With Harness Security Testing Orchestration (STO), your pipelines can detect security vulnerabilities automatically. STO enables DevOps and Security teams to shift security testing left as a key outcome of their DevSecOps initiative. STO orchestrates scanning, deduplicates scanner output, prioritizes remediation, and enforces governance directly in your pipelines, so that vulnerabilities are caught and fixed before your products are released.
Get started
Run scans and ingest data
STO workflows
Learn about the three high-level workflows for running scans and ingesting results: orchestration, extraction, and ingestion.
Orchestration workflows
Learn how to scan an object and ingest the results automatically in one step.
Ingestion workflows
Learn how to run scans in a separate step, or outside Harness entirely, and ingest the results.
Configure external scanners
STO includes integrations with over 30 external tools for scanning repositories, container images, applications, and configurations.
Ingest SARIF scan results
SARIF is an open data format supported by many scan tools. You can ingest results from any tool that supports this format.
Ingest data from custom scanners
You can ingest custom issues from any scanning tool. This topic shows you how.
View, troubleshoot, and fix vulnerabilities
View issues in target baselines over time
See all detected issues in your main branches, latest images, and other target baselines.
Create Jira tickets for detected issues
You can easily create Jira tickets for issues detected during an STO build.
Navigate and drill down into detected vulnerabilities
The Security Testing Dashboard enables you to view, navigate, discover, and investigate detected vulnerabilities in your organization.
Stop builds based on detected vulnerabilities
Exemptions (Ignore Rules) for Specific Issues
Learn how to set fail_on_severity to stop pipeline builds, and how to create exemptions (ignore rules) for specific vulnerabilities.
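To make the two ingestion and gating topics above concrete (ingesting SARIF results, and failing a build on a severity threshold while honoring exemptions), here is an added example written for this page; it is not Harness's own ingestion code. It parses a constructed SARIF 2.1.0 document, maps each result to a severity, and then applies a fail_on_severity gate with a list of exempted rule IDs. The mapping from the SARIF `level` field (and the optional `security-severity` rule property, a CVSS-style 0-10 score) to the critical/high/medium/low/info scale, and the use of rule IDs as the exemption key, are assumptions made for this example; STO's own severity ordering and exemption matching may differ.

```python
"""Parse a SARIF 2.1.0 log, assign severities, and apply a fail_on_severity
gate with exemptions (ignore rules).

Editor-added example, not Harness code. The severity mapping and the
exemption-by-rule-ID matching are assumptions made for this example.
"""
import json

# Ordered severity scale used by the gate (assumption: mirrors the usual
# none/info/low/medium/high/critical ordering).
SEVERITY_RANK = {"none": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Fallback mapping from SARIF `level` when a rule carries no numeric score.
SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}

# Constructed SARIF document with two findings; not real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "EX001", "shortDescription": {"text": "SQL injection"},
             "properties": {"security-severity": "9.1"}},
            {"id": "EX002", "shortDescription": {"text": "Hard-coded credential"}},
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "User input reaches a query string"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "API key committed in source"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def score_to_severity(score: float) -> str:
    """Map a CVSS-style 0-10 score to a qualitative band (CVSS v3 thresholds)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"


def parse_sarif(text: str) -> list:
    """Flatten every result in every run into a list of issue dicts."""
    log = json.loads(text)
    issues = []
    for run in log.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r.get("id"): r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            score = rule.get("properties", {}).get("security-severity")
            if score is not None:
                severity = score_to_severity(float(score))
            else:
                # SARIF defaults `level` to "warning" when it is absent.
                severity = SARIF_LEVEL_TO_SEVERITY.get(res.get("level", "warning"), "medium")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            issues.append({
                "rule_id": res.get("ruleId"),
                "title": rule.get("shortDescription", {}).get("text", res.get("ruleId")),
                "severity": severity,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return issues


def gate(issues: list, fail_on_severity: str, exemptions=()) -> tuple:
    """Return (should_fail, blocking_issues).

    An issue blocks the build when its severity is at or above the threshold
    and its rule ID is not exempted. A threshold of "none" never fails.
    """
    threshold = SEVERITY_RANK[fail_on_severity]
    if threshold == 0:
        return False, []
    exempt = set(exemptions)
    blocking = [i for i in issues
                if i["rule_id"] not in exempt and SEVERITY_RANK[i["severity"]] >= threshold]
    return bool(blocking), blocking


if __name__ == "__main__":
    found = parse_sarif(SAMPLE_SARIF)
    failed, blockers = gate(found, "high", exemptions=["EX001"])
    print("fail:", failed, "blocking:", [b["rule_id"] for b in blockers])
```

Run with fail_on_severity set to "high" and no exemptions, the critical SQL injection finding blocks the build; exempting EX001 lets it pass, while lowering the threshold to "medium" makes the hard-coded credential block as well. The same two functions apply to any SARIF-producing tool, which is the point of ingesting a common format rather than one parser per scanner.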
Stop pipelines automatically using governance policies
Learn how to create OPA policies that stop pipelines automatically.
Trigger STO scans to block Git pull requests with vulnerabilities
You can create Git event triggers to block PRs if an STO scan detects vulnerabilities that violate OPA policies or Fail on Severity settings.