April 5, 2024

Making Shift-left Security Even Easier: Built-in Scanners and Automatic Configuration with Harness STO

Even with our integrated platform approach to shift-left security through the Harness STO (Security Testing Orchestration) module, we still found a few new ways to enhance the simplicity of configuring and orchestrating security scanners throughout development pipelines.

When we first dove into shift-left security, we quickly learned that when it comes to security scanners across all five major classes (SAST, DAST, SCA, Container, and Secrets detection), users tend to have strong preferences for specific scanners and therefore value freedom of choice. This is why Harness built integrations with over 40 of the top commercially available scanners. But what about customers who are just getting started with figuring out their shift-left security approach and aren’t yet ready to integrate commercial scanners with Harness STO?

For those users still figuring out the initial stages of their shift-left security strategy, we’ve created an easy on-ramp to running application security testing through a set of fully built-in open-source scanners available in the Harness Platform’s step library, shown below:

Built-in open source scanners in Harness Step Library

Supported Built-in Open Source Scanners

  • SCA: OWASP & Google OSV
  • Secret Detection: Gitleaks
  • Container: Aqua Trivy & Anchore Grype
  • DAST: ZAP
  • SAST: Semgrep (coming soon)

Any of these five open-source scanners can be added to your pipelines quickly and with minimal configuration. The scanners used in these steps are free to STO users and are ready to run as soon as you add them to your pipeline. Working with these built-in scanners is a great way to jumpstart your DevSecOps practices without developer toil.

We’ve also made scanner configuration more efficient, which pays off in situations where multiple scans are being added as parallel pipeline steps. Rather than manually entering values for targets and variants for security test steps with configurable UIs, such as Aqua Trivy, Semgrep, and ZAP, Harness STO now offers an auto-detection option for these parameters. This feature reduces toil and error.

 

Scanner configuration window with option for Target and Variant auto-detection

Want to learn more about how Harness STO helps you shift security left? Visit the STO product page or sign up for a demo with one of our experts!
