What's supported in Harness STO

This topic lists the supported STO features and integrations to scan your code repositories, container images, and other targets for security vulnerabilities.

Scanner categories

The following list shows the scan types that STO supports:

SAST (Static Application Security Testing) scans a code repository and identifies known vulnerabilities in the proprietary code.
SCA (Software Composition Analysis) scans a code repository and identifies known vulnerabilities in open-source libraries and packages used by the code.
DAST (Dynamic Application Security Testing) scans a running application for vulnerabilties by simulating a malicious external actor exploiting known vulnerabilties.
Container Scanning identifies known vulnerabilities in a Docker container.

Data ingestion methods

Harness Security Testing Orchestration integrates with multiple scanners and targets. Different types of scan approaches can be done on each scanner-target combination:

Orchestrated (orchestratedScan) Scans are fully orchestrated. A Security step in the Harness pipeline orchestrates a scan and then normalizes and compresses the results.
Extraction (dataLoad) Scans are partially orchestrated. The Security step pulls scan results from an external SaaS service and then normalizes and compresses the data.
Ingestion (ingestionOnly) Scans are not orchestrated. The Security step ingests results from a previous scan (for a scan run in a previous step), and then normalizes and compresses the results.

The scanner, targets, and scan approach combinations are covered in the next section.

Harness STO scanner support

Scan Mode	Open Source	Commercial
SAST	Anchore Grype (filesystem scans) Orchestration, Ingestion Bandit Orchestration, Ingestion Brakeman Orchestration, Ingestion Qwiet AI (formerly ShiftLeft) Orchestration, Extraction, Ingestion Semgrep Code(open-source option) Ingestion SonarQube/SonarCloud (free option) Orchestration, Extraction, Ingestion	Checkmarx — The following workflows are supported: Ingestion workflows for all Checkmarx One services (including SAST and SCA) that can publish scan results in SARIF format Orchestration, Extraction, and Ingestion workflows for Checkmarx SAST and Checkmarx SCA scans Fortify on Demand Ingestion Fortify Static Code Analyzer Ingestion Mend (formerly WhiteSource) Orchestration, Ingestion Reapsaw Ingestion Snyk Code Ingestion SonarQube/SonarCloud Orchestration, Extraction, Ingestion Veracode Extraction, Ingestion
SCA	OWASP Dependency Check Orchestration, Ingestion	Black Duck Hub Orchestration, Ingestion Checkmarx Orchestration, Extraction, Ingestion Fortify on Demand Ingestion JFrog Xray Ingestion Snyk Open Source Orchestration, Ingestion Veracode SCA Orchestration, Extraction, Ingestion
DAST	Nikto Orchestration, Ingestion OpenVAS Orchestration, Ingestion OWASP ZAP Orchestration, Ingestion	Burp Enterprise Ingestion Fortify on Demand Ingestion Metasploit Pro Orchestration, Ingestion Nexus IQ Orchestration, Ingestion Nmap ("Network Mapper") Orchestration, Ingestion Prowler Orchestration, Ingestion Qualys Web Application Scanning (WAS) Ingestion Tenable.io Nessus vulnerability scan Orchestration, Extraction, Ingestion Tenable.io Nessus web app scan Orchestration, Extraction, Ingestion
Containers	Anchore Grype Orchestration, Ingestion Aqua Trivy Orchestration, Ingestion Clair Orchestration, Ingestion	Amazon Image Scanning Extraction Black Duck Hub Orchestration, Ingestion Data Theorem Orchestration, Ingestion Docker Content Trust (DCT) Orchestration, Ingestion Prisma Cloud (formerly Twistlock) Orchestration, Extraction, Ingestion Snyk Container Orchestration, Ingestion Tenable.io Orchestration, Extraction, Ingestion

STO support by CI build infrastructure type

STO uses CI build infrastructures to orchestrate scans and ingest issues. The following table shows STO support for each infrastructure type.

Operating System	Architecture	Harness Cloud	Docker	VMs	Kubernetes
Linux	amd64	✅	✅	✅	✅
Linux	arm64	✅	✅	✅	✅
Windows	amd64	Roadmap	❌	Roadmap	❌
MacOS	amd64	Roadmap	Roadmap	Roadmap	❌
MacOS	arm64	❌	❌	❌	❌

Scanner binaries used in STO container images

Harness maintains and updates a container image for every scanner supported by STO. The following table lists the binaries and versions used for the most popular scanners.

Scanner	Binary	Current version
Aqua Trivy	`trivy image`	Latest stable build
Bandit	`bandit`	1.7.4
Black Duck Hub	`synopsys detect`	8.9.0
Brakeman	`brakeman`	4.4.0
Checkmarx	`runCxConsole.sh`	1.1.26
Grype	`grype`	Latest stable build
Nikto	`Nikto`	2.1.6
Nmap	`nmap`	7.92
Prowler	`prowler`	Latest stable build
SonarQube	`sonar-scanner`	4.7.0.2747
Twistlock	`twistcli`	30.01.152
Whitesource	`java -jar /opt/whitesource/wss-unified-agent.jar`	23.5.2.1