly.


Are my secrets exposed in logs?

No. Text secrets are not exposed. Harness sanitizes logs and secrets are masked.

note

File secrets are not masked in Harness logs. Although file secrets can be stored in different encodings, their contents are not masked from users, so treat any step that prints a file secret's contents as disclosing them to everyone who can read the execution log.
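The scope rules and the masking caveat above, as an added example that is not Harness code: a small Python model of how a secret expression is resolved by its scope prefix and how text-secret values are masked in a step log while file-secret contents pass through unmasked. The store contents, the mask string and the masking logic are assumptions made for this illustration; Harness's actual resolver and log sanitizer are not shown here.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Secret:
    value: str
    is_file: bool  # True for an Encrypted File secret, False for an Encrypted Text secret


# Constructed sample store keyed by (scope, identifier). The identifiers mirror the
# ones used in the expressions in this FAQ; the values are made up for this example.
SECRET_STORE: dict[tuple[str, str], Secret] = {
    ("project", "your_secret"): Secret("proj-api-token-123", is_file=False),
    ("project", "file-secret"): Secret("server: https://k8s.example.internal\n", is_file=True),
    ("org", "file-secret"): Secret("-----BEGIN KEY-----\nMIIB...\n-----END KEY-----\n", is_file=True),
    ("account", "platformSecret"): Secret("acct-shared-password", is_file=False),
}

# <+secrets.getValue("...")> with an optional org. or account. scope prefix.
EXPR = re.compile(r'<\+secrets\.getValue\("(?:(account|org)\.)?([A-Za-z0-9_-]+)"\)>')

MASK = "**************"  # assumed placeholder; the real mask string is not specified here


def resolve(expr: str, current_scope: str = "project") -> Secret:
    """Resolve one secret expression.

    A bare identifier resolves in the scope the pipeline runs in (current_scope);
    an "org." or "account." prefix selects that higher scope explicitly.
    """
    m = EXPR.fullmatch(expr)
    if not m:
        raise ValueError(f"not a secret expression: {expr!r}")
    scope = m.group(1) or current_scope
    key = (scope, m.group(2))
    if key not in SECRET_STORE:
        raise KeyError(f"no secret {m.group(2)!r} at scope {scope!r}")
    return SECRET_STORE[key]


def render(script: str, current_scope: str = "project") -> tuple[str, list[str]]:
    """Substitute every secret expression in a script.

    Returns the rendered script and the list of text-secret values that must be
    masked if the script echoes them. File-secret contents are not added to that
    list, which is the behaviour the note above warns about.
    """
    to_mask: list[str] = []

    def _sub(m: re.Match) -> str:
        s = resolve(m.group(0), current_scope)
        if not s.is_file:
            to_mask.append(s.value)
        return s.value

    return EXPR.sub(_sub, script), to_mask


def sanitize_log(line: str, text_values: list[str]) -> str:
    """Mask known text-secret values in one log line, longest value first so a
    shorter secret that is a substring of a longer one cannot leave a partial leak."""
    for v in sorted(text_values, key=len, reverse=True):
        if v:
            line = line.replace(v, MASK)
    return line


if __name__ == "__main__":
    script = (
        'TOKEN=<+secrets.getValue("your_secret")>\n'
        'PASS=<+secrets.getValue("account.platformSecret")>\n'
        'cat > kube.cfg <<EOF\n<+secrets.getValue("file-secret")>EOF\n'
    )
    rendered, masked = render(script)
    # Simulate the step echoing its rendered script into the execution log:
    # the TOKEN and PASS lines come out masked, the kubeconfig contents do not.
    for line in rendered.splitlines():
        print(sanitize_log(line, masked))
```

Running the script shows the point of the note: the two text secrets are replaced by the mask, while the file secret's kubeconfig line is printed verbatim. Avoid echoing file secrets in scripts, or write them to disk with restrictive permissions and never cat them.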

Auditing


Can I view all my setup events and changes in Harness?

Yes. Harness provides auditing of events for Harness resources within your account. The Audit Trail enables you to track and review all events in one place.

See Audit trail.

What can I see on the audit trail?

For each event, you can see details such as:

  • Date and time (Time).
  • The user who made the change (User).
  • Action performed by the user (create, update, delete, and so on).
  • Harness entity affected (Resource).
  • Organization corresponding to the affected entity.
  • Project corresponding to the affected entity.
  • Module corresponding to the affected entity.

Can I set a date range for an audit?

Yes. You can restrict the Audit Trail's displayed events by date and time, or define detailed filters by these and other criteria.

Can I filter audit events?

Yes, extensively. You can set multiple conditions on the events displayed.

You can save your filters too.

Governance


Does Harness provide governance features?

Yes. The Harness Pipeline Governance feature enables you to measure how conformant your Pipelines are with your regulatory and operational standards.

See Pipeline governance.

How do I set up governance?

Harness provides governance using Open Policy Agent (OPA), Policy Management, and Rego policies. You can use Harness Governance to ensure that Harness entities like Pipelines meet specific compliance requirements when specific events happen (On Save, On Run, etc.).

The Harness OPA server is an OPA server managed by Harness.

In Harness, you add Rego policies to a Policy Set and select the Harness entities for evaluation (e.g. Pipelines). At that point, policies are configured on the Harness OPA Server via a Kubernetes ConfigMap.

When certain events happen (e.g. saving or running a Pipeline), Harness reaches out to the Harness OPA server to evaluate the action using the Policy Set.
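Harness expresses policies in Rego and evaluates them on its managed OPA server. The following is an added Python stand-in, not Harness code and not Rego, that models the moving parts described above: a Policy Set bound to an entity type and to events, policies with a severity, and deny messages collected when the set is evaluated On Save or On Run. The simplified pipeline shape, the two policy names and their severities, and the two sample pipelines are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Simplified, constructed pipeline documents (a name plus ordered stages). This is
# not the Harness pipeline schema; it is just enough structure for the checks below.
Pipeline = dict


@dataclass
class Policy:
    name: str
    severity: str                               # "error" blocks the event, "warning" only reports
    check: Callable[[Pipeline], list[str]]      # returns deny messages, empty when compliant


@dataclass
class PolicySet:
    name: str
    entity: str                                 # entity type it applies to, e.g. "pipeline"
    events: set[str]                            # events that trigger it, e.g. {"onSave", "onRun"}
    policies: list[Policy] = field(default_factory=list)


def approval_before_prod_deploy(p: Pipeline) -> list[str]:
    """A Deployment stage targeting a prod* environment must come after an Approval stage."""
    denies, approved = [], False
    for st in p.get("stages", []):
        if st["type"] == "Approval":
            approved = True
        elif st["type"] == "Deployment" and st.get("environment", "").startswith("prod") and not approved:
            denies.append(f"stage {st['name']!r} deploys to {st['environment']!r} without a prior Approval stage")
    return denies


def no_plaintext_credentials(p: Pipeline) -> list[str]:
    """Step env values named *PASSWORD/*TOKEN must be secret expressions, not literals."""
    denies = []
    for st in p.get("stages", []):
        for step in st.get("steps", []):
            for k, v in step.get("env", {}).items():
                if k.upper().endswith(("PASSWORD", "TOKEN")) and not v.startswith("<+secrets.getValue("):
                    denies.append(f"step {step['name']!r} sets {k} to a literal; use <+secrets.getValue(...)>")
    return denies


def evaluate(ps: PolicySet, event: str, entity: str, doc: Pipeline) -> tuple[bool, list[str]]:
    """Run a policy set for one event. Returns (blocked, messages)."""
    if event not in ps.events or entity != ps.entity:
        return False, []
    blocked, msgs = False, []
    for pol in ps.policies:
        for d in pol.check(doc):
            msgs.append(f"[{pol.severity}] {pol.name}: {d}")
            blocked = blocked or pol.severity == "error"
    return blocked, msgs


PROD_GATE = PolicySet(
    name="prod-deploy-gate", entity="pipeline", events={"onSave", "onRun"},
    policies=[
        Policy("approval-before-prod-deploy", "error", approval_before_prod_deploy),
        Policy("no-plaintext-credentials", "warning", no_plaintext_credentials),
    ],
)

# Constructed inputs: one pipeline that violates both policies, one that is compliant.
NONCOMPLIANT: Pipeline = {"name": "deploy-api", "stages": [
    {"name": "build", "type": "CI", "steps": [{"name": "push", "env": {"REGISTRY_TOKEN": "hunter2"}}]},
    {"name": "deploy-prod", "type": "Deployment", "environment": "prod-eu", "steps": []},
]}
COMPLIANT: Pipeline = {"name": "deploy-api", "stages": [
    {"name": "build", "type": "CI", "steps": [{"name": "push", "env": {"REGISTRY_TOKEN": '<+secrets.getValue("registry_token")>'}}]},
    {"name": "gate", "type": "Approval", "steps": []},
    {"name": "deploy-prod", "type": "Deployment", "environment": "prod-eu", "steps": []},
]}

if __name__ == "__main__":
    for doc in (NONCOMPLIANT, COMPLIANT):
        blocked, msgs = evaluate(PROD_GATE, "onSave", "pipeline", doc)
        print(doc["name"], "blocked" if blocked else "allowed", msgs)
```

The same two rules, written in Rego and added to a Policy Set on the Harness OPA server, would be evaluated against the Pipeline document at the selected events; the error/warning split here mirrors the idea that some policy failures should block the save or run while others only surface in the evaluation result.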

API keys


Can I register Harness with third-party apps?

Yes, by using Harness API keys.

To integrate Harness with some third-party apps, you need to register Harness with the app and then supply a Harness API key.

An API key is a secret token string that an application presents to authenticate to the Harness API without an interactive login. Treat it like a password: store it in a secrets manager rather than in source code, grant it only the permissions the integration needs, and rotate it if it is exposed.

See API keys.