Log in to your harness - The Modern Software Delivery Platform® account to give feedback

Feature Requests

Anonymous

Feature Requests for Harness. Select 'Category' based on the module you are requesting the feature for.
Surface the full SLA-reporting dataset (EPSS, Reachability, CVSS, found and remediated dates) in the STO Issues list
Teams that run a vulnerability-remediation SLA off STO need a single per-issue dataset to compute remediations completed inside vs. outside SLA. When the SLA is driven by a combination of CVSS, EPSS, and Reachability, the report needs all of these in one place, per issue: Issue (CVE / title) CVSS score EPSS score (and percentile) Reachability Found date (first detected) Remediated date (when the issue was resolved) Today the Issues list (Active Issues / All Issues) exposes only Severity, Issue Type, Title, Targets Impacted, Occurrences, Last Detected, Tickets, and Status. It does not surface EPSS, CVSS, Reachability, or an explicit found/remediated date pair. The All Occurrences dashboard already carries most of this (EPSS Score and Percentile, Reachability, CVSS, First Seen) and exports to CSV, but it is a separate surface from the Issues list, it is Enterprise and limited-availability, and it has no explicit "remediated date" column (only Status = Remediated plus Last Seen as a proxy). In practice its EPSS data can also come through sparsely populated, which pushes users to stitch EPSS in externally. ## What we need Expose EPSS (score and percentile), CVSS, and Reachability as columns in the Issues list (Active Issues / All Issues), not only on the dashboard. Add an explicit remediated-date field alongside found date, so in-SLA vs. out-of-SLA remediation can be computed directly from the Issues surface. Make the combined dataset exportable as a first-class report from the Issues list. Clarify and, where applicable, populate Reachability for Snyk-based scanning setups (see below), since Reachability is one of the SLA inputs. ## Why it matters Without a consolidated dataset on the Issues surface, teams cannot compute in-SLA vs. out-of-SLA remediation from STO natively. They fall back to exporting from a separate dashboard and joining EPSS and Reachability in externally, which defeats the point of reporting from STO and blocks adoption of STO as the system of record for remediation SLAs. ## Related Reachability data source: for Snyk-only scanning setups it is currently unclear whether Snyk's native reachability output is ingested into STO's reachability field, or whether reachability is derived only from Harness scanners. This gates the Reachability portion of the ask and is being clarified separately. A near-term follow-on is using EPSS and Reachability as OPA pass/fail criteria (for example: a Critical CVE deemed not reachable with EPSS <= 0.1 should not fail a build, while a High CVE deemed reachable with EPSS 0.5 should). ## Use case A security team onboarding STO wants to run its internal vulnerability-remediation SLA report directly from STO. SLA priority is determined by CVSS, EPSS, and Snyk reachability. They need one exportable dataset per issue (CVE, CVSS, EPSS, Reachability, found date, remediated date) to show which remediations landed inside vs. outside SLA.
0
·
Security Testing…
Load More