Fix security vulnerabilities using AIDA
Currently, AIDA for STO is a beta feature that is behind the feature flag STO_AI_ENHANCED_REMEDIATIONS. Contact Harness Support to enable the feature.
Harness AI Development Assistant (AIDA) uses state-of-the-art AI technology to streamline the process of triaging and fixing security vulnerabilities. For every vulnerability detected by STO, Harness AIDA explains the issue precisely and provides detailed advice — including code changes and package upgrades — on how to fix it. Harness AIDA is based on large, well-trained language models. It learns continuously based on feedback and the latest public knowledge. Optionally, you can regenerate advice with additional context and thereby optimize your results.
Harness AIDA reduces developer toil by streamlining and simplifying the process of fixing vulnerabilities. It enables developers and security personnel to manage security-issue backlogs and address critical issues promptly. Harness AIDA can dramatically reduce your TTR, speed up your software development lifecycle, and improve the security posture of your applications and services.
Important notes
Before you can use Harness AIDA, you must read the AIDA Data Privacy Overview and sign an End-user license agreement with Harness.
Currently, this feature is behind the feature flag STO_AI_ENHANCED_REMEDIATIONS. Contact Harness Support to enable the feature.
Before you implement an AI-generated suggestion, consider carefully the reliability and extent of the publicly known information about that issue. The accuracy, reliability, and completeness of a suggestion depend on the publicly known information about the detected issue. An AI-generated suggestion is not guaranteed to remediate the issue and could possibly introduce other issues.
You should also consider the suggestion's applicability to your specific target and use case. An issue might have no known remediation, especially if it was recently discovered. An issue might have multiple suggested remediations that are contradictory or applicable only to specific use cases.
A specific remediation might involve installing components with usage and license requirements. Check any requirements in advance.
The workflow description below shows how you can refine a suggestion by providing more information, such as additional context or code snippets, to Harness AIDA.
Workflow description
When you go to Security Tests and then select an issue, an initial AI-enhanced remediation appears in Issue Details.
This suggested remediation is based on public information about the CVE or CWE and the first detected occurrence (Occurrence 1) in the target. If the scanner captures the code snippet where the vulnerability is occurring, the query to Harness AIDA includes this snippet as well.
If you want to optimize the advice with additional information or context, do the following:
Select Edit Input.
Specify the occurrence, reference ID, and language (if you've scanned a codebase).
Harness AIDA can often auto-detect the language of a code snippet, but it's good practice to confirm that the language setting is correct.
Add any additional context in the text pane. For example, you might want to include relevant code immediately before the snippet where the vulnerability was identified, in addition to the snippet itself. Then select Generate.
To generate remediations for another occurrence, do the following:
In Issue Details, scroll down to the occurrence of interest and then select Unsure how to remediate? Ask AI. (You might need to wait a few seconds for the remediation to appear.)
To further refine the suggested remediation with an additional code snippet, select Edit Snippet and then re-generate.