Security Testing Orchestration (STO)

The Harness Security Testing Orchestration (STO) module helps development teams automate security scanning in CI/CD pipelines, enabling Shift-Left Security.

Core Features

Security Scanner Integration

STO supports one-click integration for multiple security scanning tools:

Type	Supported Scanners
SAST (Static Application Security Testing)	SonarQube, Checkmarx, Snyk Code
DAST (Dynamic Application Security Testing)	OWASP ZAP, Burp Suite
SCA (Software Composition Analysis)	Snyk, OWASP Dependency Checker, Trivy
Container Security	Trivy, Aqua Trivy, Grype
Secret Detection	Gitleaks, TruffleHog

Intelligent Orchestration

Unified Scan Results: Aggregate results from multiple scanners
Deduplication & Prioritization: Automatically identify duplicate vulnerabilities and sort by severity
Auto Fix Suggestions: Provide vulnerability remediation guidance

Policy Enforcement

OPA Integration: Define security policies using Open Policy Agent
Blocking Rules: Automatically block pipelines when high-risk vulnerabilities are found
Exception Management: Allow exemptions for specific vulnerabilities under certain circumstances

Use Cases

Scenario	Description
Code Security	Detect security vulnerabilities in source code during the build stage
Dependency Security	Check third-party dependencies for known vulnerabilities
Container Security	Scan container images for security risks
Secret Security	Detect accidentally committed sensitive information in code

Getting Started

1. Add STO Stage

Add a Security Tests stage to your CI/CD pipeline.

2. Select Scanner

Select or add custom scanners from predefined scanner templates.

3. Configure Scan Target

Specify targets to scan (code repository, container image, Dockerfile, etc.).

4. Set Policy

Define which vulnerability severity levels should block the pipeline.

5. View Reports

View detailed security scan reports through the Harness console.

Best Practices

Scan Early: Find problems early in the pipeline to reduce remediation costs
Layered Scanning: Combine SAST, SCA, DAST and other scanning methods
Continuous Optimization: Adjust policies based on scan results to reduce false positives
Team Collaboration: Assign security vulnerabilities to corresponding developers

Security & Compliance

Report Export: Support exporting security reports compliant with industry standards
Compliance Mapping: Map scan results to compliance frameworks (PCI-DSS, SOC2, etc.)
Audit Trail: Record all security scan activities and configuration changes

Default

​Security Testing Orchestration (STO)

​Core Features

​Security Scanner Integration

​Intelligent Orchestration

​Policy Enforcement

​Use Cases

​Getting Started

​1. Add STO Stage

​2. Select Scanner

​3. Configure Scan Target

​4. Set Policy

​5. View Reports

​Best Practices

​Security & Compliance

​Related Resources