DevSecOps – Compliance & Governance
What is Security Scanning?
Security scanning, including container and vulnerability scanning, allows you to detect vulnerabilities in deployable artifacts and running applications. Container scanning can refer to scanning the base image or the running container for known vulnerabilities / security exposures. Containers can have several layers all with third party open source powering parts of the container which need to be regularly scanned.
How security scanning works with Harness.
Harness has the ability to call container scanning and vulnerability scanning tools as part of a CI/CD pipeline. Passing a container scan can be a quality gate in a Harness Pipeline Stage before moving on to a deployment, and passing a vulnerability scan can be a quality gate before a build is packaged and deployed; a failed gate stops the pipeline rather than letting the artifact progress.
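The quality-gate decision described above, as an added example that is not Harness's own code: a pipeline step feeds the scanner's report to a small policy check and fails the stage on blocking findings. The report shape, the sample vulnerability IDs, and the policy options (severity threshold, fixable-only, accepted risks) are all constructed assumptions, not a specific scanner's schema.

```python
"""Quality-gate logic for a container/vulnerability scan step in a pipeline.

Constructed example: a scanner report in an assumed JSON shape is evaluated
against a gate policy; a non-zero exit fails the pipeline stage.
"""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (placeholder CVE ids): one fixable CRITICAL,
# one HIGH with no fix available yet, and one fixable LOW.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app:1.2 (alpine 3.18)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "Severity": "CRITICAL", "FixedVersion": "1.0.1"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
             "Severity": "LOW", "FixedVersion": "2.3"},
        ]},
    ]
})


def evaluate_gate(report_json, fail_on="HIGH", fixable_only=False, accepted=()):
    """Return (passed, blocking_findings).

    fail_on: lowest severity that blocks the stage.
    fixable_only: ignore findings with no FixedVersion (nothing to remediate yet).
    accepted: vulnerability ids covered by an approved, recorded risk acceptance.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["VulnerabilityID"] in accepted:
                continue
            if fixable_only and not vuln.get("FixedVersion"):
                continue
            rank = SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN").upper(), 0)
            if rank >= threshold:
                blocking.append((result["Target"], vuln["VulnerabilityID"], vuln["Severity"]))
    return (not blocking), blocking


if __name__ == "__main__":
    passed, findings = evaluate_gate(SAMPLE_REPORT, fail_on="HIGH")
    for target, vid, sev in findings:
        print(f"BLOCKING {sev} {vid} in {target}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Risk acceptances should be time-boxed and reviewed in the same change-controlled repository as the pipeline so the gate's exceptions stay auditable.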
SaaS provider LogMeIn found its legacy tool deployments became too complex to manage and standardized its Continuous Delivery with Harness. Since migrating to Harness, they’ve reduced deployment time, toil, and effort by over 95%.
What is Pipeline Compliance?
Pipeline compliance is the ability for a pipeline to adhere to a certain standard, i.e. conformance, or the ability to have controls in place, i.e. governance.
How Harness addresses pipeline compliance.
Harness can enforce pipeline compliance and also pipeline conformance in several ways. Standardization is a driving factor around compliance, providing the guardrails. Harness has the ability to leverage templates and has configuration-as-code which can be managed in a Source Code Management [SCM] solution. With RBAC, controls can support a wide set of users who need to view and users who need to edit. Harness can also score conformance to pipeline standards with the Harness Pipeline Governance feature.
Regulatory and operational compliance is critical in software development. Harness’s Pipeline Governance feature will allow you to measure how compliant your pipelines are with your regulatory and operations standards.
In an organization where developers are continuously pushing code to production, managing risks can be difficult. This piece details pipeline compliance under the umbrella of governance, risk management, and compliance (GRC).
What is Secrets Management?
Sensitive properties and passwords should not be stored in plain text. Modern approaches are to store sensitive information as encrypted secrets. To manage the lifecycle of a secret, e.g. updates, rotation, and secret injection into a running step, secret management solutions are available.
How Harness manages Secrets.
Harness includes a built-in secrets management feature that enables the storing of encrypted secrets. With Harness, you can also use third-party secrets managers such as HashiCorp Vault, Azure Key Vault, CyberArk, or AWS Secrets Manager.
If you’ve ever posted a private key to your code repository, then you’ve shared a secret. This three-part series on security will share how to manage modern security solutions for the cloud-native ecosystem.
What is Auditing?
Auditing in a technology sense is the examination of evidence and controls. Having a systematic record of why and where a pipeline ran is crucial in an audit.
How Harness addresses Auditing.
Audits provide us with answers to who, what, when, and where. Harness helps you with your audit and compliance needs. The audit trails feature provides records of all events and changes to your services and accounts.
Learn about audit trailing in the context of Continuous Delivery (the who, what, and when of all activity relating to the contents, dependencies, and execution of your deployment pipelines). Watch our short 3-minute video on how audit trails work in Harness specifically.