JFrog Xray scan native step
long-term
Purple Lungfish
We would like to see a JFrog Xray security tests step in Harness as an out-of-the-box capability for Docker and file-type artifact scans.
Pritesh Chandaliya
long-term
We are not able to get partnership legal terms signed with JFrog. Can you help us? Purple Lungfish
Canny AI
Merged in a post:
wiz.io scan native security steps
Purple Lungfish
We would like to see a Wiz.io security tests step in Harness as an out-of-the-box capability.
Purple Lungfish
As we are integrating wiz.io for container scanning, we are looking for the same support for IaC scanning.
Pritesh Chandaliya
Step 1. Orchestrate the JFrog Xray CLI via a custom run step.
JFrog publishes its own Docker images for the CLI, or you can create your own (the customer will also have to write the authentication scripts required to authenticate and use jf scan): https://jfrog.com/getcli/. But the scan command will look like this...
jf docker scan --format json IMAGE_NAME > scan-results.json
Step 2. Ingest the .json results file into STO as described here: https://developer.harness.io/docs/security-testing-orchestration/sto-techref-category/xray-scanner-reference/
Can you please give this a try using the custom ingestion, in case you are not aware. We are still working on adding it as a native step as mentioned before.
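The two steps above as a single Run-step script, written as an added example (it is not Harness's or JFrog's code and was not posted in this thread). It assumes the step's image has the jf CLI on PATH, that JF_URL and JF_ACCESS_TOKEN are injected from Harness secrets, and that the image name is passed as the first argument; the server ID ci-xray is an arbitrary label.

```shell
#!/usr/bin/env sh
# Added example: run a JFrog Xray scan in a Harness Run step and leave
# scan-results.json behind for the STO ingestion step that follows.
# Assumed environment: jf on PATH, JF_URL and JF_ACCESS_TOKEN from secrets.
set -eu

# Return 0 if every variable the scan needs is set and non-empty, 1 otherwise.
check_scan_env() {
  for var in JF_URL JF_ACCESS_TOKEN; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $var" >&2
      return 1
    fi
  done
  return 0
}

# Print the exact jf command that will run, so it appears in the step log.
# --fail=false keeps the scan from exiting non-zero on findings; the STO
# fail-on-severity policy decides the verdict after ingestion instead.
scan_command() {
  echo "jf docker scan --format json --fail=false $1"
}

run_scan() {
  image="$1"
  check_scan_env
  # Register the Xray server non-interactively; "ci-xray" is an assumed label.
  jf config add ci-xray --url="$JF_URL" --access-token="$JF_ACCESS_TOKEN" \
    --interactive=false --overwrite
  jf config use ci-xray
  $(scan_command "$image") > scan-results.json
  # An empty results file would be rejected by STO ingestion, so fail here.
  [ -s scan-results.json ] || { echo "scan produced no output" >&2; return 1; }
  echo "wrote scan-results.json ($(wc -c < scan-results.json) bytes)"
}

# Only scan when an image name is passed; sourcing the file defines the functions.
if [ "${1:-}" != "" ]; then
  run_scan "$1"
fi
```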
Pritesh Chandaliya
next fiscal quarter
We have prioritized the efforts for Q3 Aug-Oct 2024. Thanks!
Pritesh Chandaliya
We are currently working on adding Wiz as one of the OOB scanners supported under the STO module. The work includes container and repo scanning support for this quarter, and for the next quarter we will focus on adding IaC capability. Please refer to the roadmap: https://developer.harness.io/roadmap/#sto