Harness should provide a native reachability analysis step that can run in the pipeline and evaluate whether vulnerabilities identified by STO scanners are actually reachable in the application.
Today, reachability analysis is usually tool-specific and SAST-like in nature. Enabling reachability in each individual scanner adds significant runtime to the pipeline and produces inconsistent results across tools. Since multiple STO steps may report CVEs and CWEs, Harness should provide a common reachability step that consumes findings from all STO scanners and enriches them with reachability context.
The step should:
  • Read CVEs and CWEs identified by prior STO steps.
  • Perform reachability analysis once in a common Harness-controlled step.
  • Mark findings as reachable, unreachable, or unknown.
  • Expose reachability data to OPA policies.
  • Allow gates to block only on reachable findings, or apply different policy behavior for unreachable and unknown findings.
  • Display reachability status clearly in the STO UI.
This would be a highly valuable capability for Harness customers because it would reduce false positives, improve vulnerability prioritization, and help teams focus remediation effort on findings that present real application risk.
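As an added illustration (not Harness code) of what the common step and a gate consuming it could look like: constructed findings from several scanners are merged, tagged reachable, unreachable or unknown from one reachability pass, and a gate blocks only on reachable findings, with unknown treated as a policy choice. The scanner names, finding format, reachability evidence and function names are all assumptions for this example.

```python
"""Model of the proposed common reachability step plus a policy gate on its output.
Added example, not Harness code; all inputs below are constructed samples."""

REACHABLE, UNREACHABLE, UNKNOWN = "reachable", "unreachable", "unknown"
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed findings as several STO scanner steps might report them.
# Two SCA scanners flag the same CVE in the same package; a SAST tool reports a CWE.
FINDINGS = [
    {"scanner": "sca-a", "id": "CVE-0000-0001", "package": "libfoo@1.2.3", "severity": "critical"},
    {"scanner": "sca-b", "id": "CVE-0000-0001", "package": "libfoo@1.2.3", "severity": "high"},
    {"scanner": "sca-a", "id": "CVE-0000-0002", "package": "libbar@4.5.6", "severity": "high"},
    {"scanner": "sast-c", "id": "CWE-89", "package": "app/db.py", "severity": "high"},
]

# Constructed result of the single reachability pass: whether the affected
# component sits on a call path from an application entry point.
REACHABILITY = {
    "libfoo@1.2.3": {"reachable": True, "path": ["main", "libfoo.parse"]},
    "libbar@4.5.6": {"reachable": False, "path": []},
    # app/db.py is deliberately absent: the analysis could not decide -> unknown
}

def enrich(findings, reachability):
    """Merge duplicate findings across scanners and attach a reachability status."""
    merged = {}
    for f in findings:
        key = (f["id"], f["package"])
        entry = merged.setdefault(key, {"id": f["id"], "package": f["package"],
                                        "scanners": [], "severity": f["severity"]})
        entry["scanners"].append(f["scanner"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]  # keep the highest severity reported
        evidence = reachability.get(f["package"])
        if evidence is None:
            entry["reachability"] = UNKNOWN
        else:
            entry["reachability"] = REACHABLE if evidence["reachable"] else UNREACHABLE
            entry["call_path"] = evidence["path"]
    return list(merged.values())

def gate(enriched, block_on_unknown=False, min_severity="high"):
    """Return (blocked, reasons). Reachable findings at or above min_severity block;
    unknown findings block only if the policy says so; unreachable ones never block."""
    threshold, reasons = SEVERITY_RANK[min_severity], []
    for e in enriched:
        if SEVERITY_RANK[e["severity"]] < threshold:
            continue
        if e["reachability"] == REACHABLE:
            reasons.append(f"{e['id']} in {e['package']} reachable via {' -> '.join(e['call_path'])}")
        elif e["reachability"] == UNKNOWN and block_on_unknown:
            reasons.append(f"{e['id']} in {e['package']} has unknown reachability")
    return (len(reasons) > 0, reasons)
```

With the sample data the default policy blocks on the single reachable CVE only; setting `block_on_unknown=True` also blocks on the undecided CWE finding, while the unreachable CVE is reported but never blocks.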