Target baselines in STO
Every scanned target should have a baseline, which represents the root variant such as the main
branch of a Git repository or the latest
tag of a container image. Baselines make it easy to identify issues in the baseline vs. issues in a downstream variant derived from that baseline.
- Every scanned target needs a baseline to enable the full suite of STO features.
- You can specify a baseline using a fixed value or a regular expression (RegEx).
- If you always want to compare against a specific variant — such as the
main
branch of your git repository — use a fixed value. - You might find that the variant you want use as your baseline changes over time. Suppose your team creates a new
X.Y.Z
branch with each release. In this case you can use a RegEx baseline that updates automatically.
- If you always want to compare against a specific variant — such as the
- You can specify a default RegEx baseline for each target type. This RegEx will automatically be used as the baseline for any new targets.
- Repositories and images have predefined defaults. For repositories, the default is the
main
ormaster
branch. For images, the default islatest
or the most recently scanned Semantic Versioned release.
To view and edit the current baseline for a target, go to Test Targets:
Every target needs a baseline
Every target needs a baseline to enable the full suite of STO features. Here's why:
-
For developers, it’s critical to distinguish between security issues in the baseline vs. issues in the variant you’re working on. You want to detect and resolve issues in your downstream branch (the variant) before merging, so you don’t introduce them into the main branch (the baseline).
-
When your target has a baseline defined, the Security Tests tab divides your issues into two lists:
-
Only in <target>:<variant> Issues detected in the scanned variant only.
-
Common to <target>:<baseline> Issues also detected in the target baseline.
-
-
While the Security Tests tab highlights downstream issues, the STO Overview and Security Testing Dashboard only show baseline issues. These views enable security personnel and other non-developers to monitor, investigate, and address issues in production-ready targets and view vulnerability trends over time.
-
In short, baselines make it easy for developers to drill down into “shift-left” issues in the variants they're currently working on, and security personnel to monitor the security posture of production targets.
Benefits of using regular expressions to define baselines
-
RegEx baselines more accurately reflect the current "root" element in the context of a real-world software development life cycle. A typical sprint cycle might run like this:
- Publish the current release — for example,
1.2.3
— and merge this branch intomain
. - Create a "next-release" branch — for example,
1.2.4
— frommain
. - Create branches from
1.2.4
for different features, hotfixes, and so on. - When the release is ready to publish, merge the various branches into
1.2.4
. - Publish the release, merge
1.2.4
intomain
, create a new release branch such as1.2.5
, and repeat the cycle.
To support proper functioning of STO with this workflow,
1.2.4
more accurately reflects the baseline for the current sprint thanmain
. Given a matching RegEx, the first scan after creating the branch establishes1.2.4
as the current baseline. This remains the current baseline until1.2.4
gets merged intomain
and1.2.5
gets created and scanned. - Publish the current release — for example,
-
RegEx baselines make it easier to track the introduction and remediation of specific vulnerabilities. The lifecycle of a specific vulnerability might run like this:
- A new release branch
1.2.3
is created. You scan this branch, which matches your RegEx, and it becomes the current baseline. - The scan detects a new vulnerability, vXYZ, with a severity of MEDIUM.
- A few sprints later, the vulnerability is remediated in a branch that gets merged into
1.2.7
. 1.2.7
is scanned before getting merged intomain
, and vXYZ is no longer in the scan results.
- A new release branch
Target baselines
You can specify baselines for individual targets.
Fixed target baselines
You can specify a fixed value if you know that the baseline for a target will not change.
-
Scan the target with the baseline variant if you haven't yet done so.
-
Go to Test Targets.
-
In Baseline for Comparison, set the value type to Fixed and select the baseline from the menu of scanned variants.
RegEx target baselines
You can specify a RegEx baseline if the baseline changes over time and you can capture it using a regular expression.
Harness recommends that you test your regular expression thoroughly before you apply it to a RegEx target. For more information, go to:
-
Go to Test Targets.
-
Set the value type for the target to RegEx and enter the regular expression.
Default RegEx baselines by target type
- Currently, this feature is behind the Feature Flag
STO_BASELINE_DEFAULTING
. Contact Harness Support to enable the feature. - Harness recommends that you test your regular expression thoroughly before you apply it to Regex target default. For more information, go to:
You can specify default baselines for specific target types: code repositories, container images, web/API instances, and infrastructure configurations. STO includes a set of predefined defaults for repository and container image targets.
-
For repositories, the baseline is
master
ormain
. -
For container images, the baseline is
latest
or the most recently scanned Semantic Version number if it can be detected, such as1.2.3
v1.15.4
-
STO does not include predefined default RegEx baselines for application instances and configurations.
To specify default RegExes:
-
Go to the Default settings page for the scope you want:
- Account settings — all targets in the account
- Organization settings — overrides account defaults
- Project settings — overrides organization defaults
-
Go to Default Settings > Security Testing Orchestration.
-
Enter the regular expression you want in the Value field.
Regex baselines reference
Regex baselines: important notes
-
You must use a consistent naming scheme for your scanned variants. This is necessary to ensure that your regular expression captures your baselines consistently and predictably.
-
Carefully consider which targets you want to use for your baselines. In general, the baseline should be the root element for all your current variants.
-
When you specify a regular expression, the baseline is the most recently scanned target that matches the expression.
-
Use re2 format for your expressions.
-
Defining regular expressions is outside the scope of this documentation. Harness recommends that you test any regular expressions thoroughly to ensure that the expression matches any variant name that might be used for the scan target.
RegEx baseline examples
The following table shows a few simple examples of expressions for specific use cases.
Variant names | Regular expression | Description |
---|---|---|
main master | ^(main|master)$ |
|
latest 1.2.3 v2.3.4 | ^(v?\d+.\d+.\d+([+-][a-zA-Z0-9.+-]+)?|latest)$ |
|
release-20230420 release-20230427 release-20230504 release-20230511 | ^(release-\d+)$ |
|
code-v1.1 code-v1.2 code-v1.3 code-v2.1 code-v2.2 code-v20.31 | ^(code-v\d+.\d*)$ |
|
1.14.6-linux-amd64 1.14.11-linux-amd64 1.15.4-linux-amd64 | ^(\d*.\d*.\d*-linux-amd64)$ |
|
3 3.17 3.17.3 3.18 3.18.12 30.142.1 30 | ^([\d.]+)$ |
|
2023-02-11, 17:59:12 2023-02-17, 11:17:23 2023-02-23, 08:36:47 | ^(\d4-\d2-\d2,\s\d2:\d2:\d2$) |
|
2023-02-11 2023-02-17 2023-02-23 | ^(\d4-\d2-\d2)$ |
|